Supervisory Committee Audits, 9278-9281 [E6-2531]

Download as PDF 9278 Proposed Rules Federal Register Vol. 71, No. 36 Thursday, February 23, 2006 This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules. FOR FURTHER INFORMATION CONTACT: NATIONAL CREDIT UNION ADMINISTRATION I. Background 12 CFR Parts 704, 715, and 741 Supervisory Committee Audits National Credit Union Administration (NCUA). ACTION: Advance notice of proposed rulemaking. cchase on PROD1PC60 with PROPOSALS AGENCY: SUMMARY: The National Credit Union Administration (NCUA) requests public comment on whether and how to modify its Supervisory Committee audit rules to require credit unions to obtain an ‘‘attestation on internal controls’’ in connection with their annual audits; to identify and impose assessment and attestation standards for such engagements; to impose minimum qualifications for Supervisory Committee members; and to identify and impose a standard for the independence required of Statelicensed, compensated auditors. DATES: Comments must be received on or before April 24, 2006. ADDRESSES: You may submit comments by any one of the following methods (Please send comments by one method only): • Federal eRulemaking Portal: http:// www.regulations.gov. Follow the instructions for submitting comments. • NCUA Web Site: http:// www.ncua.gov/ RegulationsOpinionsLaws/proposed_ regs/proposed_regs.html. Follow the instructions for submitting comments. • E-mail: Address to regcomments@ncua.gov. Include ‘‘[Your name] Comments on Part 715 ANPR, Supervisory Committee Audits’’ in the e-mail subject line. • Fax: (703) 518–6319. Use the subject line described above for e-mail. • Mail: Address to Mary Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314– 3428. • Hand Delivery/Courier: Same as mail address. VerDate Aug<31>2005 16:48 Feb 22, 2006 Jkt 208001 Karen Kelbly, Chief Accountant, Office of Examination and Insurance, telephone: (703) 518–6389; Steven W. Widerman, Trial Attorney, Office of General Counsel, telephone: (703) 518– 6557. SUPPLEMENTARY INFORMATION: A. Existing Part 715 In 1998, the Credit Union Membership Access Act (‘‘CUMAA’’), Public Law 105–219, 112 Stat. 913 (1998), amended the Federal Credit Union Act to require credit unions having assets of $10 million or more to follow generally accepted accounting principles (‘‘GAAP’’) in all reports and statements filed with the NCUA Board. 12 U.S.C. 1782(a)(6)(C). CUMAA further required credit unions having assets of $500 million or more to obtain an annual independent audit of its financial statements (‘‘financial statement audit’’) performed in accordance with generally accepted auditing standards (‘‘GAAS’’) by an independent certified public accountant or public accountant licensed by the appropriate State or jurisdiction. 12 U.S.C. 1782(a)(6)(D). Beyond the requirement to adhere to GAAP, the CUMAA amendments imposed no minimum audit requirements on federally-chartered credit unions having less than $500 million in assets. See 64 FR 41029 (July 29, 1999). And in contrast to other federally-insured financial institutions, 12 U.S.C. 1831m(c), CUMAA did not require credit unions to obtain, in connection with their annual audits, an ‘‘attestation on internal controls’’ by the credit union’s independent accountant (hereinafter referred to as ‘‘external auditor’’). In 1999, NCUA comprehensively overhauled its Supervisory Committee audit rules to conform to the CUMAA amendments. 64 FR 41029. Amended part 715 follows CUMAA in requiring credit unions having assets of $500 million or more to annually obtain a financial statement audit. 12 CFR 715.5. However, part 715 gives those having less than $500 million in assets a choice among several audit options: (1) A financial statement audit; (2) a ‘‘balance sheet audit’’; (3) a ‘‘report on examination of internal controls over Call Reporting’’; and (4) an audit as PO 00000 Frm 00001 Fmt 4702 Sfmt 4702 prescribed by NCUA’s Supervisory Committee Guide. 12 CFR 715.7. None of these audit options requires an additional ‘‘attestation on internal controls’’ of the scope prescribed for other federally-insured financial institutions. B. Request for Comments Through this Advance Notice of Proposed Rulemaking, the NCUA Board seeks public comment in the form of answers to questions on four discrete issues: (A) Whether to require credit unions to obtain an ‘‘attestation on internal controls’’ in connection with their annual audits (questions 1 through 7 below); (B) What standards should govern the assessment and attestation components of such an engagement (questions 8 and 9 below); (C) What qualifications should be required as prerequisites to serve on a Supervisory Committee (questions 10 through 13 below); and (D) What standard should dictate the degree of independence required of state-licensed, compensated auditors (question 14 below). The NCUA Board also seeks input on several miscellaneous issues involving audit options for credit unions having less than $500 million in assets, requirements for delivery and regulatory access to audit reports, and the terms and conditions in engagement letters, including limitations on auditor liability (questions 15 through 22 below). To facilitate consideration of the public’s views, please address your comments to the questions set forth in section II. below for each subject. To maximize the value of your comments, it is essential to explain the reasons that support your conclusions. In addition, it is important to organize and identify your comments by corresponding question number and subject so that each question is addressed separately. You will have a further opportunity to comment comprehensively on the issues raised by these questions if the NCUA Board issues a proposed rule for public consideration. II. Issues for Comment A. Internal Control Assessment and Attestation An ‘‘attestation on internal controls’’ has two principal components. First, management must report its assessments of the effectiveness of the internal control structure and procedures E:\FR\FM\23FEP1.SGM 23FEP1 cchase on PROD1PC60 with PROPOSALS Federal Register / Vol. 71, No. 36 / Thursday, February 23, 2006 / Proposed Rules established and maintained by the credit union. Then, its external auditor must examine, attest to, and report separately on management’s written assertions (i.e., derived from its assessments) on the effectiveness of the internal control structure and procedures. The scope on an ‘‘attestation on internal controls’’ may be limited only to the effectiveness of internal controls over financial statements prepared for regulatory purposes, such as Call Reports. An example of this is the ‘‘report on examination of internal controls over Call Reporting,’’ an audit option currently available to some credit unions. 12 CFR 715.7(b). Or the scope on an ‘‘internal control attestation’’ engagement may extend to the effectiveness of internal controls over all financial reporting, i.e., financial statements prepared in accordance with GAAP and required regulatory reports. The Sarbanes-Oxley Act, Public Law 107–204, 116 Stat. 745, 789 (2002), enacted in 2002, requires all public companies, in connection with an annual financial statement audit, to obtain an ‘‘attestation on internal controls’’ over financial reporting. 15 U.S.C. 7262. This requirement is similar to that which the Federal Deposit Insurance Corporation Improvements Act (‘‘FDICIA’’) has imposed on federally-insured financial institutions, other than credit unions, since 1991. 12 U.S.C. 1831m(c). In 2003, the U.S. General Accounting Office (now the U.S. General Accountability Office) (‘‘GAO’’) suggested that ‘‘NCUA might gain an evaluation of an institution’s internal controls, comparable to other depository institution regulators, if credit unions were required, like banks and thrifts, to provide management evaluations of internal controls and their auditor’s assessments of such evaluations.’’ GAO, Credit Unions: Financial Condition Has Improved, But Opportunities Exist to Enhance Oversight and Share Insurance Management (GAO–04–91) (‘‘GAO Report’’) at 81. GAO further recommended ‘‘making credit unions with assets of $500 million or more subject to the FDICIA requirement that management and external auditors report on the internal control structure and procedures for financial reporting * * *.’’ Id. at 83–84. GAO reiterated this recommendation in 2005. GAO, Issues Regarding the Tax-Exempt Status of Credit Unions (GAO–06–220T) at 4. However, since GAO made its recommendation, the Federal Deposit Insurance Corporation (‘‘FDIC’’) has increased from $500 million to $1 billion the minimum asset size of the VerDate Aug<31>2005 16:33 Feb 22, 2006 Jkt 208001 institutions required by FDICIA to obtain an ‘‘attestation on internal controls’’ over all financial reporting. 12 CFR 363.3(b); 70 FR 71226 (Nov. 28, 2005).1 NCUA concurred with GAO’s recommendation to consider adopting a FDICIA-like attestation requirement, noting that it already provided guidance strongly encouraging large credit unions to voluntarily provide reporting on internal controls. GAO Report at 84; see enclosure to NCUA, Letter to Credit Unions No. 03–FCU–7 (Oct. 2003). GAO left the matter of ensuring parity in internal control reporting among all federally-insured financial institutions for Congressional consideration. However, NCUA believes that legislation is not necessary because the agency has the authority-which GAO acknowledged—to implement regulations requiring credit unions to provide these reports should it become necessary.2 Id. at 84–85. To determine the extent to which such reports are necessary, the NCUA Board invites public comments in response to the following questions: Questions No. 1. Should part 715 require, in addition to a financial statement audit, an ‘‘attestation on internal controls’’ over financial reporting above a certain minimum asset size threshold? Explain why or why not. 2. What minimum asset size threshold would be appropriate for requiring, in addition to a financial statement audit, an ‘‘attestation on internal controls’’ over financial reporting, given the additional burden on management and its external auditor? Explain the reasons for the threshold you favor. 3. Should the minimum asset size threshold for requiring an ‘‘attestation on internal controls’’ over financial reporting be the same for natural person credit unions and corporate credit unions? Explain why. 4. Should management’s assessments of the effectiveness of internal controls and the attestation by its external auditor cover all financial reporting, (i.e., financial statements prepared in 1 In contrast to NCUA, Congress gave FDIC the authority to adjust the minimum asset threshold that triggers FDICIA’s audit requirements. 12 U.S.C. 1831m(j)(2). Thus, FDICIA originally set the minimum asset threshold for requiring a financial statement audit at $150 million. 12 U.S.C. 1831m(j)(1). FDIC then raised the threshold to $500 million. 12 CFR 363.1(a); 58 FR 31332 (June 2, 1993). 2 See 12 U.S.C. 1761d, 1782a(a)(2), 1789(a)(8) and (11) as implemented by 12 CFR 715, 741.202(a) (federally-insured natural person credit unions) and 12 U.S.C. 1761d, 1766(a), 1782a(a)(2), 1789(a)(8) and (11) as implemented by 12 CFR 704.15(a) (federally-insured corporate credit unions). PO 00000 Frm 00002 Fmt 4702 Sfmt 4702 9279 accordance with GAAP and those prepared for regulatory reporting purposes), or should it be more narrowly framed to cover only certain types of financial reporting? If so, which types? 5. Should the same auditor be permitted to perform both the financial statement audit and the ‘‘attestation on internal controls’’ over financial reporting, or should a credit union be allowed to engage one auditor to perform the financial statement audit and another to perform the ‘‘attestation on internal controls?’’ Explain the reasons for your answer. 6. If an ‘‘attestation on internal controls’’ were required of credit unions, should it be required annually or less frequently? Why? 7. If an ‘‘attestation on internal controls’’ were required of credit unions, when should the requirement become effective (i.e., in the fiscal period beginning after December 15 of what year)? B. Standards Governing Internal Control Assessments and Attestations Management’s responsibility in an ‘‘attestation on internal controls’’—to report its assessments of the effectiveness of the internal control structure and procedures established and maintained by the credit union— and the external auditor’s responsibility—to examine, attest to, and report on management’s assessments—each must be done in accordance with a standard recognized by the auditing industry. For management, the most commonly recognized standard for establishing, maintaining and assessing the effectiveness of the internal control structure is the Internal Control— Integrated Framework (1994 ed.) developed by the Committee of Sponsoring Organizations of the Treadway Commission (‘‘COSO’’). For the external auditor’s attestation, the standard for non-public companies thus far has been the American Institute of Certified Public Accountants (‘‘AICPA’’) AT 501 internal control attestation standard. The AICPA has exposed for public comment a revised AT 501 that is more in line with the Public Company Accounting Oversight Board’s (‘‘PCAOB’’) Auditing Standard No. 2 (‘‘AS 2’’) that applies to public companies under Sarbanes-Oxley, 15 U.S.C. 7262(b). The final revisions to AT 501 are likely to require greater documentation and testing of internal control over financial reporting by E:\FR\FM\23FEP1.SGM 23FEP1 9280 Federal Register / Vol. 71, No. 36 / Thursday, February 23, 2006 / Proposed Rules management to enable the auditor to fulfill the attestation responsibility.3 To assist the NCUA Board in determining what assessment and attestation standards should apply to credit union ‘‘attestation on internal controls’’ engagements, please comment in response to the following questions: Question No. 8. If credit unions were required to obtain an ‘‘attestation on internal controls,’’ should part 715 require that those attestations, whether for a natural person or corporate credit union, adhere to the PCAOB’s AS 2 standard that applies to public companies, or to the AICPA’s revised AT 501 standard that applies to non-public companies? Please explain your preference. 9. Should NCUA mandate COSO’s Internal Control—Integrated Framework as the standard all credit union management must follow when establishing, maintaining and assessing the effectiveness of the internal control structure and procedures, or should each credit union have the option to choose its own standard? C. Qualificatons of Supervisory Committee Members cchase on PROD1PC60 with PROPOSALS A credit union’s Supervisory Committee is appointed by its board of directors and ‘‘shall consist of not less than three members nor more than five, one of whom may be a director other than the compensated officer of the board.’’ 12 U.S.C. 1761(b). Further, ‘‘no member of the credit committee, if applicable, or any employee of th[e] credit union may be appointed to the committee.’’ NCUA, Federal Credit Union Standard ByLaws Art. IX, section 1 (Rev. 10/99), 65 FR 55760 (Oct. 14, 1999). See also 70 FR 40924, 40928 (July 15, 2005). Apart from these disqualifications based on position and not asset size, part 715 imposes no affirmative qualifications as a prerequisite to serve on a Supervisory Committee. For financial institutions other than credit unions, the audit committee is the analog to a credit union Supervisory Committee. For institutions with total assets of $1 billion or more, FDIC requires the audit committee to be comprised completely of members who are independent of management of the institution. 12 CFR 363.5(a)(1). If this 3 AS 2 is available at: http://www.pcaobus.org/ Standards/StandardsandRelatedRules/Auditing StandardNo.2.aspx. For the exposure draft of revised AT 501, see AICPA Auditing Standards Board, Proposed Statement on Standards for Attestation Engagements dated Jan. 19, 2006, available at: http://www.aicpa.org/download/ exposure/EDAT501.pdf. VerDate Aug<31>2005 16:33 Feb 22, 2006 Jkt 208001 limitation were to apply to Supervisory Committees, 103 natural persons and 17 corporate credit unions would be affected. For institutions with total assets of $500 million or more but less than $1 billion, FDIC requires the majority of the members of the audit committee to be independent of management of the institution. 12 CFR 363.5(a)(2). If this limitation were to apply to Supervisory Committees, 258 natural persons and 22 corporate credit unions would be affected. Exceptions to these restrictions are permitted when it imposes a hardship in recruiting and retaining competent members. Id. Finally, for institutions with total assets of more then $3 billion, FDIC requires audit committee members to have banking or related financial management expertise, access to their own outside counsel, and no association with any large customer of the institution. 12 CFR 363.5(b). If the asset threshold for these qualifications were to apply to Supervisory Committees, 12 natural person and 6 corporate credit unions would be affected. To assist the NCUA Board in determining whether to develop such qualifications as prerequisites for Supervisory Committee membership, please respond to the following questions: Question No. 10. Should Supervisory Committee members of credit unions above a certain minimum asset size threshold be required to have a minimum level of experience or expertise in credit union, banking or other financial matters? If so, what criteria should they be required to meet and what should the minimum asset size threshold be? 11. Should Supervisory Committee members of credit unions above a certain minimum asset size threshold be required to have access to their own outside counsel? If so, at what minimum asset size threshold? 12. Should Supervisory Committee members of credit unions above a certain minimum asset size threshold be prohibited from being associated with any large customer of the credit union other than its sponsor? If so, at what minimum asset size threshold? 13. If any of the qualifications addressed in questions 10, 11 and 12 above were required of Supervisory Committee members, would credit unions have difficulty in recruiting and retaining competent individuals to serve in sufficient numbers? If so, describe the obstacles associated with each qualification. PO 00000 Frm 00003 Fmt 4702 Sfmt 4702 D. Independence of State-Licensed, Compensated Auditors Under existing part 715, a financial statement audit of a federally-insured credit union must be ‘‘performed in accordance with GAAS by an independent person who is [Statelicensed].’’ 12 CFR 715.5(a). GAAS incorporates the AICPA ‘‘independence’’ standards that apply when an independent, licensed certified public accountant audits financial statements. 12 CFR 715.2(f). FDIC requires independent accountants who audit institutions with assets of $500 million or more to not only meet the AICPA’s Code of Professional Conduct, but also to meet the ‘‘independence’’ standards and interpretations of the U.S. Securities and Exchange Commission (‘‘SEC’’) and its staff.4 12 CFR part 363 App. A ¶ 14. To assist the NCUA Board in determining what ‘‘independence’’ standards should apply to Statelicensed, compensated auditors, please comment in response to the following question: Question No. 14. Should a State-licensed, compensated auditor who performs a financial statement audit and/or ‘‘internal control attestation’’ be required to meet just the AICPA’s ‘‘independence’’ standards, or should they be required to also meet SEC’s ‘‘independence’’ requirements and interpretations? If not both, why not? E. Audit Options, Reports and Engagements Experience with part 715 over the last six years has raised a number of miscellaneous issues. To assist the NCUA Board in addressing these issues, please respond to the following questions: Question No. 15. Is there value in retaining the ‘‘balance sheet audit’’ in existing § 715.7(a) as an audit option for credit unions with less than $500 million in assets? 16. Is there value in retaining the ‘‘Supervisory Committee Guide audit’’ in existing § 715.7(c) as an audit option for credit unions with less than $500 million in assets? 4 For GAAS ‘‘independence’’ standards, see generally AU § 220—Independence in AICPA, Professional Standards (updated 12/05) and ET § 100—Independence, Integrity and Objectivity in AICPA, Code of Professional Conduct. For SEC ‘‘independence’’ standards and interpretations, see generally SEC, Strengthening the Commission’s Requirements Regarding Auditor Independence, Release Nos. 33–8183; 34–47265; 35–27642; IC– 25915; IA–2103, FR–68, File No. S7–49–02 (January 28, 2003), 68 FR 6005 (Feb. 5, 2003). E:\FR\FM\23FEP1.SGM 23FEP1 Federal Register / Vol. 71, No. 36 / Thursday, February 23, 2006 / Proposed Rules cchase on PROD1PC60 with PROPOSALS 17. Should part 715 require credit unions that obtain a financial statement audit and/or an ‘‘attestation on internal controls’’ (whether as required or voluntarily) to forward a copy of the auditor’s report to NCUA? If so, how soon after the audit period-end? If not, why not? 18. Should part 715 require credit unions to provide NCUA with a copy of any management letter, qualification, or other report issued by its external auditor in connection with services provided to the credit union? If so, how soon after the credit union receives it? If not, why not? 19. If credit unions were required to forward external auditors’ reports to NCUA, should part 715 require the auditor to review those reports with the Supervisory Committee before forwarding them to NCUA? 20. Existing part 715 requires a credit union’s engagement letter to prescribe a target date of 120 days after the audit period-end for delivery of the audit report. Should this period be extended or shortened? What sanctions should be imposed against a credit union that fails to include the target delivery date within its engagement letter? 21. Should part 715 require credit unions to notify NCUA in writing when they enter into an engagement with an auditor, and/or when an engagement ceases by reason of the auditor’s dismissal or resignation? If so in cases of dismissal or resignation, should the credit union be required to include reasons for the dismissal or resignation? 22. NCUA recently joined in the final Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters, 71 FR 6847 (Feb. 9, 2006). Should credit union Supervisory Committees be prohibited by regulation from executing engagement letters that contain language limiting various forms of auditor liability to the credit union? Should Supervisory Committees be prohibited from waiving the auditor’s punitive damages liability? By the National Credit Union Administration Board on February 16, 2006. Mary F. Rupp, Secretary of the Board. [FR Doc. E6–2531 Filed 2–22–06; 8:45 am] BILLING CODE 7535–01–P VerDate Aug<31>2005 16:33 Feb 22, 2006 Jkt 208001 DEPARTMENT OF TRANSPORTATION Federal Aviation Administration 14 CFR Part 39 [Docket No. FAA–2006–23704; Directorate Identifier 2006–NE–02–AD] RIN 2120–AA64 Airworthiness Directives; Honeywell International Inc. TPE331 Series Turboprop, and TSE331–3U Model Turboshaft Engines Federal Aviation Administration (FAA), Department of Transportation (DOT). ACTION: Notice of proposed rulemaking (NPRM). AGENCY: SUMMARY: The FAA proposes to adopt a new airworthiness directive (AD) for certain Honeywell International Inc. TPE331 series turboprop, and TSE331– 3U model turboshaft engines. This proposed AD would require implementing a new flight cycle counting method for first, second, and third-stage turbine rotors used in aircraft that make multiple takeoffs and landings without an engine shutdown, and removing turbine rotors from service that have reached or exceeded their cycle life limits. This new flight cycle counting method would require determining total equivalent cycles accrued. This proposed AD results from several reports of uncontained turbine rotor separation on engines used in special-use operations. We are proposing this AD to prevent uncontained failure of the turbine rotor due to low-cycle-fatigue (LCF), and damage to the aircraft. DATES: We must receive any comments on this proposed AD by April 24, 2006. ADDRESSES: Use one of the following addresses to comment on this proposed AD. • DOT Docket Web site: Go to http://dms.dot.gov and follow the instructions for sending your comments electronically. • Government-wide rulemaking Web site: Go to http://www.regulations.gov and follow the instructions for sending your comments electronically. • Mail: Docket Management Facility; U.S. Department of Transportation, 400 Seventh Street, SW., Nassif Building, Room PL–401, Washington, DC 20590– 0001. • Fax: (202) 493–2251. • Hand Delivery: Room PL–401 on the plaza level of the Nassif Building, 400 Seventh Street, SW., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. PO 00000 Frm 00004 Fmt 4702 Sfmt 4702 9281 You can get the service information identified in this proposed AD from Honeywell Engines, Systems & Services, Technical Data Distribution, M/S 2101– 201, P.O. Box 52170, Phoenix, AZ 85072–2170; telephone: (602) 365–2493 (General Aviation); (602) 365–5535 (Commercial); fax: (602) 365–5577 (General Aviation and Commercial). You may examine the comments on this proposed AD in the AD docket on the Internet at http://dms.dot.gov. FOR FURTHER INFORMATION CONTACT: Joseph Costa, Aerospace Engineer, Los Angeles Aircraft Certification Office, FAA, Transport Airplane Directorate, 3960 Paramount Blvd., Lakewood, CA 90712–4137; telephone (562) 627–5246; fax (562) 627–5210. SUPPLEMENTARY INFORMATION: Comments Invited We invite you to send us any written relevant data, views, or arguments regarding this proposal. Send your comments to an address listed under ADDRESSES. Include ‘‘Docket No. FAA– 2006–23704; Directorate Identifier 2006–NE–02–AD’’ in the subject line of your comments. We specifically invite comments on the overall regulatory, economic, environmental, and energy aspects of the proposed AD. We will consider all comments received by the closing date and may amend the proposed AD in light of those comments. We will post all comments we receive, without change, to http:// dms.dot.gov, including any personal information you provide. We will also post a report summarizing each substantive verbal contact with FAA personnel concerning this proposed AD. Using the search function of the DOT Web site, anyone can find and read the comments in any of our dockets, including the name of the individual who sent the comment (or signed the comment on behalf of an association, business, labor union, etc.). You may review the DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477–78) or you may visit http:// dms.dot.gov. Examining the AD Docket You may examine the docket that contains the proposal, any comments received and, any final disposition in person at the DOT Docket Office between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. The Docket Office (telephone (800) 647– 5227) is located on the plaza level of the Department of Transportation Nassif Building at the street address stated in E:\FR\FM\23FEP1.SGM 23FEP1

Agencies

[Federal Register Volume 71, Number 36 (Thursday, February 23, 2006)]
[Proposed Rules]
[Pages 9278-9281]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E6-2531]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 71, No. 36 / Thursday, February 23, 2006 / 
Proposed Rules

[[Page 9278]]



NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 704, 715, and 741


Supervisory Committee Audits

AGENCY: National Credit Union Administration (NCUA).

ACTION: Advance notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The National Credit Union Administration (NCUA) requests 
public comment on whether and how to modify its Supervisory Committee 
audit rules to require credit unions to obtain an ``attestation on 
internal controls'' in connection with their annual audits; to identify 
and impose assessment and attestation standards for such engagements; 
to impose minimum qualifications for Supervisory Committee members; and 
to identify and impose a standard for the independence required of 
State-licensed, compensated auditors.

DATES: Comments must be received on or before April 24, 2006.

ADDRESSES: You may submit comments by any one of the following methods 
(Please send comments by one method only):
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     NCUA Web Site: http://www.ncua.gov/
RegulationsOpinionsLaws/proposed_regs/proposed_regs.html. Follow the 
instructions for submitting comments.
     E-mail: Address to regcomments@ncua.gov. Include ``[Your 
name] Comments on Part 715 ANPR, Supervisory Committee Audits'' in the 
e-mail subject line.
     Fax: (703) 518-6319. Use the subject line described above 
for e-mail.
     Mail: Address to Mary Rupp, Secretary of the Board, 
National Credit Union Administration, 1775 Duke Street, Alexandria, 
Virginia 22314-3428.
     Hand Delivery/Courier: Same as mail address.

FOR FURTHER INFORMATION CONTACT: Karen Kelbly, Chief Accountant, Office 
of Examination and Insurance, telephone: (703) 518-6389; Steven W. 
Widerman, Trial Attorney, Office of General Counsel, telephone: (703) 
518-6557.

SUPPLEMENTARY INFORMATION:

I. Background

A. Existing Part 715

    In 1998, the Credit Union Membership Access Act (``CUMAA''), Public 
Law 105-219, 112 Stat. 913 (1998), amended the Federal Credit Union Act 
to require credit unions having assets of $10 million or more to follow 
generally accepted accounting principles (``GAAP'') in all reports and 
statements filed with the NCUA Board. 12 U.S.C. 1782(a)(6)(C). CUMAA 
further required credit unions having assets of $500 million or more to 
obtain an annual independent audit of its financial statements 
(``financial statement audit'') performed in accordance with generally 
accepted auditing standards (``GAAS'') by an independent certified 
public accountant or public accountant licensed by the appropriate 
State or jurisdiction. 12 U.S.C. 1782(a)(6)(D).
    Beyond the requirement to adhere to GAAP, the CUMAA amendments 
imposed no minimum audit requirements on federally-chartered credit 
unions having less than $500 million in assets. See 64 FR 41029 (July 
29, 1999). And in contrast to other federally-insured financial 
institutions, 12 U.S.C. 1831m(c), CUMAA did not require credit unions 
to obtain, in connection with their annual audits, an ``attestation on 
internal controls'' by the credit union's independent accountant 
(hereinafter referred to as ``external auditor'').
    In 1999, NCUA comprehensively overhauled its Supervisory Committee 
audit rules to conform to the CUMAA amendments. 64 FR 41029. Amended 
part 715 follows CUMAA in requiring credit unions having assets of $500 
million or more to annually obtain a financial statement audit. 12 CFR 
715.5. However, part 715 gives those having less than $500 million in 
assets a choice among several audit options: (1) A financial statement 
audit; (2) a ``balance sheet audit''; (3) a ``report on examination of 
internal controls over Call Reporting''; and (4) an audit as prescribed 
by NCUA's Supervisory Committee Guide. 12 CFR 715.7. None of these 
audit options requires an additional ``attestation on internal 
controls'' of the scope prescribed for other federally-insured 
financial institutions.

B. Request for Comments

    Through this Advance Notice of Proposed Rulemaking, the NCUA Board 
seeks public comment in the form of answers to questions on four 
discrete issues: (A) Whether to require credit unions to obtain an 
``attestation on internal controls'' in connection with their annual 
audits (questions 1 through 7 below); (B) What standards should govern 
the assessment and attestation components of such an engagement 
(questions 8 and 9 below); (C) What qualifications should be required 
as prerequisites to serve on a Supervisory Committee (questions 10 
through 13 below); and (D) What standard should dictate the degree of 
independence required of state-licensed, compensated auditors (question 
14 below). The NCUA Board also seeks input on several miscellaneous 
issues involving audit options for credit unions having less than $500 
million in assets, requirements for delivery and regulatory access to 
audit reports, and the terms and conditions in engagement letters, 
including limitations on auditor liability (questions 15 through 22 
below).
    To facilitate consideration of the public's views, please address 
your comments to the questions set forth in section II. below for each 
subject. To maximize the value of your comments, it is essential to 
explain the reasons that support your conclusions. In addition, it is 
important to organize and identify your comments by corresponding 
question number and subject so that each question is addressed 
separately. You will have a further opportunity to comment 
comprehensively on the issues raised by these questions if the NCUA 
Board issues a proposed rule for public consideration.

II. Issues for Comment

A. Internal Control Assessment and Attestation

    An ``attestation on internal controls'' has two principal 
components. First, management must report its assessments of the 
effectiveness of the internal control structure and procedures

[[Page 9279]]

established and maintained by the credit union. Then, its external 
auditor must examine, attest to, and report separately on management's 
written assertions (i.e., derived from its assessments) on the 
effectiveness of the internal control structure and procedures. The 
scope on an ``attestation on internal controls'' may be limited only to 
the effectiveness of internal controls over financial statements 
prepared for regulatory purposes, such as Call Reports. An example of 
this is the ``report on examination of internal controls over Call 
Reporting,'' an audit option currently available to some credit unions. 
12 CFR 715.7(b). Or the scope on an ``internal control attestation'' 
engagement may extend to the effectiveness of internal controls over 
all financial reporting, i.e., financial statements prepared in 
accordance with GAAP and required regulatory reports.
    The Sarbanes-Oxley Act, Public Law 107-204, 116 Stat. 745, 789 
(2002), enacted in 2002, requires all public companies, in connection 
with an annual financial statement audit, to obtain an ``attestation on 
internal controls'' over financial reporting. 15 U.S.C. 7262. This 
requirement is similar to that which the Federal Deposit Insurance 
Corporation Improvements Act (``FDICIA'') has imposed on federally-
insured financial institutions, other than credit unions, since 1991. 
12 U.S.C. 1831m(c).
    In 2003, the U.S. General Accounting Office (now the U.S. General 
Accountability Office) (``GAO'') suggested that ``NCUA might gain an 
evaluation of an institution's internal controls, comparable to other 
depository institution regulators, if credit unions were required, like 
banks and thrifts, to provide management evaluations of internal 
controls and their auditor's assessments of such evaluations.'' GAO, 
Credit Unions: Financial Condition Has Improved, But Opportunities 
Exist to Enhance Oversight and Share Insurance Management (GAO-04-91) 
(``GAO Report'') at 81. GAO further recommended ``making credit unions 
with assets of $500 million or more subject to the FDICIA requirement 
that management and external auditors report on the internal control 
structure and procedures for financial reporting * * *.'' Id. at 83-84. 
GAO reiterated this recommendation in 2005. GAO, Issues Regarding the 
Tax-Exempt Status of Credit Unions (GAO-06-220T) at 4. However, since 
GAO made its recommendation, the Federal Deposit Insurance Corporation 
(``FDIC'') has increased from $500 million to $1 billion the minimum 
asset size of the institutions required by FDICIA to obtain an 
``attestation on internal controls'' over all financial reporting. 12 
CFR 363.3(b); 70 FR 71226 (Nov. 28, 2005).\1\
---------------------------------------------------------------------------

    \1\ In contrast to NCUA, Congress gave FDIC the authority to 
adjust the minimum asset threshold that triggers FDICIA's audit 
requirements. 12 U.S.C. 1831m(j)(2). Thus, FDICIA originally set the 
minimum asset threshold for requiring a financial statement audit at 
$150 million. 12 U.S.C. 1831m(j)(1). FDIC then raised the threshold 
to $500 million. 12 CFR 363.1(a); 58 FR 31332 (June 2, 1993).
---------------------------------------------------------------------------

    NCUA concurred with GAO's recommendation to consider adopting a 
FDICIA-like attestation requirement, noting that it already provided 
guidance strongly encouraging large credit unions to voluntarily 
provide reporting on internal controls. GAO Report at 84; see enclosure 
to NCUA, Letter to Credit Unions No. 03-FCU-7 (Oct. 2003). GAO left the 
matter of ensuring parity in internal control reporting among all 
federally-insured financial institutions for Congressional 
consideration. However, NCUA believes that legislation is not necessary 
because the agency has the authority-which GAO acknowledged--to 
implement regulations requiring credit unions to provide these reports 
should it become necessary.\2\ Id. at 84-85. To determine the extent to 
which such reports are necessary, the NCUA Board invites public 
comments in response to the following questions:
---------------------------------------------------------------------------

    \2\ See 12 U.S.C. 1761d, 1782a(a)(2), 1789(a)(8) and (11) as 
implemented by 12 CFR 715, 741.202(a) (federally-insured natural 
person credit unions) and 12 U.S.C. 1761d, 1766(a), 1782a(a)(2), 
1789(a)(8) and (11) as implemented by 12 CFR 704.15(a) (federally-
insured corporate credit unions).
---------------------------------------------------------------------------

Questions No.
    1. Should part 715 require, in addition to a financial statement 
audit, an ``attestation on internal controls'' over financial reporting 
above a certain minimum asset size threshold? Explain why or why not.
    2. What minimum asset size threshold would be appropriate for 
requiring, in addition to a financial statement audit, an ``attestation 
on internal controls'' over financial reporting, given the additional 
burden on management and its external auditor? Explain the reasons for 
the threshold you favor.
    3. Should the minimum asset size threshold for requiring an 
``attestation on internal controls'' over financial reporting be the 
same for natural person credit unions and corporate credit unions? 
Explain why.
    4. Should management's assessments of the effectiveness of internal 
controls and the attestation by its external auditor cover all 
financial reporting, (i.e., financial statements prepared in accordance 
with GAAP and those prepared for regulatory reporting purposes), or 
should it be more narrowly framed to cover only certain types of 
financial reporting? If so, which types?
    5. Should the same auditor be permitted to perform both the 
financial statement audit and the ``attestation on internal controls'' 
over financial reporting, or should a credit union be allowed to engage 
one auditor to perform the financial statement audit and another to 
perform the ``attestation on internal controls?'' Explain the reasons 
for your answer.
    6. If an ``attestation on internal controls'' were required of 
credit unions, should it be required annually or less frequently? Why?
    7. If an ``attestation on internal controls'' were required of 
credit unions, when should the requirement become effective (i.e., in 
the fiscal period beginning after December 15 of what year)?

B. Standards Governing Internal Control Assessments and Attestations

    Management's responsibility in an ``attestation on internal 
controls''--to report its assessments of the effectiveness of the 
internal control structure and procedures established and maintained by 
the credit union--and the external auditor's responsibility--to 
examine, attest to, and report on management's assessments--each must 
be done in accordance with a standard recognized by the auditing 
industry. For management, the most commonly recognized standard for 
establishing, maintaining and assessing the effectiveness of the 
internal control structure is the Internal Control--Integrated 
Framework (1994 ed.) developed by the Committee of Sponsoring 
Organizations of the Treadway Commission (``COSO''). For the external 
auditor's attestation, the standard for non-public companies thus far 
has been the American Institute of Certified Public Accountants 
(``AICPA'') AT 501 internal control attestation standard.
    The AICPA has exposed for public comment a revised AT 501 that is 
more in line with the Public Company Accounting Oversight Board's 
(``PCAOB'') Auditing Standard No. 2 (``AS 2'') that applies to public 
companies under Sarbanes-Oxley, 15 U.S.C. 7262(b). The final revisions 
to AT 501 are likely to require greater documentation and testing of 
internal control over financial reporting by

[[Page 9280]]

management to enable the auditor to fulfill the attestation 
responsibility.\3\
---------------------------------------------------------------------------

    \3\ AS 2 is available at: http://www.pcaobus.org/Standards/
StandardsandRelatedRules/Auditing StandardNo.2.aspx. For the 
exposure draft of revised AT 501, see AICPA Auditing Standards 
Board, Proposed Statement on Standards for Attestation Engagements 
dated Jan. 19, 2006, available at: http://www.aicpa.org/download/
exposure/EDAT501.pdf.
---------------------------------------------------------------------------

    To assist the NCUA Board in determining what assessment and 
attestation standards should apply to credit union ``attestation on 
internal controls'' engagements, please comment in response to the 
following questions:
Question No.
    8. If credit unions were required to obtain an ``attestation on 
internal controls,'' should part 715 require that those attestations, 
whether for a natural person or corporate credit union, adhere to the 
PCAOB's AS 2 standard that applies to public companies, or to the 
AICPA's revised AT 501 standard that applies to non-public companies? 
Please explain your preference.
    9. Should NCUA mandate COSO's Internal Control--Integrated 
Framework as the standard all credit union management must follow when 
establishing, maintaining and assessing the effectiveness of the 
internal control structure and procedures, or should each credit union 
have the option to choose its own standard?

C. Qualificatons of Supervisory Committee Members

    A credit union's Supervisory Committee is appointed by its board of 
directors and ``shall consist of not less than three members nor more 
than five, one of whom may be a director other than the compensated 
officer of the board.'' 12 U.S.C. 1761(b). Further, ``no member of the 
credit committee, if applicable, or any employee of th[e] credit union 
may be appointed to the committee.'' NCUA, Federal Credit Union 
Standard ByLaws Art. IX, section 1 (Rev. 10/99), 65 FR 55760 (Oct. 14, 
1999). See also 70 FR 40924, 40928 (July 15, 2005). Apart from these 
disqualifications based on position and not asset size, part 715 
imposes no affirmative qualifications as a prerequisite to serve on a 
Supervisory Committee.
    For financial institutions other than credit unions, the audit 
committee is the analog to a credit union Supervisory Committee. For 
institutions with total assets of $1 billion or more, FDIC requires the 
audit committee to be comprised completely of members who are 
independent of management of the institution. 12 CFR 363.5(a)(1). If 
this limitation were to apply to Supervisory Committees, 103 natural 
persons and 17 corporate credit unions would be affected. For 
institutions with total assets of $500 million or more but less than $1 
billion, FDIC requires the majority of the members of the audit 
committee to be independent of management of the institution. 12 CFR 
363.5(a)(2). If this limitation were to apply to Supervisory 
Committees, 258 natural persons and 22 corporate credit unions would be 
affected. Exceptions to these restrictions are permitted when it 
imposes a hardship in recruiting and retaining competent members. Id.
    Finally, for institutions with total assets of more then $3 
billion, FDIC requires audit committee members to have banking or 
related financial management expertise, access to their own outside 
counsel, and no association with any large customer of the institution. 
12 CFR 363.5(b). If the asset threshold for these qualifications were 
to apply to Supervisory Committees, 12 natural person and 6 corporate 
credit unions would be affected. To assist the NCUA Board in 
determining whether to develop such qualifications as prerequisites for 
Supervisory Committee membership, please respond to the following 
questions:
Question No.
    10. Should Supervisory Committee members of credit unions above a 
certain minimum asset size threshold be required to have a minimum 
level of experience or expertise in credit union, banking or other 
financial matters? If so, what criteria should they be required to meet 
and what should the minimum asset size threshold be?
    11. Should Supervisory Committee members of credit unions above a 
certain minimum asset size threshold be required to have access to 
their own outside counsel? If so, at what minimum asset size threshold?
    12. Should Supervisory Committee members of credit unions above a 
certain minimum asset size threshold be prohibited from being 
associated with any large customer of the credit union other than its 
sponsor? If so, at what minimum asset size threshold?
    13. If any of the qualifications addressed in questions 10, 11 and 
12 above were required of Supervisory Committee members, would credit 
unions have difficulty in recruiting and retaining competent 
individuals to serve in sufficient numbers? If so, describe the 
obstacles associated with each qualification.

D. Independence of State-Licensed, Compensated Auditors

    Under existing part 715, a financial statement audit of a 
federally-insured credit union must be ``performed in accordance with 
GAAS by an independent person who is [State-licensed].'' 12 CFR 
715.5(a). GAAS incorporates the AICPA ``independence'' standards that 
apply when an independent, licensed certified public accountant audits 
financial statements. 12 CFR 715.2(f). FDIC requires independent 
accountants who audit institutions with assets of $500 million or more 
to not only meet the AICPA's Code of Professional Conduct, but also to 
meet the ``independence'' standards and interpretations of the U.S. 
Securities and Exchange Commission (``SEC'') and its staff.\4\ 12 CFR 
part 363 App. A ] 14. To assist the NCUA Board in determining what 
``independence'' standards should apply to State-licensed, compensated 
auditors, please comment in response to the following question:
---------------------------------------------------------------------------

    \4\ For GAAS ``independence'' standards, see generally AU Sec.  
220--Independence in AICPA, Professional Standards (updated 12/05) 
and ET Sec.  100--Independence, Integrity and Objectivity in AICPA, 
Code of Professional Conduct. For SEC ``independence'' standards and 
interpretations, see generally SEC, Strengthening the Commission's 
Requirements Regarding Auditor Independence, Release Nos. 33-8183; 
34-47265; 35-27642; IC-25915; IA-2103, FR-68, File No. S7-49-02 
(January 28, 2003), 68 FR 6005 (Feb. 5, 2003).
---------------------------------------------------------------------------

Question No.
    14. Should a State-licensed, compensated auditor who performs a 
financial statement audit and/or ``internal control attestation'' be 
required to meet just the AICPA's ``independence'' standards, or should 
they be required to also meet SEC's ``independence'' requirements and 
interpretations? If not both, why not?

E. Audit Options, Reports and Engagements

    Experience with part 715 over the last six years has raised a 
number of miscellaneous issues. To assist the NCUA Board in addressing 
these issues, please respond to the following questions:
Question No.
    15. Is there value in retaining the ``balance sheet audit'' in 
existing Sec.  715.7(a) as an audit option for credit unions with less 
than $500 million in assets?
    16. Is there value in retaining the ``Supervisory Committee Guide 
audit'' in existing Sec.  715.7(c) as an audit option for credit unions 
with less than $500 million in assets?

[[Page 9281]]

    17. Should part 715 require credit unions that obtain a financial 
statement audit and/or an ``attestation on internal controls'' (whether 
as required or voluntarily) to forward a copy of the auditor's report 
to NCUA? If so, how soon after the audit period-end? If not, why not?
    18. Should part 715 require credit unions to provide NCUA with a 
copy of any management letter, qualification, or other report issued by 
its external auditor in connection with services provided to the credit 
union? If so, how soon after the credit union receives it? If not, why 
not?
    19. If credit unions were required to forward external auditors' 
reports to NCUA, should part 715 require the auditor to review those 
reports with the Supervisory Committee before forwarding them to NCUA?
    20. Existing part 715 requires a credit union's engagement letter 
to prescribe a target date of 120 days after the audit period-end for 
delivery of the audit report. Should this period be extended or 
shortened? What sanctions should be imposed against a credit union that 
fails to include the target delivery date within its engagement letter?
    21. Should part 715 require credit unions to notify NCUA in writing 
when they enter into an engagement with an auditor, and/or when an 
engagement ceases by reason of the auditor's dismissal or resignation? 
If so in cases of dismissal or resignation, should the credit union be 
required to include reasons for the dismissal or resignation?
    22. NCUA recently joined in the final Interagency Advisory on the 
Unsafe and Unsound Use of Limitation of Liability Provisions in 
External Audit Engagement Letters, 71 FR 6847 (Feb. 9, 2006). Should 
credit union Supervisory Committees be prohibited by regulation from 
executing engagement letters that contain language limiting various 
forms of auditor liability to the credit union? Should Supervisory 
Committees be prohibited from waiving the auditor's punitive damages 
liability?

    By the National Credit Union Administration Board on February 
16, 2006.
Mary F. Rupp,
Secretary of the Board.
 [FR Doc. E6-2531 Filed 2-22-06; 8:45 am]
BILLING CODE 7535-01-P