CUES Member Community

Expand all | Collapse all

Internal Audit Structures

  • 1.  Internal Audit Structures

    Posted 5 days ago
    Good morning everyone, trust this email query finds you well.
    I am seeking to get some feedback around current approaches CUs have taken to establishing internal audit units, especially reporting lines i.e. does the Chief Internal Auditor (or whatever name the very top level of the unit goes by) report to the CU board, CU board-sub-committee, Supervisory Committee? What has been done to ensure independence without losing business efficiency and input?
    Hoping to get good responses to see how we vary across the industry and whether differences are driven by size or charter. Thanks in advance.

    Glyne Harrison
    Group CEO
    Barbados Public Workers' Co-operative CU Ltd
    St Michael

  • 2.  RE: Internal Audit Structures

    Posted 4 days ago
    What a great question. I've worked in environments where IA reported to the CEO and currently, where IA reports to the Supervisory Committee. In the former, although IA reported to the CEO, there was a tight relationship between IA and the SC and it was almost a quasi reporting structure. The key to success is transparency and good communication. I appreciated the fact that this structure felt more like a collaborative, team environment. In the latter structure, despite best efforts, at times there is more of an adversarial feeling. Again, transparency and good communication help here too.

    Looking at both options objectively, I tend to favor IA reporting to the SC. It's more challenging, however I personally think it's more appropriate in retaining independence and preventing undue influence, or things being covered up. In this structure, it's hard for the IA person to report to someone who isn't around much and the position changes frequently too. Might even be unfair at times, but it's hard to get around that unless you keep your same SC chair for a long time.

    I'd love to hear others' opinions on this one. Thanks for bringing it up.

    Brett Noll CME
    Chief Executive Officer
    Securityplus FCU
    Baltimore MD

  • 3.  RE: Internal Audit Structures

    Posted 3 days ago
    Our top level position is our VP-Risk Management. In that role, the VP-RM serves as the head internal auditor. That position has dual-reporting, both to the Supervisory Committee and a "dotted line" to me as the Chief Financial & Risk/Compliance Officer for administrative & management functions over the internal audit role. We are a State-Chartered CU and are $1.15 billion assets, but have had this general reporting structure for quite a few years.

    My perception is that this has worked well but relies on the character of the players. At times when I've had a different perspective about an issue, I will explain my understanding/opinion but reinforce to the VP-RM that they must apply their professional standards if they disagree. In that regard we are pretty open and transparent with each other. I believe I've had a positive influence on the productivity of the VP-RM role, in the sense of discussing how to better balance the "perfection" which internal auditors can sometimes feel compelled to strive for, versus the need to complete a larger number of audits over more areas, etc. I've also encouraged IA toward more use of statistical methods in audit processes and of automation & simplification in producing/finalizing audit reports.

    I am not aware of any issues where our VP-RM has been "over-ridden" except by a previous CEO who injected themself into several issues, superseding both me and our VP-RM (so, there was really an additional, invisible, dotted-line of authority).

    My 2¢ is that independence of the internal audit role can be weakened when the CEO and/or other dotted-line position controls the agenda for, and is in full attendance at, Supervisory Committee meetings. It may be a good idea for Supervisory Committee meetings to include the equivalent of a brief "Executive Session" when just the Committee and the top IA position have an opportunity to discuss issues outside the dotted-line reporting presence.​

    Paul Meissner CCUE, MBA
    Chief Financial & Risk/Compliance Officer
    Credit Union of America
    Wichita KS