As Internal Auditors in the Credit Union Sector WDA were invited to attend a workshop in the Central Bank on 18 July 2018. The subsequent report issued by Central Bank detailed its observations and highlighted Expectations for Internal Audit in the Sector.

WDA completed a detailed self-assessment of its own performance in line with the Central Bank’s Report issued on 18th July 2018 and it is our opinion that the Internal Audit services provided by WDA meets the highest standards expected by the Central Bank.

 

Supervisory Expectations on the Internal Audit Function.

Planning    
CBI Findings WDA Response Compliant
Activities that are determined to be higher risk in a credit union should be audited in more depth and more frequently than activities that are determined to be lower risk –risk based approach.

WDA base all internal work plans and audit testing on a risk based approach. WDA have over 25 years of experience providing services to the Credit Union sector including Audit, Internal Audit, Risk and Compliance. WDA IAF staff have experience in conducting risk assessment of industrial and community credit unions ranging from €15m to €350m assets.

Yes
The IA Function should establish and maintain a system to monitor the implementation of actions agreed by the board of directors which should include a follow up process to ensure that agreed actions have been effectively implemented.

 

All quarterly reports issued to the board are accompanied by a response document. These formally capture the board’s consideration of the findings and response to all findings. WDA review all responses received and follow up on all material/ significant mitigation plans.

Yes

 

Reporting    
CBI Findings WDA Response Compliant
IA reports should provide objective assurance on the effectiveness of the credit union’s risk management, internal control and governance processes. It should be accurate, objective, clear, concise, constructive, and complete and timely -to support boards understanding of weaknesses identified.

WDA IAF reports maintain a formal assessment of the effectiveness of the credit union’s risk management, internal control and governance processes.

Yes
Reports should cover at a minimum:

o   objectives, scope and work undertaken;

o   An opinion on the effectiveness of the credit union’s risk management, internal control and governance processes;

o   Internal audit findings;

o   Recommendations, ranked by priority, with timelines for implementation, and progress on previously agreed action plans.

WDA have developed and tailored the reporting framework to adhere with all legislative requirements whilst maintaining concise and effective communication style. The reports are all issued in an RMP style and are regarded as being user-friendly and highly effective.

 

The WDA internal audit reporting framework has historically been well-received during CBI PRISM inspections. 

Yes

 

Engagement with Board    
CBI Findings WDA Response Compliant
Effective engagement with IA should be evident:

o   Boards should have an awareness and understanding of issues identified by IA.

o   Evidence of board discussion and challenge in relation to IA issues raised.

The IA function should make recommendations to boards on improving the effectiveness of the risk management, internal controls and governance processes

All reports issued to Board are accompanied by a response document that formalises the Board’s responses and requires direct engagement with the Board.

Yes

 

Priority Areas    
CBI Findings WDA Response Compliant
Appropriate and effective systems of control are at the core of mitigating operational risk. These include regular verification and reconciliation of transactions and accounts, as well as appropriate segregations of duties, including procedures to deal with key person risk.

WDA have designed a suite of verification tests to gain sufficient assurance with the internal control environment.

 

Once WDA determined that the risk of internal control failure is sufficiently low the process of implementation of a thematic review cycle can commence.

Yes
‘IT’ is a major enabler of strategy and business development for credit unions. The operational risks associated with this area need to be appropriately managed, monitored and reviewed given the reliance on and the pace of change in this area.

WDA have designed and executed a detailed Internal Audit review of IT Infrastructure and Environment in credit unions. 

Yes
AML/CFT framework should be included in the risk assessment undertaken by IA–the board should consider, on at least an annual basis, whether the AML/CFT framework should be tested by IA.

WDA have designed and executed a detailed Internal Audit review of AML/CTF in credit unions.

Yes

Supervisory Observations on the Internal Audit Function                                                                                                    

CBI Findings WDA Response Compliant
Governance/Oversight
Ineffective engagement with the IA function, including a lack of written responses or challenge to reports from the IA function by the board.

The WDA reporting framework includes a ‘Response Document’ which requires the Board to formally respond on all IAF findings and recommendations.

Yes
Failure of boards to adequately monitor the quality of the IA function.

WDA have reported to Boards the requirement to document a formal appraisal of the IAF on an annual basis. WDA have received feedback resulting from these reviews in the past and incorporated improvements/ amendments to the process as a result.

Yes
Planning    
Plans lacking in detail and not demonstrating comprehensive work plans in place.

Annual audit plan designed and discussed with management team including plans for each quarter’s theme. Themes selected on a risk based approach. WDA identify areas with potential control weaknesses and outline areas to be reviewed therein. Comprehensive work plan not reflected in the audit plan as the audit plan is initially set in Q4 of the preceding year and the detailed plan of works is considered when the lead auditor is scoping the areas of weakness in the upcoming quarter.

Yes
Lack of formal remediation plans to address findings in previous IA reports.

 

All findings in IAF report include details recommendations and expected timelines for remediation.

Yes
Approach/Methodology
Lack of IA testing in key risk areas e.g. bank reconciliations, IT controls, credit underwriting and risk and compliance functions.

WDA have designed and implemented detailed thematic reviews of ‘IT’ Controls, Credit Underwriting and Credit Environment and Risk and Compliance functions. On all new IAF engagements WDA complete quarterly reviews of the bank and cash reconciliations until sufficient assurances have been sought regarding internal controls and the internal control environment. IAF will maintain testing on the bank and cash to ensure sufficient internal controls and financial controls are in place to mitigate the potential risk to error or fraud in the bank and cash reconciliations.

Yes
Examples of weaknesses concerning testing of branch locations (where applicable), including lack of evidence of testing by IA function in branches.

WDA have internal audit clients with multiple branch locations. Within the annual audit plan WDA included branch reviews and testing. The review included; visits on site in each branch location; testing of process and controls and interviews with branch staff.

Yes
No consideration given by IA to external audit management letters or third party external review reports.

 

WDA IAF maintain a review of all external reports and have reviewed the audit management letter in detail on an annual basis. These reviews are incorporated into the document review process in each quarter regardless of the theme.

Yes
Reporting    
o   Issues not identified in reports

o   Issues not appropriately ranked/prioritised

o   Lack of awareness at board level of issues identified by IA

o   Lack of review/response by the board of directors Lack of tracking of issues raised in IA Reports by boards and/or IA

WDA have modified and expanded the IAF reporting structure to ensure that all findings are laid out in the established ‘RMP’ format. This provides clarity on the issues/ expectations/ remediation and facilitates the Boards response to the findings. IAF are content that the reporting framework has been sufficiently developed to an acceptable standard and has repeatedly been positively appraised by PRISM inspectors.

Yes

If you wish to discuss internal audit services or want us to provide a quotation for services please do not hesitate to contact us: