With the advent of the Rule 712 (the “CUSO” Rule), all CUSOs must register their activities and financials on the NCUA’s website. It is expected that the NCUA will review this information and then begin examining CUSOs it deems to be a risk to the credit union industry, especially those CUSOs engaged in businesses that the NCUA has little knowledge or understanding of.
Schedule of Tasks
- Is the CUSO engaged in permissible activities or services?
- Are credit union investments or loans in a CUSO permissible, and does the CUSO present risk as a going concern?
- Does the CUSO interact with non-public personally identifiable financial information of members, and if so, does the CUSO have appropriate safeguards?
- Does the CUSO present systemic risk to the credit union clients or owners, particularly with respect to the credit union’s lending portfolio or financial statements?
- Are the CUSO services in compliance with regulations?
The following is a sample estimate on the time to complete various audits. Of course, times could vary considerably given the discrepancy in size and complexity of services offered.
|Audit||Est. Time to Complete|
|Formation and Legality||6 hours|
|Investors and Investments||4 hours|
|Financial Condition||12 hours|
|Data Processing||12 hours|
|Software Development||8 hours|
|IT Services||4 hours|
|ACH Services||2 hours|
|Audit and Compliance||6 hours|
|Loan Servicing||8 hours|
|Account and Back Office||8 hours|
How it Works
The proposed audit plan involves a pre-audit risk assessment, a review based on the NCUA Examiners Manual, and a detailed report on the effectiveness of the CUSOs controls. It is expected that the timeframe from the beginning of the engagement to delivery of the final report will be approximately one-two months. The deliverable will be a report highlighting control deficiencies and which might cause the CUSO to fail any of the above objectives, as well as an estimated cost of remediation if possible. CU*Answers can also provide assistance with the implementation of corrective actions for an additional charge to be determined at that time
The approach to reviewing the controls will follow a systematic pattern of data collection, testing, observations, and analysis. Specifically, this engagement will review:
- Organization and Management
- Financial Condition
- Internal Controls
- Information Security
- Lending Services
- Vendor Assessment
Designated CUSO management will be notified in writing of any matters that, in the opinion of the auditor, are significant deficiencies or material weaknesses in controls that could adversely affect the CUSO’s ability to withstand a regulatory examination.
The engagement will not include an examination of all aspects of your system of internal controls or testing of all areas of its operations, and therefore, we will not express an opinion on your system of internal controls. The engagement will not be able to review or assess any subject matter which would create a conflict of interest between CU*Answers and the CUSO. The engagement will not enable CU*Answers to address legal or regulatory matters or abuses of management discretion, including fraud or defalcations, of which matters should be properly discussed by you with legal counsel. Our procedures will not include a detailed examination of all transactions and cannot be relied on to disclose all errors or irregularities that may exist. Additionally, our engagement is not for the purpose of discovering security flaws within your applications software or networking software. However, we will inform your designated management or Board representative of any such material matters that come to the attention of CU*Answers.
Requirements & Prerequisites
The CUSO shall provide complete, timely information and data to meet the requirements of the engagement. The CUSO shall furnish the required information and data as expeditiously as is necessary for the orderly progress of the work. CU*Answers will rely on the accuracy and completeness of the required information. CU*Answers cannot be held responsible in any way for information provided by the CUSO. The CUSO shall designate a representative authorized to make commitments on the CUSO’s behalf for this Engagement and Agreement. The Authorized Representative shall render decisions promptly to avoid delay in the progress of CU*Answers’ services. The CUSO’s Authorized Representative for this engagement shall be listed in the Agreement and Acceptance section of the Proposal.