ABC CREDIT UNION INTERNAL AUDIT RATING GUIDELINES

BACKGROUND

These guidelines help define how the Internal Audit Department develops the overall audit rating that appears in the final audit report. The process involves a combination of objective (fact based) information combined with a subjective (professional experience) evaluation of the findings discovered in the course of the audit leading to the assignment of a score in each of four audit categories.

Each audit category has been assigned a relative weight factor. These weight factors are multiplied by scores to develop the weighted score for each audit category. The weight factors add up to 100 points, giving the most importance to regulatory compliance and safeguarding of assets – a weight factor of 25 points to each category.

The rating scores range from 0 to 4, with zero meaning failure to meet standards or losses incurred due to breakdowns of internal controls, and four meaning outstanding. Fractional scoring is used (3.5, 2.75, etc.).

The category weight factor is multiplied by the rating score to reach a maximum possible weighted score of 400 points. The audit rating is then derived by comparing the actual total score to the rating table shown at the end of this document. In some cases, a 300-point system is used if one or more categories are not applicable.

AUDIT RATING CATEGORIES AND WEIGHT FACTORS

Each audit involves tests designed to measure individual compliance with a variety of credit union policies and procedures, including many designed to ensure compliance with applicable consumer laws and regulations. The tests are designed to evaluate management’s effectiveness in training staff, providing adequate supervision and implementing the established policies and procedures in their respective areas of responsibility.

Five audit categories classify the results of our audit testing. Each audit category is assigned a weight factor:

Audit Category                     Weight Factor
Regulatory Compliance              25
Safeguarding of Assets Controls    25
Authorization Controls             20
Transaction Recording Controls     20
Quality of Management              10

Total Possible Points              100

AUDIT RISK CATEGORY

Regulatory Compliance

Many of the credit union’s policies and procedures involve processes designed to comply with a variety of state and federal laws and regulations (e.g. California Financial Code, Uniform Commercial Code, Bank Secrecy Act, Regulation E, Gramm-Leach-Bliley Act, etc.). Consistent compliance with these laws and regulations is extremely important, as the failure to comply can result in civil money penalties and significant reputational risk. Because of this, a weight factor of 25 was assigned to this category.

Safeguarding of Asset Controls

Another significant portion of credit union policies and procedures are designed to ensure both the credit union’s assets and member funds are adequately protected at all times (e.g. safeguarding from theft, fraud, errors, etc.). There are a variety of policies and procedures surrounding physical, data and information security issues. Failure to effectively implement these policies and procedures could result in reputational risk and financial loss to the Credit Union and its members. Because of this, a weight factor of 25 is assigned to this category.

Authorization Controls

This audit category deals with internal control policies and procedures designed to ensure that transactions are properly authorized. For example, the Credit Union requires a member to complete and sign a signature card for every deposit account and a member-signed promissory note, loan, or security agreement for every loan. It also requires transactions to be processed within each employee’s authorized limit, both relating to dollar amount and to the type of transaction the employee is authorized to process. Lending and transactional authority and limits should be established and properly approved by senior management and/or the Board. Therefore, a weight factor of 20 is assigned to this category.

Transaction Recording Controls

This audit category deals with internal control policies and procedures designed to ensure that transactions have been recorded in a timely and accurate manner. This control category encompasses a wide variety of procedural requirements including accurate completion of transactions on Symitar, various logs and other Credit Union systems and documents. It is expected that personnel will properly document all transactions they process. Because of this, a weight factor of 20 is assigned to this category.

Quality of Management

The final audit category addresses the overall quality of management as determined by the findings of the audit. An overall body of relatively minor operational exceptions would suggest an effective level of supervision by the management team. A series of more significant and/or serious exceptions would suggest a need for improved supervision of the staff. A weight factor of 10 is assigned to this category. Along with fact-based findings and subjectivity (professional experience), this score may also be determined simply by taking the average of the four categories previously mentioned.

AUDIT RATING AND SCORING

The process of assigning a score to each audit category involves a combination of objective and subjective analysis. The audit test results provide an objective picture of the types of control weakness found in the audit testing.

It is the responsibility of the Auditor-in-Charge to evaluate the body of findings and determine the appropriate score assigned to each category. Significant control weaknesses that expose the Credit Union to financial loss or significant regulatory action will affect the audit score more significantly than a variety of isolated errors or omissions. On the other hand, if the audit discloses a broad range of policy and procedure exceptions, which illustrate a lack of adequate management oversight of the area under review, this too can seriously affect the assigned audit rating. It is our responsibility to ensure the process of assigning scores is fair and based on the factual results of the audit.

In the following sections, we have attempted to list the factors we use in selecting the appropriate audit score for each category.

OUTSTANDING (1)

• Function/Branch/Department compliance with established Credit Union policies and procedures is consistently applied with minimal exception. Management and staff operate with a minimum of technical operating exceptions.
• Function/Branch/Department management and staff are exceptionally knowledgeable of established policies and procedures, and maintain a goal- and team-oriented culture. Management conducts an effective ongoing training program, which makes all team members aware of the importance of control policies and procedures.
• Personnel meet or exceed established norms for compliance with Credit Union policies, procedures, applicable state and federal laws and regulations.

ABOVE SATISFACTORY (2)

• Function/Branch/Department management team effectively implements established internal controls and manages for compliance with established control and compliance policies and procedures with a couple of moderate to high risk control weaknesses noted in any one category, or one moderate or high risk control weakness with a variety of lesser significant procedural exceptions in one or more control categories.
• Function/Branch/Department personnel comply with Credit Union policies, procedures, state and federal laws and regulations, with some low risk exceptions in various control categories.
• Function/Branch/Department personnel are knowledgeable and well trained.

SATISFACTORY (3)

• Function/Branch/Department management and staff are adequately complying with most Credit Union policies, procedures, state and federal laws and regulations, with fewer than three high or moderate risk control weaknesses noted in any one control category, or a combination of one or two high or moderate risk control weaknesses with a variety of lesser significant procedural exceptions in one or more control categories.
• Internal control of the daily workload meets established standards.
• Training in areas of weakness is needed to prevent development of conditions reflected in the audit.

NEEDS IMPROVEMENT (4)

• Inconsistent compliance with established internal control policies and procedures, with three or more high or moderate risk control exceptions noted in one control category, or a combination of one or two high or moderate risk control weaknesses with a variety of lesser significant procedural exceptions in one or more control categories.
• Function/Branch/Department training program needs improvement and/or additional training required.
• Adequate controls have not been effectively implemented or maintained.
• Staff are inexperienced and/or have not been properly trained.

UNSATISFACTORY (5)

• Function/Branch/Department losses have occurred because of serious breakdown of internal controls. Employees did not appear to comply with applicable state and federal laws and regulations, and credit union policies and procedures.
• A combination of findings indicates control breakdown in several areas with serious loss potential. Many areas need improvement.
• A previous "Needs Improvement" classification was not corrected or improved.
• Knowledge, oversight, and enforcement lacking in the areas under review.
• Exposure to loss exists because of misuse of authority, poor management, and/or lack of staff training.

TABLE A:

INSERT AUDIT OVERALL EVALUATION

TOTAL SCORE    RATING                    SCORE
326-400        OUTSTANDING (1)
226-325        ABOVE SATISFACTORY (2)    315
176-225        SATISFACTORY (3)
76-175         NEEDS IMPROVEMENT (4)
0-75           UNSATISFACTORY (5)

AUDIT CATEGORY                    WEIGHT FACTOR    RATING    WEIGHTED SCORE
REGULATORY COMPLIANCE             25               3.0       75
SAFEGUARDING OF ASSETS            25               4.0       100
AUTHORIZATION CONTROLS            20               3.0       60
TRANSACTION RECORDING CONTROLS    20               2.5       50
QUALITY OF MANAGEMENT             10               3.0       30

TOTAL                             100                        315

RATING SCORES:

4 - Consistent compliance with established internal control procedures, policies and procedures, applicable laws and regulations.
3 - Strong compliance with established internal control procedures, laws and regulations with only minor exceptions.
2 - Satisfactory compliance, with fewer than three high or moderate risk internal control exceptions noted in one control category.
1 - Inconsistent compliance with established internal control policies and procedures, laws and regulations with three or more high or moderate risk control exceptions noted in one control category.
0 - Consistently failed to comply with established control policies and procedures, laws and regulations, and/or fines/penalties assessed causing a loss to the credit union. Immediate training and management oversight required.