The Value of Internal Audit for Credit Unions

Written by Carie Lemley, CIA - Senior Audit Financial Manager, Financial Institutions Group


Credit unions are continually navigating a changing environmental and risk landscape. Governance and risk management are critical components in the proper oversight of strategic initiatives and safeguarding assets. To support these functions, an internal audit can provide independent, objective advice, and promote improvements, change and innovation.   

The Board of Directors (the Board) is ultimately responsible for governance; however, in many credit unions and community banks, there is a Supervisory or Audit Committee responsible for oversight of controls and safeguarding assets. The general responsibilities of the Supervisory Committee, as defined by Regulation 12 CFR §715.3, are as follows:

  • Meet required financial reporting objectives.
  • Establish practices and procedures sufficient to safeguard members’ assets. 

The National Credit Union Administration (NCUA) further discusses responsibilities in the examiner’s guide to include performing or obtaining an annual audit and periodic internal control reviews.  However, performing the periodic reviews of internal controls can be challenging due to time constraints, limited knowledge and available resources.   

Three Lines Model 

The Institute of Internal Auditors’ (IIA) Three Lines Model encourages communication, collaboration, coordination and alignment to enhance risk management and governance. There are six principles that create a framework for the Three Lines Model:

Principle 1: Governance  

Governance of an organization requires appropriate structures and processes that enable:  

  • Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership and transparency.
  • Actions (including managing risk) by management to achieve the objectives of the organization through risk-based decision-making and application of resources.
  • Assurance and advice by an independent internal audit function to provide clarity and confidence, as well as provoke continuous improvement through rigorous inquiry and insightful communication.

Principle 2: Governing Body Roles

The governing body performs the following:  

  • Ensures appropriate structures and processes are established for effective governance.
  • Ensures organizational objectives and activities are aligned with the prioritized interests of stakeholders.
  • Delegates responsibility and resources to management to achieve the objectives of the organization, while ensuring legal, regulatory and ethical expectations are met.
  • Establishes and oversees an independent, objective and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives.

Principle 3: Management and First- and Second-line Roles

Management’s responsibility for actions (including managing risk) to achieve organizational objectives comprises both first- and second-line roles. First-line roles are most directly aligned with the delivery of products and/or services, including support functions to make this possible. Second-line roles aid with managing risk.  

First- and second-line roles may be blended or separated. Some second-line roles may be assigned to specialists to provide complementary expertise, support and monitoring to those with first-line roles. Second-line roles can focus on specific objectives of risk management, such as:

  • Compliance with laws, regulations and acceptable ethical behavior.
  • Information and technology security.
  • Quality assurance.  

Alternatively, second-line roles may span a broader remit for risk management, such as enterprise risk management. However, responsibility for managing risk remains a part of first-line roles and within the scope of management.  

Principle 4: Third-Line Roles  

Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management (including internal control). It reports its findings to management and the governing body to provoke continuous improvement. In doing so, it may consider assurance from other internal and external providers.  

Principle 5: Third-Line Independence  

Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority and credibility. It is established through:  

  • Accountability to the governing body.
  • Unfettered access to people, resources and data needed to complete its work.
  • Freedom from bias or interference in the planning and delivery of audit services.

Principle 6: Creating and Protecting Value

Governing body roles, together with first-, second- and third-line roles, collectively contribute to the creation and protection of value when they are aligned with each other and the prioritized interests of stakeholders. Alignment of activities is achieved through communication, cooperation and collaboration, and supports the reliability, coherence and transparency of information needed for risk-based decision making.

Utilizing Internal Audit 

An internal audit function performed by credit union employees, or an external audit firm, can provide benefits for the Board and management. Many credit unions have staff to fulfill the first- and second-line roles to manage goals, risk and oversight. However, they may lack resources to add staff for internal audit. Hiring an external audit firm can provide the following synergies:

  • Review of internal controls.
  • Best practices for enhancement of current processes.
  • Review of risk management processes to provide an independent evaluation of effectiveness of controls and residual risk.
  • Review of compliance with policies and procedures and state/federal regulation.

An external audit firm allows credit unions to determine an internal audit program and customize audits in relation to resources, risk and efficiency. The firm employs auditors with expertise and knowledge of all areas of operations, risk and compliance. The management team can work with the committee and executive credit union management to determine areas of risk and create a custom internal audit plan to review those areas for compliance and effectiveness. The plan can include as many, or as few, audits as determined by budget, risk and need, and is determined by completing a risk assessment. Internal audit risk assessments help provide a broader picture of risk for the credit union and identify key risk themes. For example, organizational change and staff shortages can result in a lapse in ownership of controls, insufficient oversight or knowledge loss, which can affect the reliability of processes and increase risk. 

An outsourced firm for internal audit also creates an independence component vital to the framework. The auditors are not employees of the credit union and can provide an impartial review of designated areas in the internal audit plan.  

The Best Line of Defense 

Internal audit can strengthen governance and support second-line assurance functions. The IIA’s Global Internal Audit Standards and Guidance, Standard 9.5 Coordination and Reliance, emphasizes the importance and value of internal audit working with other assurance providers. The standard states, “coordination of services minimizes duplication of efforts, highlights gaps in coverage of key risks and enhances the overall value added by providers.”   

Governance and risk management are necessary and required components in the proper oversight of strategic initiatives and safeguarding assets. Using the Three Lines Model allows credit unions to determine the responsibilities for the Board and management, and to utilize the internal audit function to provide assurance and feedback on compliance, internal controls and best practices. Outsourcing or co-sourcing the internal audit function, working alongside an external audit firm like Doeren Mayhew, can also provide specialized knowledge and experience to maximize available financial resources to oversee the ever-changing risk landscape.
