[Federal Register Volume 61, Number 154 (Thursday, August 8, 1996)]
[Rules and Regulations]
[Pages 41312-41326]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-19511]


=======================================================================
-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 701


Supervisory Committee Audits and Verifications

AGENCY: National Credit Union Administration (NCUA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The National Credit Union Administration (NCUA) is amending 
its regulations governing credit union supervisory committee audits and 
verifications. The final amendments clarify existing audit scope; 
expand audit scope and reporting requirements for compensated auditors 
only; require a comprehensive engagement letter setting forth minimum 
contracting terms and conditions; clarify existing working paper access 
requirements; expressly state available administrative sanctions for 
failure to comply with supervisory

[[Page 41313]]

committee audit requirements and working paper access requirements; and 
add relevant definitions of accounting/auditing terms use throughout 
the regulation.

EFFECTIVE DATE: December 31, 1996.

FOR FURTHER INFORMATION CONTACT: Karen Kelbly, Accounting Officer, 
Office of Examination and Insurance (703) 518-6360, or Michael McKenna, 
Attorney, Office of General Counsel (703) 518-6540, at 1775 Duke 
Street, Alexandria, Virginia 22314-3428.

SUPPLEMENTARY INFORMATION: 

A. Background

    Section 701.12 of NCUA's Regulations sets forth the supervisory 
committee's responsibility in meeting the audit and verification 
requirements of section 115 of the Federal Credit Union Act, 12 U.S.C. 
Sec. 1761d. A supervisory committee audit is required at least once 
every calendar year covering the period since the last audit. The scope 
of the audit must be sufficient, at a minimum, to test the federal 
credit union's assets, liabilities, equity, income, and expenses for 
existence, proper cut off, valuations, ownership, disclosures and 
classification, and internal controls. Section 741.202 of NCUA's Rules 
and Regulations, 12 CFR 741.12, make these requirements applicable to 
federally insured state-chartered credit unions.
    NCUA continues to have concerns with the scope of the supervisory 
committee audit and with access to working papers supporting such 
audits. The Board felt there was a need to amend the regulation 
because:
     Many supervisory committee audits have been inadequate;
     Examiners have been placed in the position of brokering 
disputes between external auditors and supervisory committees relative 
to audit inadequacy;
     The standards supervisory committee have been held to are 
not definitive;
     Examiner access to ``proprietary working papers'' has been 
limited;
     Greater uniformity in audit scope is needed; and
     The addition of definitions is needed to enhance clarity.
    Consequently, on October 19, 1995, the Board issued proposed 
amendments to the regulation governing credit union supervisory 
committee audits and verifications (Section 701.12 of NCUA's 
Regulations) 60 F.R. 55663 (November 2, 1995). On December 19, 1995, 
the Board extended the comment period to January 18, 1996. 60 F.R. 
66952 (December 27, 1995). The proposed amendments: (1) clarified 
existing audit scope; (2) expanded audit scope and reporting 
requirements for compensated auditors only; (3) required a 
comprehensive engagement letter setting forth minimum contracting terms 
and conditions; (4) clarified existing working paper access 
requirements; (5) expressly stated available administrative sanctions 
for failure to comply with supervisory committee audit requirements and 
working paper access requirements; and (6) added relevant definitions 
of accounting/auditing terms used throughout the regulation.

B. Comments

    One hundred and eighteen comments were received. Comments were 
received from sixty-nine federal credit unions, nine state chartered 
credit unions, twenty-one state leagues, four national credit union 
trade associations, eleven certified public accounting firms, one 
internal auditor, one certified public accountant trade organization, 
and one government agency. NCUA also received one anonymous electronic 
mail.
    Eight commenters express complete support for the proposal. Fifteen 
commenters oppose the entire proposal. Twelve of these commenters 
believe that the current system is working well and that the proposed 
amendments will simply result in increased costs without any increased 
service. Ninety-seven commenters express varied levels of support for 
the proposal; however, most of these commenters had one or more 
objections to the proposal. A recurring theme among these commenters 
was that the proposal would hurt small credit unions. Another recurring 
theme was that the proposed amendments, in effect, require an opinion 
audit. Finally, a number of commenters believe the proposed amendments 
would increase costs to credit unions.
    The Board believes the final regulation reasonably balances the 
concerns of those opposing additional burden for small credit unions 
with the need for complete and reliable credit union audits. The Board 
appreciates the obstacles small credit unions face when operating in 
today's environment and does not wish to add to that burden 
unnecessarily. The amendments to this regulation will not have a 
significant impact on a credit union which meets its supervisory 
committee audit obligations in any of the following ways:
     The credit union's supervisory committee performs the 
audit itself.
     The credit union's internal auditor performs the audit.
     The supervisory committee recruits a member or volunteer 
who performs the audit (i.e., the member or volunteer is not in the 
business of performing compensated audits for credit unions).
     The supervisory committee obtains an opinion audit.
    If the supervisory committee itself or its uncompensated designated 
representative performs the supervisory committee audit as prescribed 
in Sec. 701.12(c)(5)(i)(D), the following portions of the proposed 
regulation will not apply to the supervisory committee audit:
     Sec. 701.12(c)(4)--Increased scope requirements in 
designated areas;
     Sec. 701.12(c)(5)(i)(A-C)--Opinion audits and agreed-upon 
procedures in relation to compensated auditors; and
     Sec. 701.12(d)--Engagement letter requirements.
    Additionally, NCUA will revise its Supervisory Committee Guide for 
Federal Credit Unions for targeted release prior to December 31, 1996. 
The revised Guide will provide guidance to assist a supervisory 
committee itself or its uncompensated designated representative in 
meeting the applicable requirements of this regulation.
    If the supervisory committee employs an auditor who is defined as a 
``compensated auditor'' to perform (or assist in performing) the audit, 
the following additional requirements will be necessary:
     An engagement letter between the credit union and the 
compensated auditor;
     Expanded audit scope in certain areas if the compensated 
auditor is engaged to address, and agrees to take on, these areas; and
     Notification in writing of reportable conditions or errors 
and irregularities, if any, discovered in the normal course of the 
audit.

------------------------------------------------------------------------
                                           SC Audit performed by        
                                 ---------------------------------------
                                      Supervisory                       
      Requirement addressed          committee or                       
                                   designated  non-       Compensated   
                                      compensated           auditor     
                                        auditor                         
------------------------------------------------------------------------
Engagement Letter...............  No engagement       Engagement letter 
                                   letter              required.        
                                   requirement.                         

[[Page 41314]]

                                                                        
Scope...........................  As exists under     As exists under   
                                   current             current          
                                   regulation.         regulation, plus 
                                                       expanded scope in
                                                       identified       
                                                       areas.1          
Testing/Procedures Performed in   Regulation          Regulation        
 Accordance With.                  identifies          identifies       
                                   specific            specific         
                                   standards which     standards which  
                                   apply.              apply.           
Reporting Standards.............  As exists under     As exists under   
                                   current             current          
                                   regulation.         regulation, plus 
                                                       ``reportable     
                                                       conditions,'' if 
                                                       any, and ``errors
                                                       and              
                                                       irregularities,''
                                                       if any, simply   
                                                       ``reduced to     
                                                       writing''.1      
------------------------------------------------------------------------
1 Distinguishable from an opinion audit because the following are not   
  required: full scope of opinion audit, financial statements, related  
  disclosures, auditor's opinion, or negative assurance.                


    Comments Relating to Current Sec. 701.12. Throughout the comment 
letters of accounting/auditing professionals were a series of comments 
addressing conditions which apply equally to the current and to the 
revised Sec. 701.12. These include:
    1. Auditing work should not be performed by lay individuals; CPAs 
alone have the professional proficiency to perform audits.
    2. The proposed regulations put CPAs at an economic disadvantage to 
compete in the credit union marketplace. A CPA performing a supervisory 
committee audit would be bound by the professional auditing standards 
promulgated by AICPA and the State Board of Accountancy, while a non-
CPA is not so burdened. CPA would not be able to charge fees 
competitive with (i.e., as low as) that of non-CPA.
    3. CPAs are concerned about the ability of non-CPA examiners to 
review CPA's work.
    4. CPAs may limit themselves to performing only opinion audits for 
credit unions. A new auditing standard, Statement of Auditing Standard 
(SAS) No. 75, governing agreed-upon procedures engagements requires 
users of agreed-upon procedures reports to acknowledge the sufficiency 
of such procedures in satisfying the requirements of the specified 
user. If the CPA cannot get the specified user to do this (in advance 
of the engagement), then the only work a CPA could perform for a 
specified user would be an opinion audit. The thrust of this comment is 
that NCUA would qualify as a ``specified user'' and would, therefore, 
have to acknowledge the sufficiency of the procedures prior to each 
credit union's engagement of a CPA.
    Each of these comments applies equally to the current regulation 
and the amended version being issued as a final rule; they are not 
exacerbated by the amendments. The source of some of the conditions 
addressed in the comments is not, if fact, any action by NCUA, but 
rather, exists due to the actions of others. The first three 
conditions, which we will address first, are relatively straight-
forward; the SAS No. 75 issue is more complex and is addressed in 
section K.
    The first condition will exist as long as NCUA allows auditors 
other than licensed, independent certified public accountants to 
perform supervisory committee audits. Since the NCUA Board is committed 
to allowing credit union supervisory committees the option to engage 
non-CPA accounting/auditing professionals, there can be no ready 
resolution of this concern either under the current or the amended 
final regulation.
    As to the second area of concern, that CPAs are bound by 
professional standards imposed by state licensing authorities and by 
the AICPA (e.g., education, proficiency, peer review, AICPA 
professional ethics, GAAS, etc.), while non-CPAs are not, this is not 
the result of any additional requirements imposed by NCUA. The NCUA 
Board has no jurisdiction over the imposition of auditing standards 
governing the work of CPAs. The only way to ``regulate away'' the 
purported ``economic disadvantage'' the CPAs would be to limit the 
performance of supervisory committee audits to licensed, independent 
certified public accountants. This would create an ``economic 
disadvantage'' as to all other types of auditors, particularly those 
who audit small credit unions. The NCUA Board does not believe this is 
a viable solution.
    Third, examiners review the work of compensated auditors for 
compliance with this section. Wherein such examination requires the 
non-CPA examiner to review compensated auditor's work for compliance 
with GAAS and a deficiency is suspected, NCUA recognizes it is not an 
authority on GAAP or GAAS. Referral to state accountancy licensing 
authorities or the AICPA Ethics Division, where applicable, will be 
NCUA's means of seeking assistance to make such determinations. NCUA is 
sympathetic to the argument that non-CPAs do not have the knowledge and 
proficiency necessary to determine the extent of substantive testing 
required under GAAS, but it believes they can do so under this section 
which is a lesser, and regulatory defined, standard.
    As to the fourth area of comment, this area is somewhat more 
perplexing. We have discussed SAS No. 75 and related issues in section 
K. Suffice it to say here that this condition exists as a result of the 
new auditing standard promulgated by auditing standards-setters which 
became effective May 1, 1996. The condition exists under the current 
regulation and was not created or aggravated by any NCUA effort to 
amend this regulation. The timing of the SAS No. 75 effective date and 
NCUA's efforts to revise this part are coincidental.
    Areas Seemingly Misunderstood. The comment relative to ``burden on 
small credit unions'' are believed to have resulted primarily from a 
misunderstanding of the proposed amendments. Such comments made 
include:
     The regulations essentially require an opinion audit.
     Audit scope will have to be expanded substantially to 
generate the two additional reports required.
     Working paper access requirements will generate increased 
travel and credit union staff costs.
    Each of these areas are discussed at length below.

C. Definitions

    The proposal added a set of definitions for terms used in the 
regulation. Many of these terms, while familiar to accounting/auditing 
professionals, may be less well know to supervisory committee 
volunteers. The proposed definitions included: (1) Agreed-upon 
procedures; (2) Applicable generally accepted auditing standards 
(GAAS); (3) Audit or Opinion audit; (4) Compensated auditor; (5) 
Financial statements; (6) Generally accepted

[[Page 41315]]

accounting principles (GAAP); (7) Generally accepted auditing standards 
(GAAS); (8) Independence or Independent; (9) Independent, licensed, 
certified public accountant; (10) Internal controls; (11) Other 
comprehensive basis of accounting; (12) Related party transactions; 
(13) Reportable conditions; (14) Substantive testing; (15) Supervisory 
committee; (16) Supervisory committee audit; and (17) Working papers. 
The NCUA Board also requested comment on whether any additional terms 
should be defined in the regulation.
    Eight commenters believe no further terms should be defined while 
three commenters believe the final amendments should define additional 
terms. One commenter requests a definition of ``verifications.'' One 
commenter requests NCUA define ``summary of operations'' One commenter 
believes NCUA should define ``internal auditor'' and ``Standards for 
the Professional Practice of Internal Auditing.'' Thirteen commenters 
believe that the proposal adequately defined the terms listed. Three of 
these commenters state that the definitions are valuable to credit 
unions. Four commenters believed that the proposal does not adequately 
define the listed terms.
    Generally, if several commenters suggested redefinitions along the 
same lines and the suggested language was technically correct, the 
final regulation reflects the revised language. Definitions for 
``internal auditor'' and ``Standards for the Professional Practice of 
Internal Auditing'' were not added as neither of these terms are used 
anywhere in the regulation. A definition for ``verifications'' was not 
added since it is defined and discussed fully in the existing 
regulation, Sec. 701.12(e). ``Summary of operations'' is simply a 
phrase which was used within the ``financial statements'' definition 
which is not critical to an understanding of the definition or the 
regulation; this phrase was dropped. One definition was added and that 
was the SAS No. 75 definition of ``specified elements, accounts or 
items of a financial statement.''
    The definition of ``applicable GAAS'' and the use of that term was 
dropped throughout the regulation. In the proposed regulation, we had 
defined ``applicable GAAS'' as GAAS excluding the second general 
standard and the standards of reporting. In the final regulation, we 
dropped the term ``applicable GAAS'' and instead spelled out five 
specific standards, contained in paragraph (c)(2). The five standards 
were adopted with modifications from the AICPA's ten generally accepted 
auditing standards, again excluding the second general standard and the 
standards of reporting. The Board believes that the use of the term 
``applicable GAAS'' may intimidate laymen; spelling out the specific 
standards intended should help eliminate any apprehension. The Board 
believes these standards are reasonable and attainable.
    The proposal defined ``audit or opinion audit'' in part, as an 
examination of the financial statements performed by an independent, 
licensed, certified public accountant in accordance with generally 
accepted auditing standards. One commenter believes that this 
definition must be modified. This commenter states that an ``audit'' 
and an ``opinion audit'' are not the same thing, and not all credit 
unions need an opinion audit which is performed by an ``independent, 
licensed, certified public accountant.'' One commenter states that 
since the definition applies to the word ``audit'' alone it is unclear 
if this requirement applies everywhere in the regulation where the term 
is used. For example, this commenter states that ``Supervisory 
Committee Audit'' could mean an ``audit'' by a CPA, which the commenter 
believes is beyond the scope of what NCUA is requiring with this 
proposal. This commenter suggests restricting the definition to only 
``opinion audits.'' One commenter states that there is an inconsistency 
between the definition of ``audit'' or ``opinion audit'' and the 
proposed supervisory committee audit in Section 701.12(c). This 
commenter states that the definition states an audit is to be performed 
by an independent, licensed, certified public accountant; whereas 
Section 701.12(c) provides other alternatives in the completion of an 
audit and specifically provides that someone other than a certified 
public accountant such as the supervisory committee may conduct audits.
    Within the accounting profession and as represented in GAAS, 
``audit'' is the term used for an ``opinion audit''. In fact, ``opinion 
audit'' is jargon for ``audit''; the terms are synonymous. However, 
since the use of the term ``audit'' in the regulation without an 
accompanying adjective such as ``opinion'' or ``supervisory committee'' 
was confusing to some of the commenters, we have eliminated the 
definition of ``audit,'' narrowed the definition to ``opinion audit'' 
and use only the term ``audit'' (when used as a noun) throughout the 
regulation preceded by descriptive terms, e.g., opinion audit, or 
supervisory committee audit. As to the alternatives set forth in 
Sec. 701.12(c), these relate to the performance of a supervisory 
committee audit. The scope of an opinion audit exceeds that a 
supervisory committee audit. Thus, an opinion audit which complies with 
GAAS, would exceed the requirements of the regulation.
    The proposal defined a ``compensated auditor'' as any accounting/
auditing professional who is compensated for performing the supervisory 
committee audit and/or verification services. Thirteen commenters 
believe that the term ``compensated auditor'' should be revised so as 
to distinguish between the credit union's internal auditor and the 
credit union's contracted external auditor. These commenters believe 
the proposal could be interpreted so that a compensated auditor is 
defined as an accounting or auditing professional who is employed 
directly by the credit union. Two commenters believe that the term 
``compensated auditor'' should not include someone who simply lends a 
hand to the supervisory committee in completing the audit. Two 
commenters believe that external auditors should be licensed 
professionals (such as CPAs) to ensure that audits are detailed and 
reflect the actual financial condition of the institution.
    The Board found the comments in this area helpful and has amended 
the definitions in response to some of the suggestions. It is not the 
Board's intent to include credit union employees acting in the course 
of their employment (internal auditors) or someone who simply lends a 
hand (volunteer). Nor is the Board comfortable with restricting the 
performance of supervisory committee audits to licensed professionals. 
The definition has been changed to exclude employees and to exclude 
individuals who perform no more than one compensated supervisory 
committee audit per calendar year. The later provision was added to 
ease the burden for small credit unions who may benefit through the 
assistance of a volunteer, someone who simply lends a hand, e.g., the 
local bookkeeper who, while compensated, performs the supervisory 
committee audit (one per calendar year) for a minimal and reasonable 
remuneration.
    The proposal defined generally accepted auditing standards (GAAS) 
in part as the standards approved and adopted by the American Institute 
of Certified Public Accountants which apply when ``independent, 
licensed certified public accountants'' audit financial statements. One 
commenter believes this definition will substantially increase the 
costs of audits for smaller credit unions that do not use a CPA. One 
commenter believes that the definition implies that a CPA is bound

[[Page 41316]]

by GAAS but non-CPAs are exempted from certain provisions and that this 
is unfair to the CPA. One commenter states that the definition does not 
identify which items of GAAS do not apply to the supervisory committee 
or its uncompensated auditor.
    In the final regulation, the Board has eliminated the use of the 
term ``applicable GAAS'' and refers to GAAS only once in the final 
regulation--in paragraph (c)(4), in conjunction with expanded scope for 
compensated auditors. The term ``applicable GAAS'' appeared to 
intimidate many commenters. The Board has replaced this approach by 
listing five relevant standards in the body of the regulation. The 
standards were adopted with modifications from the AICPA's ten 
generally accepted auditing standards, again excluding the second 
general standard and the standards of reporting. Procedures and testing 
performed consistent with the five identified standards are required 
for credit union supervisory committees, whether they hire a 
compensated auditor or not. Scope of work within the guidelines of the 
regulation, and degree of substantive testing (nature, extent and 
timing), are set by the supervisory committee or its designated 
representative based on its assessment of inherent risk, after gaining 
an understanding of the internal control environment. This approach 
does not bind a supervisory committee or its designated representatives 
to those requirements of GAAS which are definitionally unattainable, 
e.g., certain GAAS provisions a non-CPA cannot meet by virtue of the 
fact that he is not a CPA.
    There is no additional burden imposed in redefining the standard 
supervisory committees must meet in the performance of procedures and 
testing. By eliminating the term ``professional auditing procedures and 
standards'' which is non-specific, and replacing it with a listing of 
the five specific, relevant standards, the Board is issuing clearer 
standards. The amendment will not substantially increase burden on 
small credit unions because the regulation clearly does not require a 
CPA opinion audit, neither in scope of work nor reporting burden. There 
is no requirement for financial statements to accompany the report; no 
opinion is necessary; and negative assurance is not required. Since 
many of the commenters misunderstood certain provisions of the proposed 
regulation, their estimates of burden were based on a scope of work and 
reporting requirements substantially greater than what was actually 
proposed and/or intended. An additional burden exists only in the area 
of audit scope (not reporting) when the work is performed by a 
compensated auditor. While there is increased burden to some credit 
unions resulting from this requirement, the Board believes it is 
necessary and minimal.
    The proposal defines ``independence and independent'' as ``without 
bias with respect to the credit union so as to maintain the 
impartiality necessary for the reliability of the compensated auditor's 
findings. Independence requires the exercise of fairness toward credit 
union management, members, creditors and others who may rely upon the 
independent, compensated auditor's report. Auditors must be independent 
in fact and in appearance.''
    Eighteen commenters believe that this definition may pose problems 
for state leagues because some leagues are owned by credit unions for 
which the league provides audit services. These commenters request that 
the definition be clarified because they believe if the proposed 
definition of ``independence'' is strictly applied it could put league 
audit services out of business. They request that the preamble to the 
final amendments specifically state that league auditing programs are 
considered independent under the regulation. Seven commenters believe 
that a league audit is considerably cheaper than an audit by an 
accounting firm and if the state league was prohibited from doing the 
audit it would result in increased costs to credit unions. Some 
commenters also believe this definition should not be construed to mean 
that only CPAs could perform audits for credit unions. Several 
commenters recommend deleting the following sentence from the 
definition: ``Auditors must be independent in fact and in appearance.''
    NCUA has revised the definition for ``independence'' to exclude the 
following: ``without bias with respect to the credit union'' and 
``Auditors must be independent in fact and in appearance.'' Further, it 
is not the Board's intent to exclude league auditing services from 
performing supervisory committee audits or to require such services to 
use report terminology reserved by state laws specifically for CPAs. 
The Board is persuaded, however, that to be considered independent, 
league auditors must be independently managed. League auditors will not 
be considered independent in providing supervisory committee audits for 
a credit union if the credit union to be audited has an executive/
employee on the affiliated league board who influences board decisions 
relative to the league auditing service. League auditors would be 
considered independent if the executive/employee on the affiliated 
league board recuses himself from all discussions, decisions, or 
actions directly or indirectly related to the league auditing service/
department/function and/or meeting any requirements of this section. 
Additionally, the recusal must be documented in the written board 
minutes. Another alternative would be for reciprocity of league 
auditing services between leagues and credit unions subject to this 
restrictive interpretation. A third alternative would be for the league 
auditing service to periodically obtain a peer review from another 
league auditing service, similar to current practice for AICPA-
affiliated, CPA firms in public practice. Such a peer review would 
provide a reasonably independent quality review of the league auditing 
service's compliance with required auditing standards in the 
performance, documentation, and reporting of auditing services provided 
to federally-insured credit unions. The written peer review report 
would be available to NCUA, upon request, in conjunction with the 
examination of a particular credit union's supervisory committee audit 
and verification.
    The proposal defined ``internal controls'' in part as the process, 
established by the credit union's board of directors, officers and 
employees designed to provide reasonable assurance of reliable 
financial reporting and safeguarding of assets against unauthorized 
acquisition, use or disposition. Furthermore, this definition stated 
that a credit union's internal control structure consists of five 
components: control environment; risk assessment; control activities; 
information and communication; and monitoring. One commenter states 
that this definition could result in a decrease in testing of internal 
control structures.
    The supervisory committee's responsibilities with regard to 
internal controls is clearly set forth in Sec. 701.12(b)(2)(i) and 
(c)(2). The compensated auditor's further responsibility with regard to 
internal controls is set forth in Sec. 701.12(c). The proposed and 
final regulation does not decrease the amount of testing of internal 
control structures than is required in the existing regulation, nor 
does it drastically expand required testing. The Board intends that the 
supervisory committee attain an understanding of the internal control 
structure; assess the level of control risk; and based thereon, 
determine the nature, timing, and extent of substantive testing 
necessary to comply with the

[[Page 41317]]

minimum supervisory audit scope. The materiality level the supervisory 
committee chooses to govern scope and testing must encompass reasonable 
tests of the internal control structure commensurate with the size and 
complexity of the credit union under audit. Choosing a materiality 
level which results in no reasonable testing of internal controls would 
not be acceptable. Expanding audit scope to achieve a complete audit of 
the credit union's system of internal controls (commenter terms this 
``full compliance audit'') is not intended. The Board is simply seeking 
the extent of internal control testing which is normal in the audit of 
financial statements. The distinction would be clear to accounting/
auditing professionals; it may be less so to supervisory committee 
member volunteers.
    The proposal defined ``related party transactions'' as transactions 
among or between parties where one party controls or can significantly 
influence the management or operating policies of the other so as to 
prevent the other party from pursuing exclusively its own interests. 
The proposals provided the following examples of related parties: 
credit union members and their families, and credit union officials and 
their families. The proposal also stated that examples of ``related 
party transactions'' include: interest-free loans or loans at below 
market rates; sale of real estate significantly below appraised value; 
nonmonetary exchange of property; and making of loans lacking scheduled 
terms for repayment. Three commenters believe the definition of 
``related party transactions'' should include examples of related 
parties similar to those used in the preamble rather than those 
provided in the proposed definition. Two commenters believe that the 
examples of related parties in the definition is vague and obscures the 
meaning of the term.
    The definition of related parties has been changed to eliminate 
credit union members and their families and to add examples of related 
parties to include: executive management, board members, supervisory 
committee members, credit committee members, employees and their 
families.
    The proposal defined ``supervisory committee audit'' in part as an 
examination of the credit union's financial statement in accordance 
with applicable GAAS, which is performed by the supervisory committee 
or its designated representative as required by the regulation. 
Furthermore, the last sentence of the definition stated that an opinion 
audit as defined by this regulation satisfies the definition of 
``supervisory committee audit.'' One commenter states that the 
supervisory committee responsibilities need to be specifically defined, 
as well as any sanctions or penalties, if any, that may be assessed and 
how they will be determined. One commenter states that the last 
sentence of this proposed definition should be eliminated. One 
commenter states that this definition implies that a supervisory 
committee audit must be undertaken by a certified public accountant. 
This commenter suggests NCUA use ``supervisory committee review'' 
instead of ``supervisory committee audit'' to clarify this issue.
    The Board changed the definition of ``supervisory committee audit'' 
to drop the ``applicable GAAS'' reference, consistent with the addition 
of paragraph (c)(2) detailing five specific standards which must be met 
in the conduct of the supervisory committee audit. We continue to 
include the last sentence in the definition but have revised it to 
indicate that an opinion audit is one of several ways to satisfy the 
requirements of the regulation. It is a misinterpretation of the 
proposed regulation to conclude that a supervisory committee audit must 
be undertaken by a certified public accountant. The Board continues to 
use the term ``supervisory committee audit'' because this is how the 
function is identified in the Federal Credit Union Act. The Board is 
satisfied that the final regulation clearly defines the supervisory 
committee responsibilities, short of providing a written audit program. 
Available sanctions and penalties are those that are normally available 
to NCUA in dealing with regulatory non-compliance as granted throughout 
the Federal Credit Union Act and administered through the NCUA's 
Regulations.
    The proposal defined ``working papers'' in part as the principal 
record, in any form, of the work performed by the auditor and/or 
supervisory committee to support its findings and/or conclusions 
concerning significant matters. The definition provided the following 
examples of documents that meet this definition: the written record of 
procedures applied, tests performed, information obtained, and 
pertinent conclusions reached in the engagement, audit programs, 
analyses, memoranda, letters of confirmation and representation, 
abstracts of credit union documents, reviewer's notes, if retained, and 
schedules or commentaries prepared or obtained by the independent, 
compensated auditor. One commenter specifically supports this 
definition. Several commenters believe that although they agree with 
the ``working papers'' definition, they do not agree that all of the 
examples of working papers cited therein meet the definition. They 
believe that all of the auditors' memoranda, personal notes, and 
commentaries do not make up the principal record of the work performed. 
They suggest references to these items be eliminated from the list of 
examples provided in the definition of working papers. One commenter 
believes the definition is so extensive that it may discourage the 
compilation of notes and other internal memoranda, to the detriment of 
the credit union having a thorough audit.
    The Board believes that, in the past, accounting/auditing 
professionals have afforded themselves broad license in determining 
what they will provide to NCUA staff in the way of working papers. This 
situation has resulted through a wide interpretation, by some 
compensated auditors, of what constitutes ``proprietary information.'' 
The Board is persuaded that such discretion needs to be limited. NCUA 
staff needs access to a complete set of working papers. The Board 
believes much of what compensated auditors have held back as 
``proprietary'' is integral to NCUA staff in assessing if the audit 
meets regulatory requirements. Requiring full access to existing 
working papers should in no way discourage the compilation of notes and 
other internal memoranda, to the detriment of the credit union having a 
thorough audit. The standards requiring working paper documentation is 
not changed, lessened or strengthened by this final regulation which is 
simply seeking full disclosure to NCUA staff of existing working paper 
information. Photocopies are not required.

D. Expanded Audit Scope

    The proposed amendments expanded the required audit scope when a 
supervisory committee employs the services of a compensated auditor. 
The Board proposed the changes to address practical enforcement 
problems in the existing regulation, some of which have arisen through 
the examination process as a matter of course and others of which have 
arisen in litigation and in negotiating settlements. Additionally the 
changes were intended to eliminate vagueness regarding the required 
audit scope as well as improving supervisory committee audits. The 
vagueness of audit scope has been the subject of complaints from both 
credit unions and examiners.
    The Board proposed that the supervisory committee audit shall be 
made by the supervisory committee or

[[Page 41318]]

its designated representative using applicable GAAS. Furthermore, the 
Board proposed that for the compensated auditor, audit testing of the 
following areas must satisfy applicable GAAS for expressing an opinion 
on the financial statements taken as a whole: internal controls, cash, 
loans and interest thereon, shares and dividends and/or interest 
thereon, related party transactions, and the detection and reporting of 
errors and irregularities with regard to each of these areas.
    Three commenters specifically support the new audit scope. Two 
commenters believe the clarification eliminates any possible confusion 
regarding the overall requirements of the audit. One commenter 
recommends that this section be revised to state that the supervisory 
committee shall determine whether the established internal controls are 
sufficient to identify/detect material errors and fraud. The Board does 
not believe it is necessary to revise this section to include the 
suggested language because the responsibilities of the supervisory 
committee with regard to ``internal controls'' and ``error, 
carelessness, conflict of interest, self-dealing and fraud errors and 
irregularities'' are already set forth.
    Seventeen commenters believe a compensated auditor should follow 
GAAS. Two of these commenters believe credit union auditors should be 
held to the same high standards as auditors in other industries. One of 
these commenters stated that GAAS is the acceptable standard for all 
audits. One of these commenters believes that a compensated auditor 
should be required to follow GAAS but it should not be required by 
regulation. One supporting commenter believes that this amendment will 
have numerous unintended consequences, one of which will result in 
requiring any audit performed by a CPA to be an opinion audit. This 
commenter also believes the proposal could harm small credit unions by 
having them seek less qualified individuals.
    As addressed above, the Board does not wish to require an opinion 
audit for credit unions. To require compensated auditors to meet GAAS 
in scope of work, audit testing and reporting would be to require an 
opinion audit by a licensed, independent certified public accountant. 
The Board believes adopting the five specific standards set forth in 
the final regulation is preferable to the existing rule's reference to 
``professional auditing procedures and standards''; the former is 
specific while still allowing for reasonable judgment, the later is too 
vague. And while the expanded audit scope may slightly increase costs 
to some credit unions, the Board believes this burden is reasonable and 
necessary in light of the substandard audits NCUA found in some credit 
unions.
    Twenty commenters believe compensated auditors should not be 
required to follow GAAS. One of these commenters believes that it 
appears to have the practical effect of requiring the performance of an 
opinion audit, except the actual issuance of an opinion, whenever an 
outside auditor is used. Six of the commenters believe such a 
requirement will increase credit union costs. Three commenters believe 
this requirement will hurt small credit unions. One commenter believes 
that the proposed GAAS requirements could result in small credit unions 
employing CPAs to perform the audit and could discourage members from 
volunteering to serve on the supervisory committee. In the final 
regulation, a standard far short of GAAS is being required. Five 
specific standards governing performance of the work are set forth in 
the final regulation. Financial statements are not necessary, an 
opinion or attestation is not required, negative assurance is not 
sought, and GAAS reporting standards do not have to be met, paragraph 
(c)(4). Only compensated auditors are being held to GAAS-level scope 
and testing (not reporting), and then, only in selected risk areas. We 
continue to believe that the increased burden estimates were based on a 
misunderstanding of proposed regulatory requirements.
    One commenter states requiring non-CPA auditors to meet CPA 
standards is tantamount to requiring CPA audits. Another commenter 
states that league auditors are not allowed by AICPA rules to use the 
terms GAAS and GAAP in their audit reports. Furthermore, the commenter 
states that if these terms are required it will mean that only CPAs 
could audit credit unions which would prohibit league audits as well as 
increase credit union costs. The proposed and final regulations do not 
require non-CPAs to use GAAS and GAAP references or language in 
supervisory committee audit reports. In the proposed regulation the 
definition of ``applicable GAAS'' excluded the ``standards of 
reporting.'' The final regulation continues to exclude these reporting 
standards. The relevant standards governing performance of work have 
been more specifically identified in the final regulation in paragraph 
(c)(2).
    One commenter believes that NCUA should determine what additional 
procedures should be performed, if any, on a credit union by credit 
union basis, rather than requiring all compensated auditors to complete 
an expanded scope. Another commenter also states that NCUA should not 
require expanded scope for all credit unions. It is not practical for 
NCUA to determine what additional procedures should be performed, if 
any, on a credit union by credit union basis, thus this alternative of 
requiring the supervisory committee or its designated representative to 
attain an understanding of the internal control environment, assess 
control risk, and based thereon, determine the extent of substantive 
testing necessary to meet the requirements of this section. The 
guidelines NCUA primarily will use in assessing the adequacy of the 
expanded scope under paragraph (c)(4) will be the AICPA's guide, 
``Audits of Credit Unions'', relevant chapters, subheading ``Audit 
Objectives and Procedures'' where discussions are provided on audit 
objectives, planning considerations, internal control structure, tests 
of controls, and substantive tests. The expanded scope in selected, 
identified areas for all credit unions that employ a compensated 
auditor should contribute to improved consistency and uniformity.
    One commenter believes the proposed amendments impose different and 
higher standards for supervisory committee audits conducted by 
compensated auditors than those performed by supervisory committees or 
uncompensated auditors. Two commenters believe the proposed amendment 
is an attempt to permit non-CPAs to perform the work of CPAs when 
auditing credit unions. Both commenters believe that this poses an 
increased risk of substandard audits which will fail in detecting 
serious accounting deficiencies and internal control weaknesses. 
Another commenter believes a non-licensed accountant attempting to 
comply with the regulation may be violating state accountancy law by 
performing duties which can only be performed by a licensed CPA. 
Another commenter does not believe it is realistic or feasible to 
require volunteer supervisory committee members to comply with a 
complex body of standards that require significant education and 
training to understand.
    While the Board appreciates the seemingly unfairness of imposing a 
different and higher standard for supervisory committee audits 
conducted by compensated auditors than for those performed by 
supervisory committees or uncompensated auditors, the Board must be 
realistic in

[[Page 41319]]

recognizing that imposing an expanded scope requirement for supervisory 
committee audits performed by layman would be to invite certain 
disappointment. NCUA will need to review supervisory committee audits 
for thoroughness and sufficiency, and recommend needed supplemental 
procedures and testing to enhance the effectiveness of the audit 
process. Furthermore, for those supervisory committees that continue to 
perform the audit and/or verification themselves, where the credit 
union's sophistication and complexity have grown beyond the 
capabilities of the resident supervisory committee and its staff, it 
will be incumbent upon NCUA to recognize the deficiencies in the audit 
which diminish the committee's usefulness in the oversight process 
assigned it under Sec. 701.12. NCUA has significant flexibility under 
Sec. 701.13 of NCUA's Regulations, through FIRREA, to call for the 
conduct of a second audit, one which will fulfill the intended 
objectives of this regulation. The requirement for a second audit would 
add burden since it must be performed by an independent public 
accountant.

E. Engagement Letter Requirement

    The Board proposed to require credit unions which employ 
compensated auditors to memorialize the terms and conditions of the 
engagement in a comprehensive engagement letter, which constitutes an 
enforceable contract between the compensated auditor and the 
supervisory committee. The proposal also set forth the minimum 
requirements of an audit engagement to be addressed in such a letter. 
The Board made this proposal to further reduce the confusion for 
required scope components that are excluded from the audit engagement. 
Thirty-eight commenters support this proposal. Fourteen of these 
commenters believe the requirements for an engagement letter should 
adequately protect the interests of the supervisory committee. Five 
commenters believe the engagement letter will formalize the 
expectations of the supervisory committee. Four commenters believe that 
this proposal would eliminate any misunderstandings between the 
supervisory committee and the auditing firm. One commenter supports the 
requirement to provide an appendix to the engagement letter specifying 
the procedures to be performed.
    Seven commenters believe it should be left to the discretion of the 
credit union to determine what specific details should be included in 
the engagement letter. Conversely, two commenters believe that NCUA 
should produce a form engagement letter in the final rule. In current 
practice, the engagement letter has been written primarily by the 
compensated auditor, for the compensated auditor. Many credit unions 
have signed the engagement letters thus drafted without a real 
knowledge or understanding of what specific details should be included. 
Through the engagement letter requirement, the Board hopes to help 
credit unions in its business dealings with the professional auditor. 
The regulation sets forth minimums; the credit union has full 
discretion to include other provisions.
    The compensated auditor has the option to exclude from his scope of 
work any areas for which he is uncomfortable/unwilling to perform the 
expanded audit scope, if such exclusion is agreeable to his credit 
union client. He is obligated then only to caution the supervisory 
committee in the engagement letter that the supervisory committee will 
remain obligated to perform or have performed this required but 
excluded work. As concerns areas excluded from the audit engagement, 
simple, general statements, such as is demonstrated in the current 
AICPA Guide, Audits of Credit Unions, illustrative engagement letter, 
with the added caution required in the rule, Sec. 701.12(d)(3)(i)(C), 
is the minimum NCUA is seeking. For example, ``The scope of this audit 
* * * does not include an evaluation of all areas that generally are of 
higher risk in the credit union industry, such as securities held or 
the collectibility of loans, the adequacy of collateral thereon, or the 
reasonableness of the allowance for loan losses,'' plus cautionary 
language required consistent with this section.
    Five commenters stated that the requirement in the proposal that 
the engagement letter specify a date of delivery of the written audit 
report is unrealistic. They believe that the auditor can not complete 
the audit if the required information is not available. One commenter 
believes this requirement puts undue pressure on the auditor. One of 
these commenters stated that we should not require an exact delivery 
date but rather a ``target'' delivery date. The Board agrees with this 
commenter. Delivery date has been changed to ``target date of 
delivery.'' The intent is to provide the auditor with flexibility in 
dealing with unforeseen events while providing NCUA with a target date 
for receiving the report.
    Nine commenters do not believe NCUA should require a formal 
engagement letter. One commenter believes that the requirement for an 
engagement letter will not adequately protect the interests of the 
supervisory committee. One commenter states this should not be a 
regulatory requirement since most credit unions already use an 
engagement letter. One commenter states that the use of an engagement 
letter is a management decision. One commenter believes the additional 
cost for this separate letter far outweighs the perceived benefit. Two 
commenters believe regulating the content of an engagement letter is 
unnecessary. One commenter states that the criteria and the matter to 
be included in the engagement letter as outlined by SAS 75 address 
questions concerning the conditions for engagement preference, the 
sufficiency of procedures, the nature, timing and extent of procedures 
and will address issues that may arise between the auditor and the 
supervisory committee.
    The NCUA Board believes the engagement letter requirement will 
protect the credit union, will compel communication concerning the 
audit engagement, and will provide all parties with an enforceable 
contract and a documented record of accountability which hopefully will 
preclude NCUA from brokering disputes between the credit union and the 
compensated auditor. Credit unions are free to include any additional 
criteria, conditions, terms in the engagement letter beyond those 
required (such as those additionally outlined in SAS No. 75); again, 
the regulation is suggesting the minimum requirements. The final 
amendment reflects engagement letter requirements, generally as 
proposed, with the addition of target date of delivery, and working 
paper retention requirements for 3 years from the date of the audit 
report.

F. Requirement for a Written Report of Internal Control Exceptions or 
Reportable Conditions and a Written Report of Irregularities or Illegal 
Acts

    The proposed amendments required written reports of any internal 
control exceptions or reportable conditions noted and of any 
irregularities or illegal acts noted. Eighteen commenters support the 
requirement to report on internal controls and possible illegalities. 
Ten commenters state that requiring these reports will not increase the 
cost of a supervisory audit. Two commenters, although supporting the 
requirement, believe it will increase credit union costs. Three 
commenters state that the information in the reports is already 
available in some form of report. We agree the information is already 
available as a result of performing the supervisory committee

[[Page 41320]]

audit, but current requirements do not mandate written communication.
    Thirty-seven commenters oppose this requirement. Twenty-six 
commenters state that requiring these reports will increase the cost of 
supervisory committee audits. Five commenters wondered why the auditor 
cannot simply report any such findings in their normal report to the 
supervisory committee instead of creating two new reports. This option 
is agreeable to NCUA; we are simply seeking such information be 
``reduced to writing.'' Three commenters believe that no report should 
be required if no internal control exceptions, reportable conditions or 
irregularities or illegal acts were noted. This is also agreeable to 
NCUA; we are not seeking negative assurance. One commenter states that 
auditors that find problems during the scope of their normal audit 
already comment on internal controls and fraud when appropriate in the 
audit report to the credit union. Not necessarily; CPAs are not 
required to communicate such matters in writing. One commenter states 
that one report should be able to handle both issues. The Board agrees 
and the final regulation reflects this.
    Two commenters believe this requirement will hurt smaller credit 
unions since they usually have weaker controls due to small staffs. 
This requirement was not added to ``hurt smaller credit unions,'' but 
often these are the very credit unions where efforts are needed to 
bolster internal controls. One commenter states that the requirement to 
have the compensated auditor report on internal control and fraud may 
not be valid for all credit unions. This commenter believes that credit 
unions having an internal audit function should be exempted from this 
requirement to avoid duplication of efforts and costs. The internal 
audit function could be the means by which the supervisory committee 
chooses to comply with this section.
    This was one of the most misunderstood proposed amendments to the 
regulation. NCUA is simply asserting that any instances of reportable 
conditions or errors and irregularities which are identified in the 
normal course of a supervisory committee audit, be reduced to writing. 
Currently, while such information must be reported, GAAS does not 
require this information to be in writing. Without written 
communication of these items, NCUA has limited assurance of gaining 
knowledge of the auditor's observations in these areas, unless the 
credit union provides notification voluntarily.
    NCUA does not expect or require any negative assurance; no report 
is required if internal control exceptions, reportable conditions or 
irregularities or illegal acts were not noted. In many supervisory 
committee audit reports prepared by compensated auditors other than 
CPAs under existing guidelines, such internal control and fraud 
problems/weaknesses uncovered during the scope of their normal audit 
are already commented upon, when appropriate, in the audit report to 
the credit union. This practice continues to meet regulatory 
requirements under the final regulation.
    NCUA has no preference whether the auditor prepares one report 
including this information, two reports or three; what matters is that 
the information is reduced to writing. NCUA does not expect supervisory 
committees to direct audit scope at discovering such problems. Nor is 
NCUA seeking a specific report on the control structure and any 
breaches of that structure or to specifically note the absence or 
presence of any irregular or illegal act; NCUA recognizes this would 
require a substantially different level of audit than heretofore has 
been required. The NCUA Board believes it is possible that those who 
argued ``burden to small credit unions'' in this reporting aspect 
misunderstood the intended reporting requirements in this instance, and 
mistakenly magnified cost estimates accordingly.

G. Clarification on Access to Original Working Papers

    The proposal clarified that NCUA has unconditional access to a 
complete set of original working papers including all the existing 
documentation relative to the audit. Such access would be either at the 
offices of the credit union or at a mutually acceptable location. 
Thirty-four commenters provide varying support for the clarification. 
Sixteen commenters believe that unconditional NCUA access to original 
working papers is not overly burdensome and intrusive. Six commenters 
do not believe unconditional access to working papers will cause an 
increase in administrative and other expenses. One commenter believes 
that such access to original working papers will assist NCUA in its 
exams and that the clarification makes good business sense. Five 
commenters state that it is important to maintain the confidentiality 
of the working papers. NCUA appreciates the auditor's concerns about 
maintaining the confidentiality of working papers and will cooperate 
reasonably with auditors to achieve this end.
    Two commenters believe this section should be clarified to provide 
that copies, certified copies or electronic formatted data are 
``originals'' for the purpose of this section. Relevant to the most 
recent audit completed and awaiting NCUA review, the Board rejects the 
notion that ``copies, certified copies or electronic formatted data are 
``originals'' for the purpose of this section.'' Subsequently, and for 
purposes of meeting the three year working papers retention 
expectation, accessible alternative electronic storage is acceptable. 
One commenter, although supporting the proposal, believes this proposal 
may increase credit union costs. NCUA does not believe this 
clarification to the existing regulation will increase the costs to 
credit unions. This requirement would simply be included in the 
engagement letter as a clarified condition of engagement.
    Three commenters state that the location for viewing the working 
papers must be flexible because the credit union may be located some 
distance from the office of the auditor. Two commenters believe that 
the location for NCUA access should include the external auditor's 
place of business. The ``mutually agreeable location'' alternative does 
provide for the external auditor's place of business. One commenter 
recommends that working papers should be made available only at the 
auditor's place of business for the NCUA to copy or review. This the 
Board finds too restrictive and continues to prefer ``or at a mutually 
agreeable location.'' One commenter requests that the final regulation 
clarify that the working papers be available, either at the auditor's 
or credit union's office with adequate notice and under the auditor's 
supervision. The proposal stated that working paper access could be at 
the offices of the credit union or at a mutually agreeable location. A 
``mutually agreeable location'' could be at the credit union, at the 
auditor's place of business, or other location agreeable to the 
auditor. NCUA staff will be instructed to be reasonable in their 
negotiation of ``mutually agreeable location.'' One commenter would 
also put in the regulation that such access would be at an agreed upon 
time and an agreed upon location. The Board believes this to be the 
normal business practice. This commenter also believes that notes could 
be made but not copies. Several other commenters state that copies of 
the working papers should not be permitted. The Board did not propose 
and will not incorporate in the final regulation any requirement for 
NCUA to photocopy the working papers.
    Twenty-seven commenters oppose the clarification on working papers. 
Twelve commenters stated that complete access to the original working 
papers is overly

[[Page 41321]]

burdensome and intrusive. Such access exists under the current 
regulation. Eight commenters believe unconditional access to working 
papers will cause an increase in administrative and other expenses. 
This should not be the case since: such access exists under the current 
regulation and such access will be a condition of engagement. Several 
commenters believe that the working papers are the property of the 
compensated auditor and not the credit union unless the papers are 
prepared by the supervisory committee. NCUA recognizes that the working 
papers prepared by a compensated auditor are the property of the 
compensated auditor. Several commenters were concerned with an examiner 
copying the working papers and then having the examiner retire and 
compete with the auditor using the auditor's program. Examiners are 
prohibited from copying audit programs for their personal use.
    One commenter believes that the supervisory committee should not be 
held accountable for making sure that an independent auditor makes his 
or her original working papers available to NCUA since that provision 
is already included in the engagement letter and, as a practical 
matter, there is not much the supervisory committee can do to enforce 
that provision beyond the confines of the engagement letter. NCUA 
disagrees; the supervisory committee can enforce its audit contract. 
Several commenters believe that original working papers are the 
property of the auditor. NCUA acknowledges this. One of these 
commenters states that while the auditor can and must agree to make 
those papers available, NCUA has no role in enforcing that requirement 
against an independent auditor over whom it has no regulatory powers. 
NCUA acknowledges that enforcement lies with the supervisory committee. 
One commenter states that the proposal puts the credit union in a ``no-
win'' situation. If the auditor fails to cooperate with the supervisory 
committee by not making the papers available, rejection of the audit is 
a possibility, which may result in additional expenses for a new audit 
or the NCUA may seek formal administration sanctions against the 
supervisory committee. This is true, but presently, without this 
provision, NCUA is ``brokering disputes'' between compensated auditors 
and supervisory committees. An enforceable contract should remove both 
NCUA and supervisory committees from the middle. With an enforceable 
contract, there will be a clearly defined line of responsibility and 
thus, a business pressure, if not the possibility of litigative 
pressure, for the honoring of contract terms. If a compensated auditor 
does not wish for NCUA to review his working papers, he should not 
agree to be engaged by a credit union.
    One commenter believes NCUA should specify a working paper 
retention policy to clarify how long the working papers must be 
available for review. The Board agrees that an auditor should not have 
to retain his/her working papers indefinitely. Therefore, the Board has 
amended the regulation to require retention of working papers by 
compensated auditors for a minimum of three years from the date of the 
written audit report. The audit working papers for the most recent 
audit would need to be retained in paper form; subsequently, 
alternative, accessible storage would be acceptable.

H. Enforcement Mechanism

    The Board proposed an enforcement mechanism to ensure compliance 
with this regulation by authorizing the regional director, as a first 
step toward enforcement, to reject as deficient the supervisory 
committee audit and the reports thereof. Two commenters support this 
proposal. One commenter encourages the NCUA Board to ensure that all 
regional offices use the same criteria for determining whether or not 
to accept a supervisory committee audit (whether or not performed by a 
compensated auditor). Two commenters oppose the proposal. One of these 
commenters believes that only state credit union supervisory agencies 
should initiate administrative sanctions against the supervisory 
committee of a state chartered credit union. Furthermore, this 
commenter notes that the proposed amendments bestow a great deal of 
discretionary authority upon regional directors and suggests the Board 
instruct regional directors not to reject audits which are flawed by 
minor technicalities.
    In the case of a federally-insured state chartered credit union, 
the Board believes it is appropriate for the state regulator to first 
attempt to resolve any problems concerning the supervisory committee 
audit. The Regional Director will take action after the state regulator 
has had a reasonable opportunity to reach a satisfactory result. The 
Board will instruct its regional offices on the proper criteria in 
determining whether to accept or reject a supervisory committee audit 
to minimize differences among the regions and provide more consistency. 
NCUA will not be rejecting supervisory committee audits for minor 
technicalities.

I. Effective Date

    Section 302 of the Riegle Community Development and Regulatory 
Improvement Act of 1994 requires the federal regulators of banks and 
savings associations to make all regulations that impose new 
requirements take effect on the first date of the calendar quarter 
following publication of the rule unless good reason exists for some 
other effective date. Although NCUA is not formally subject to this 
requirement, Letter to Credit Unions #158 stated that the requirements 
would be beneficial to credit unions and that NCUA planned to implement 
it whenever practicable. NCUA believes that delaying the effective date 
to December 31, 1996 is necessary so that credit unions and individuals 
conducting supervisory committee audits have sufficient time to 
understand the regulation and determine what type of audit will best 
serve their needs. Therefore, the regulation will be effective for 
audits conducted for, and covering, the audit period ending on December 
31, 1996, and thereafter.

J. Request for Comment on Whether Credit Unions Should Have an 
Ongoing Internal Audit Function

    The Board requested comment on whether it should mandate an 
internal audit function and, if so, whether such a requirement should 
be imposed on all or only some credit unions, and on what basis. 
Seventeen commenters support mandating an internal audit function. Ten 
commenters believe an audit function should be required based on some 
combination of asset size and complexity of operations. Two commenters 
believe it should be required for credit unions with assets in excess 
of $100 million. Another commenter believes it should be required for 
credit unions with assets over $150 million. Another commenter believes 
asset size should be the basis for requiring an internal audit 
function. One commenter believes the audit function should be based on 
complexity of operations and not asset size.
    Fifty-three commenters oppose requiring a credit union to have an 
ongoing internal audit function. Thirty-three commenters believe the 
decision to have an internal audit function should be made by credit 
union management. Four commenters believe that many credit unions can 
not afford an internal audit function. Two commenters believe the 
internal audit function is costly and that the internal auditor may not 
adequately scrutinize operations. Several commenters believe NCUA 
should not require but instead

[[Page 41322]]

encourage large and complex credit unions to have an internal audit 
function.
    Three commenters believe that both compensated auditors and 
internal auditors should be hired, report to and receive instructions 
from the supervisory committee. They believe any other line of 
reporting compromises the integrity of the communication. Sixteen 
commenters believe it is not always feasible or desirable for the 
auditor to report directly to the supervisory committee, especially if 
the credit union is relatively large. Most of these commenters believe 
that each credit union should decide to whom the auditor reports.
    The Board is not requiring an internal audit function at this time 
because it believes that the costs of mandating such a function for all 
credit unions outweighs the perceived benefit. The Board, however, 
continues to encourage credit unions to have an ongoing internal audit 
function if management believes it would be helpful as well as 
economically prudent. The Board also believes it is important to 
minimize possible conflicts of interest when determining to whom the 
internal auditor reports. Management should carefully consider whether 
it is feasible for their credit union to have the compensated or 
internal auditor report to the supervisory committee.

K. Relevance of SAS No. 75 to CPAs and Its Impact on Supervisory 
Committee Audits

    Effective May 1, 1996, the AICPA adopted SAS No. 75 which provides 
in pertinent part:
    b. The accountant and the specified users agree upon the procedures 
performed or to be performed by the accountant.
    c. The specified users take responsibility for the sufficiency of 
the agreed-upon procedures for their purposes. (emphasis added)
    In essence, SAS No. 75 requires the CPA to identify the ``specified 
users'' of a ``report on agreed-upon procedures'' and, in advance of 
such an engagement, to obtain an acknowledgment from all identified 
specified users that the procedures the auditor will perform are 
sufficient to satisfy the ``specified user's'' needs. There is no doubt 
that a credit union's supervisory committee and its board of directors 
are ``specified users'' because they will rely on the auditor's report. 
However, some may contend that, in addition, NCUA itself is a 
``specified user'' of each credit union's supervisory committee audit 
report. This would put NCUA in the position of having to agree with the 
CPA and each credit union as to the agreed-upon procedures the CPA will 
use to ensure that each credit union's audit satisfies the requirements 
of Sec. 701.12.
    To expect NCUA to acknowledge the sufficiency of a set of 
procedures in meeting this part prior to the credit union's engagement 
of a CPA is both infeasible and would shift the responsibility for the 
supervisory audit from the credit union's supervisory committee to 
NCUA. The supervisory committee or its designated representative, not 
NCUA, is uniquely able to ``attain an understanding of the internal 
control environment, assess control risk, and based on the control 
risk, determine the substantive testing (nature, extent, and timing) 
necessary'' to comply with this section.
    Many credit union supervisory committees hire a compensated auditor 
because they do not have the expertise necessary to perform the 
supervisory committee audit. Supervisory committees consisting 
primarily of volunteers cannot be expected to acknowledge the 
sufficiency of a set of agreed-upon procedures developed by accounting 
professionals. In such cases, the supervisory committee would naturally 
rely upon the assistance of a CPA to attain an understanding of the 
internal control environment, assess control risk, and based on the 
control risk, determine the substantive testing that is necessary.
    Since 1985, NCUA's objective has been to place with the credit 
union and its supervisory committee the responsibility for sufficiency 
of audit procedures and testing. This approach was enunciated in the 
preamble to the 1985 rule, as follows:
    The supervisory committee must carry out its duties in a manner 
responsive to each credit union's circumstances, i.e., the supervisory 
committee must use good judgment in determining the scope, the 
frequency, and the detail of the committee's activities. (Deregulation 
efforts recognized that) * * * a credit union's audits and reviews must 
reflect each credit union's business activities and financial and 
operating condition. The committee's work requires judgment of each 
credit union's needs based on an analysis of each institution's 
strengths and weaknesses * * * Since the committee is responsible for 
the audit, it should determine the scope of the work to be performed. 
The scope of the work should be varied based on the nature of risk and 
exposure for each transaction or account being audited within each 
federal credit union. [50 CFR 8710, March 5, 1985] (emphasis added).
    NCUA's approach is consistent with the approach of the auditing 
profession today. In fact, SAS No. 75 is premised upon this same line 
of reasoning, shifting this burden away from the independent accountant 
to the specified user.
    The issue created by AICPA's adoption of SAS No. 75 exists under 
both the current, and this revised supervisory committee audit 
regulation. Some compensated auditors suggest that SAS No. 75 limits 
them to performing only opinion audits for credit unions. To the extent 
that this claim is true, both the cause and the remedy for this 
limitation resides with the accounting profession.
    The NCUA Board continues to welcome the CPA practitioner in the 
performance of supervisory committee audits as one of several favorable 
options for credit union supervisory committees. It is the NCUA Board's 
intent to allow credit unions a full range of options in whom they may 
contract with to have their audit work performed. NCUA will continue to 
work with the AICPA toward a practicable solution to this question to 
enable CPA practitioners to perform non-opinion, supervisory committee 
audits.

L. Comments Received on Regulatory Procedures

Regulatory Flexibility Act

    The NCUA Board has certified that small credit unions (less than $1 
million in assets) will not see a significant impact because of this 
proposal. Fourteen commenters believe that NCUA's assessment of the 
monetary costs of these changes is wrong. Two of these commenters 
believe it will effect credit unions under $50 million in assets by 
doubling the cost of the supervisory committee audit. Another commenter 
states it will substantially increase the cost for small credit unions. 
NCUA believes these burden estimates are based on a misunderstanding of 
the proposed requirements as discussed above, especially in the areas 
of scope of work and reporting.
    In the final analysis, a cost of doing business as a credit union 
or any other financial institution is the conduct of an audit to ensure 
member confidence. The audit must be performed by persons with audit 
skills commensurate with the complexities of the credit union. For 
credit unions under $1 million who are already hiring a compensated 
auditor to perform the supervisory committee audit, NCUA believes the 
engagement letter requirement, the expanded scope requirement, and 
``reducing to writing'' identified reportable conditions/errors

[[Page 41323]]

or irregularities may minimally increase costs. It is a normal business 
practice for compensated auditors to obligate audit clients to sign 
engagement letters and many of the affected credit unions are already 
doing so. Merely ``reducing to writing'' identified and known 
reportable conditions and/or errors and irregularities cannot be 
significantly burdensome. The expanded scope requirements then require 
examination.
    Cost can be controlled or reduced by the credit union establishing 
or strengthening its system of sound internal controls which serve to 
contain control risk. Favorable control risk can mean the reduced 
necessity for extensive substantive testing, thus, lower audit costs. 
We estimate that approximately 64% of the credit unions under $1 
million have supervisory committee audits which are performed by the 
supervisory committee itself (not affected); receive opinion audits 
(already meet expanded scope); or engage outside auditors who do not 
meet the definition of ``compensated auditor'' (not affected). Thus, 
few, if any, of these estimated credit unions will be significantly 
affected by the expanded scope requirements of this section.

Paperwork Reduction Act

    In the proposal the NCUA Board estimated that for most credit 
unions the additional paperwork will require only one to three hours a 
year of additional time. One commenter asks if NCUA has determined the 
extra time needed for auditors to complete the additional reports 
required by the proposed regulation. Another commenter believes the 
paperwork requirements are much higher than stated in the proposal.
    The additional paperwork burden to the credit union is only 
relevant to credit unions hiring compensated auditors and lies 
primarily in the engagement letter requirement and in ``reducing to 
writing'' reportable conditions and/or errors and irregularities, if 
any, NCUA did not include paperwork burden as to the compensated 
auditor, simply additional paperwork burden as to the credit union. 
NCUA continues to believe the paperwork burden to credit unions is in 
line with original estimates.

M. Miscellaneous

    One commenter requested that the final rule or its preamble 
explicitly state that this rule does not apply to corporate credit 
unions. Section 701.12 does not apply to corporate credit unions. One 
commenter believes that the proposal unfairly singles out those credit 
unions that are attempting to upgrade their operation by hiring an 
independent auditor to do the annual supervisory committee audit. NCUA 
encourages supervisory committes to avail themselves of the services of 
compensated auditors when it is advisable and feasible to do so; this 
regulation is in no way designed to discourage credit unions from doing 
so. The Board is persuaded in all but the exceptional case, supervisory 
committees will choose the auditor alternative which is best for its 
credit union under the circumstances. Failing this, the Board is 
confident that the annual examination process will identify those 
credit unions in which evoking the FIRREA provisions of Sec. 701.13 
will become necessary.
    The Board is not issuing any changes to the current regulation 
regarding the independence and verification of members' accounts but 
they will be redesignated as Sec. 701.12(g) and (h), respectively. The 
Board is adopting in final the one proposed change to Sec. 701.13 to 
redesignate the current Sec. 701.12(e) as Sec. 701.12(h).

N. Regulatory Procedures

Regulatory Flexibility Act

    The Regulatory Flexibility Act requires NCUA to prepare an analysis 
to describe any significant economic impact a proposed regulation may 
have on a substantial number of small credit unions (primarily those 
under $1 million in assets). As noted above, NCUA determined in the 
proposed rule that there was no significant economic impact on small 
credit unions. Comments received are discussed above. Accordingly, the 
NCUA Board determines and certifies that this final amendment does not 
have a significant economic impact on a substantial number of small 
credit unions and that a Regulatory Flexibility Analysis is not 
required.

Paperwork Reduction Act

    Comments received on paperwork collection requirements are 
discussed above. The information collection requirements in the final 
rule have been submitted to the Office of Management and Budget. The 
control number assigned for this rule is 3133-0059, approved for use 
through April 30, 1997.

Executive Order 12612

    Executive Order 12612 requires NCUA to consider the effect of its 
actions on state interests. The final amendments will not have a 
substantial direct effect on the states, on the relationship between 
the national government and the states, or on the distribution of 
rights and responsibilities among the various levels of government.

List of Subjects in 12 CFR Part 701

    Credit unions, Reporting and recordkeeping requirements.

    By the National Credit Union Administration Board on July 24, 
1996.
Becky Baker,
Secretary of the Board.

    Accordingly, NCUA amends 12 CFR part 701 as follows:

PART 701--ORGANIZATION AND OPERATIONS OF FEDERAL CREDIT UNIONS

    1. The authority citation for Part 701 continues to read as 
follows:

    Authority: 12 U.S.C. 1752(5), 1755, 1756, 1757, 1759, 1761a, 
1761b, 1766, 1767, 1782, 1784, 1787, 1789, 1798 and Public Law 101-
73. Section 701.6 is also authorized by 31 U.S.C. 3717. Section 
701.31 is also authorized by 15 U.S.C. 1601, et seq., 42 U.S.C. 1981 
and 42 U.S.C. 3601-3610.

    2. Sec. 701.12 is amended by redesignating paragraphs (d) and (e) 
as paragraphs (g) and (h), by revising paragraphs (a) through (c), and 
by adding new paragraphs (d) through (f) to read as follows:


Sec. 701.12  Supervisory committee audits and verifications.

    (a) Definitions. As used in this chapter:
    (1) Agreed-upon procedures engagement refers to the performance by 
an independent, licensed certified public accountant of an engagement 
in which the scope is limited to applying specified agreed-upon 
procedures to one or more specified elements, accounts or items of a 
financial statement. Such procedures are insufficient to express an 
opinion regarding either the financial statements taken as a whole, or 
the specified elements, accounts or items under examination.
    (2) Compensated auditor refers to any accounting/auditing 
professional, excluding credit union employees, who is compensated for 
performing more than one compensated supervisory committee audit and/or 
verification of members' accounts, or opinion audit, per calendar year.
    (3) Financial statements refers to a presentation of financial 
data, including accompanying notes, derived from accounting records of 
the credit union, and intended to disclose a credit union's economic 
resources or obligations at a appoint in time, or the changes therein 
for a period of time, in conformity with GAAP or RAP, as

[[Page 41324]]

defined herein. Each of the following is considered to be a financial 
statement: a balance sheet or statement of financial condition; 
statement of income or statement of operations; statement of undivided 
earnings; statement of cash flows; statement of changes in members' 
equity; statement of assets and liabilities that does not include 
members' equity accounts; statement of revenue and expenses; and 
statement of cash receipts and disbursements.
    (4) GAAP is an acronym for ``generally accepted accounting 
principles'' which refers to the conventions, rules, and procedures 
which define accepted accounting practice. GAAP includes both broad 
general guidelines and detailed practices and procedures, provides a 
standard by which to measure financial statement presentations, and 
encompasses not only accounting principles and practices but also the 
methods of applying them.
    (5) GAAS is an acronym for ``generally accepted auditing 
standards'' which refers to the standards approved and adopted by the 
American Institute of Certified Public Accountants which apply when an 
``independent, licensed certified public accountant'' audits financial 
statements. Auditing standards differ from auditing procedures in that 
``procedures'' address acts to be performed, whereas ``standards'' 
measure the quality of the performance of those acts and the objectives 
to be achieved by use of the procedures undertaken. In addition, 
auditing standards address the auditor's professional qualifications as 
well as the judgment exercised in performing the audit and in preparing 
the report of the audit. Copies of GAAS may be obtained from the AICPA, 
Order Department, Harborside Financial Center, 201 Plaza Three, Jersey 
City, NJ 07311-3881, telephone (800) TO-AICPA or (800) 862-4272.
    (6) Independence and Independent means the impartiality necessary 
for the reliability of the compensated auditor's findings. Independence 
requires the exercise of fairness toward credit union officials, 
members, creditors and others who may rely upon the supervisory 
committee audit report.
    (7) Internal controls refers to the process, established by the 
credit union's board of directors, officers and employees, designed to 
provide reasonable assurance of reliable financial reporting and 
safeguarding of assets against unauthorized acquisition, use, or 
disposition. A credit union's internal control structure consists of 
five components: control environment; risk assessment; control 
activities; information and communication; and monitoring. Reliable 
financial reporting refers to preparation of financial statements that 
``present fairly'' the financial position of the credit union and 
results of its operations and its cash flows, in conformity with GAAP 
or RAP, as defined herein. Internal control over safeguarding of assets 
against unauthorized acquisition, use, or disposition refers to 
prevention or timely detection of transactions involving such 
unauthorized access, use, or disposition of assets which could result 
in a loss that is material to the financial statements.
    (8) Licensed, certified public accountant refers to an accounting/
auditing professional who has received a certificate and license from a 
duly-appointed state licensing authority to practice accounting/
auditing, and is independent as defined herein.
    (9) Opinion audit refers to an examination of the financial 
statements performed by an independent, licensed, certified public 
accountant in accordance with GAAS. The objective of an ``opinion 
audit'' is to express an opinion as to whether those financial 
statements of the credit union present fairly, in all material 
respects, the financial position and the results of its operations and 
its cash flows in conformity with GAAP or RAP, as defined herein.
    (10) RAP is an acronym for ``regulatory accounting practices'' 
which refer to the conventions, rules, and procedures governing 
accepted accounting practices, other than GAAP, for credit unions and 
having the substantial support of either the NCUA or the applicable 
state credit union supervisor.
    (11) Related party transactions refers to transactions among or 
between parties where one party controls or can significantly influence 
the management or operating policies of the other so as to prevent the 
other party from pursuing exclusively its own interests. Examples of 
related parties include: executive management, board members, 
supervisory committee members, credit committee members, and employees, 
and their families. Examples of ``related party transactions'' include: 
interest-free loans or loans at below market rates; sale of real estate 
significantly below appraised value; nonmonetary exchange of property; 
below market fees, and making of loans lacking scheduled terms for 
repayment.
    (12) Reportable conditions refers to a matter coming to the 
attention of the independent, compensated auditor which, in his or her 
judgment, represents a significant deficiency in the design or 
operation of the internal control structure of the credit union, which 
could adversely affect its ability to record, process, summarize, and 
report financial data consistent with the representations of management 
in the financial statements.
    (13) Specified elements, accounts or items of a financial statement 
refers to accounting information that is a part of, but significantly 
less than, a financial statement. These may be directly identified in a 
financial statement or notes thereto; or they may be derived from a 
financial statement by analysis, aggregation, summarization, or 
mathematical computation.
    (14) Substantive testing refers to testing of details and 
analytical procedures to detect material misstatements in the account 
balance, transaction class, and disclosure components of financial 
statements.
    (15) Supervisory committee refers to a supervisory committee as 
defined in Section 111(b) of the Federal Credit Union Act, 12 U.S.C. 
1786(r). For some federally-insured state chartered credit unions, the 
``audit committee'' designated by state statute or regulation is the 
equivalent of a supervisory committee.
    (16) Supervisory committee audit refers to an examination of 
specified elements, accounts or items of the credit union's financial 
statement to the full extent required in this part. An opinion audit as 
defined herein exceeds the requirements of a ``supervisory committee 
audit.''
    (17) Working papers refers to the principal record, in any form, of 
the work performed by the auditor and/or supervisory committee to 
support its findings and/or conclusions concerning significant matters. 
Examples include the written record of procedures applied, tests 
performed, information obtained, and pertinent conclusions reached in 
the engagement, proprietary audit programs, analyses, memoranda, 
letters of confirmation and representation, abstracts of credit union 
documents, reviewer's notes, if retained, and schedules or commentaries 
prepared or obtained by the independent, compensated auditor.
    (b) Supervisory committee responsibilities. (1) The supervisory 
committee is responsible for ensuring that:
    (i) The financial condition of the credit union is accurately and 
fairly presented in the credit union's financial statements; and
    (ii) The credit union's management practices and procedures are 
sufficient to safeguard members' assets.

[[Page 41325]]

    (2) To meet its responsibilities, the supervisory committee shall 
determine whether:
    (i) Internal controls are established and effectively maintained to 
achieve the credit union's financial reporting objectives which must be 
sufficient to satisfy the requirements of the supervisory committee 
audit, verification of members' accounts and its additional 
responsibilities;
    (ii) The credit union's accounting records and financial reports 
are promptly prepared and accurately reflect operations and results;
    (iii) The relevant plans, policies, and control procedures 
established by the board of directors are properly administered; and
    (iv) Policies and control procedures are sufficient to safeguard 
against error, carelessness, conflict of interest, self-dealing and 
fraud.
    (c) Supervisory committee audit. (1) A supervisory committee audit 
of each Federal credit union shall occur at least once every calendar 
year and shall cover the period elapsed since the last audit period. 
The supervisory committee audit shall be performed by the supervisory 
committee or its designated representative, as prescribed in paragraph 
(c)(5) of this section.
    (2) Standards for Performing Supervisory Committee Audit. The 
supervisory committee audit procedures/testing must be performed in 
accordance with the following standards:
    (i) The audit is to be performed by a person or persons having 
adequate technical training and proficiency as an auditor commensurate 
with the level of sophistication and complexity of the credit union 
under audit.
    (ii) Reasonable care is to be exercised in the performance of the 
audit and the preparation of the report.
    (iii) The work is to be adequately planned and assistants, if any, 
are to be properly supervised.
    (iv) The person or persons performing the audit must attain a 
sufficient understanding of the internal control structure to plan the 
audit and to determine the nature, timing, and extent of tests to be 
performed.
    (v) The person or persons performing the audit must, through 
inspection, observation, inquiry, and confirmation obtain sufficient 
evidence to afford a reasonable basis for the financial statement 
elements, accounts or items under audit.
    (3) Scope of Supervisory Committee Audit. The scope of the 
supervisory committee audit shall consist of:
    (i) Attaining an understanding of the internal control structure;
    (ii) Assessing the level of control risk; and
    (iii) Based on the level of control risk, determining the nature, 
timing, and extent of substantive testing necessary to confirm the 
assertions made by management regarding each of assets, liabilities, 
equity, income, and expenses for the following attributes:
    (A) Existence or occurrence;
    (B) Completeness;
    (C) Valuation or allocation;
    (D) Rights and obligations; and
    (E) Presentation and disclosures.
    (4) In addition to scope requirements set forth in paragraph (c)(3) 
of this section, an audit performed by an independent, compensated 
auditor which includes any of the following areas must, with respect to 
audit scope but not with respect to reporting, satisfy GAAS for 
expressing an opinion on the financial statements taken as a whole:
    (i) Internal controls;
    (ii) Cash;
    (iii) Loans and interest thereon;
    (iv) Investments and interest thereon;
    (v) Shares and dividends and/or interest thereon;
    (vi) Related party transactions; and
    (vii) The reporting of identified errors and irregularities with 
regard to each of the items in paragraphs (c)(4) (i) through (vi) of 
this section.
    (5)(i) The requirements of the annual supervisory committee audit 
may be satisfied by one of the following:
    (A) An opinion audit of the credit union's financial statements 
performed by an independent, licensed, certified public accountant;
    (B) An ``agreed-upon procedures engagement'' performed by an 
independent, licensed, certified public accountant, which by itself or 
in combination with procedures performed by the supervisory committee, 
fulfills the required scope of the supervisory committee audit;
    (C) A supervisory committee audit performed by an independent, 
compensated auditor other than an independent, licensed, certified 
public accountant which by itself or in combination with procedures 
performed by the supervisory committee, fulfills the scope of a 
supervisory committee audit; or
    (D) A supervisory committee audit by the supervisory committee or 
its designated, uncompensated representative.
    (ii) In all cases, an independent, compensated auditor is required 
to contract directly with the supervisory committee for the audit 
engagement and to deliver its written reports directly to the 
supervisory committee.
    (iii) For a supervisory committee audit performed by the 
supervisory committee or its designated, uncompensated representative, 
the supervisory committee shall prepare a written report of the 
supervisory committee audit.
    (d) Engagement letter. (1) The engagement of an independent, 
compensated auditor to perform all or a portion of the scope of a 
supervisory committee audit shall be evidenced by an engagement letter. 
The engagement letter shall be signed by the compensated auditor and 
acknowledged therein by the supervisory committee prior to commencement 
of a supervisory committee audit. The engagement letter shall:
    (i) Specify the terms, conditions, and objectives of engagement;
    (ii) Identify the basis of accounting to be used, e.g., GAAP or 
RAP;
    (iii) Include an appendix setting forth the procedures to be 
performed (if not an opinion audit);
    (iv) Specify the rate of, or total, compensation to be paid for the 
audit;
    (v) Provided that the audit shall, upon completion of the 
engagement, deliver to the supervisory committee:
    (A) A written report of the supervisory committee audit; and
    (B) Notice in writing, either within the report or communicated 
separately, of any internal control reportable conditions and/or 
irregularities or illegal acts which come to the auditor's attention 
during the normal course of the audit (i.e., no additional duty is 
imposed nor additional written communications beyond (A) is required if 
none of these is noted);
    (vi) Specify a target date of delivery of the written reports;
    (vii) Certify that NCUA staff or its designated representative will 
be provided unconditional access to the complete set of original 
working papers either at the credit union or at a mutually agreeable 
location, for purposes of inspection; and
    (viii) Acknowledge that working papers shall be retained for a 
minimum of three years from the date of the written audit report.
    (2) In the case of a supervisory committee audit engagement which 
addresses all of the financial statement elements, accounts or items 
and attributes prescribed in paragraphs (c)(3) and (c)(4) of this 
section, the engagement letter shall certify that the contracted scope 
of the audit satisfies the requirements of a complete supervisory 
committee audit.
    (3) In the case of a supervisory committee audit engagement which 
excludes any financial statement elements, accounts or items and 
attributes prescribed in paragraphs (c)(3)

[[Page 41326]]

and (c)(4) of this section, the engagement letter shall:
    (i) Identify the elements, accounts or items and attributes 
excluded from the audit;
    (ii) State that, because of the exclusion(s), the resulting audit 
will not, by itself, fulfill the scope of a supervisory committee 
audit; and
    (iii) Caution that the supervisory committee will remain 
responsible for fulfilling the scope of a supervisory committee audit 
with respect to the excluded elements, accounts or items and 
attributes.
    (e) Audit reports and working paper access. (1) Upon completion or 
receipt of the written supervisory committee audit reports, the 
supervisory committee shall provide the reports to the board of 
directors. The supervisory committee shall ensure that the independent, 
compensated audit and its reports comply with the terms of the 
engagement letter prescribed in this section. The supervisory committee 
shall, upon request, provide to the National Credit Union 
Administration a copy of the written reports received from the auditor.
    (2) The supervisory committee shall be responsible for preparing 
and maintaining, or making available, a complete set of original 
working papers supporting each supervisory committee audit. The 
supervisory committee shall, upon request, provide NCUA staff 
unconditional access to such working papers either at the offices of 
the credit union or at a mutually agreeable location, for purposes of 
inspecting such working papers.
    (f) Sanctions. (1) Failure of a supervisory committee and/or its 
independent compensated auditor to comply with the requirements of this 
section, or the terms of an engagement letter required by this section, 
is grounds for:
    (i) The regional director to reject the supervisory committee 
audit;
    (ii) The regional director to impose the remedies available in 
Sec. 701.13, provided any of the conditions specified in Sec. 701.13 is 
present; and
    (iii) The NCUA to seek formal administrative sanctions against the 
supervisory committee and/or its independent, compensated auditor 
pursuant to section 206(r) of the Federal Credit Union Act, 12 U.S.C. 
1786(r).
    (2) In the case of a federally-insured state chartered credit 
union, NCUA shall provide the state regulator an opportunity to timely 
impose a remedy satisfactory to NCUA before seeking to impose a 
sanction permitted under (f)(1) of this section.
* * * * *


Sec. 701.13  [Amended]

    3. Section 701.13 is amended in paragraph (a)(2) by revising 
``Sec. 701.12(e)'' to read ``Sec. 701.12(h)''.
[FR Doc. 96-19511 Filed 8-7-96; 8:45 am]
BILLING CODE 7535-01-M