[Federal Register Volume 64, Number 145 (Thursday, July 29, 1999)]
[Rules and Regulations]
[Pages 41029-41040]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-19254]


=======================================================================
-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 701, 715 and 741


Supervisory Committee Audits and Verifications

AGENCY: National Credit Union Administration.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Credit Union Membership Access Act amended certain audit 
and financial reporting requirements of the Federal Credit Union Act. 
The National Credit Union Administration has received and reviewed 
public comments on its proposed rule implementing those amendments. As 
revised to reflect commenters' suggestions and to enhance clarity, the 
final rule specifies the minimum annual audit a credit union is 
required to obtain according to its charter type and asset size, the 
licensing authority required of persons performing certain audits, the 
auditing principles that apply to certain audits, and the accounting 
principles that must be followed in reports filed with the NCUA Board.

DATES: Effective January 1, 2000.

FOR FURTHER INFORMATION CONTACT: Karen Kelbly, Program Officer, Office 
of Examination and Insurance at (703) 518-6360, or Steven W. Widerman, 
Trial Attorney, Office of General Counsel, at (703) 518-6557, National 
Credit Union Administration Board, 1775 Duke Street, Alexandria, VA 
22314-3428.

SUPPLEMENTARY INFORMATION:

I. Background

A. Credit Union Membership Access Act

    Section 201(a) of the Credit Union Membership Access Act (CUMAA), 
Public Law 105-219, 112 Stat. 918 (1998), added two new subsections to 
section 202(a)(6) of the Federal Credit Union Act (FCUA), 12 U.S.C. 
1782(a)(6)(C) and (D). Subsection (C) addresses accounting principles, 
generally requiring credit unions having assets of $10 million or more 
to follow generally accepted accounting principles (GAAP) in all 
reports or statements filed with the NCUA Board.\1\ 12 U.S.C. 
1782(a)(6)(C). The NCUA Board, and State credit union supervisors under 
applicable statutes, are given the authority to require credit unions 
having less than $10 million in assets to follow GAAP. 12 U.S.C. 
1782(a)(6)(C)(iii).
---------------------------------------------------------------------------

    \1\ In lieu of GAAP, the NCUA Board may prescribe ``an 
accounting principle * * * that is no less stringent than [GAAP].'' 
12 U.S.C. 1782(a)(6)(c)(ii).
---------------------------------------------------------------------------

    Subsection (D) imposes audit requirements for large federally-
insured credit unions--those having assets of $500 million or more. A 
credit union at or above that level of assets, whether State-or 
Federally-chartered, is required to obtain an annual independent audit 
of its financial statements performed in accordance with generally 
accepted auditing standards (GAAS)--hereinafter referred to as a 
``financial statement audit.'' Furthermore, that audit must be 
performed by an independent certified public accountant or public 
accountant licensed to do so by the appropriate State or jurisdiction. 
12 U.S.C. 1782(a)(6)(D)(i). For a breakdown of State-licensing 
requirements for persons who perform audits, see proposed rule, 64 FR 
777n.2.
    A federally-chartered credit union having total assets of less than 
$500 million but more than $10 million is subject to only one 
requirement under subsection (D). If that credit union elects to obtain 
the financial statement audit required of a credit union having assets 
of $500 million or more, the audit must be performed consistent with 
the accountancy laws and licensing requirements of the appropriate 
State or jurisdiction. 12 U.S.C. 1782(a)(6)(D)(ii). The appropriate 
State or jurisdiction normally is the State in which the credit union 
is principally located.
    Subsection (D) imposes no minimum audit requirements at all on 
federally-chartered credit unions having total assets of less than $500 
million but more than $10 million that do not voluntarily elect to 
obtain a financial statement audit performed in accordance with GAAS 
(as credit unions having assets of $500 million or more must obtain 
under subsection (D)(i)). See Sec. 715.2(f) (GAAS definition). Only in 
the case of a financial statement audit performed in accordance with 
GAAS, whether by choice or by law, do State accountancy laws and 
licensing requirements apply.\2\ Subsection (D) is silent regarding 
audits of federally-chartered credit unions having assets of $10 
million or less, and Federally-insured State-chartered credit unions 
(FISCUs) having assets of less than $500 million.
---------------------------------------------------------------------------

    \2\ FCUA section 202(a)(6)(D)(ii), 12 U.S.C. 1782(a)(6)(D)(ii), 
provides: If a Federal credit union that is not required to conduct 
and audit under clause (i), and that has total assets of more than 
$10,000,000 conducts such an audit for any purpose, using an 
independent auditor who is compensated for his or her audit services 
with respect to that audit, the audit shall be performed consistent 
with the accountancy laws of the appropriate State or jurisdiction, 
including licensing requirements.'' (emphasis added.) ``Such an 
audit'' refers back to ``an audit under clause (i)'' of section 
1782(a)(6)(D). A clause (i) audit is a financial statement audit 
performed in accordance with GAAS. The clause (ii) requirement to 
follow State accountancy and licensing laws is triggered only when a 
credit union voluntarily chooses a financial statement audit.
---------------------------------------------------------------------------

    With respect to financial statement audits, the threshold set by 
subsection (D) at $500 million for requiring a financial statement 
audit puts federally-insured credit unions in parity with other 
federally-insured depository institutions. The institutions supervised 
by the Federal Deposit Insurance Corporation, the Office of Thrift 
Supervision, the Office of Comptroller of the Currency and the Federal 
Reserve Board are required to obtain a financial statement audit if 
they have assets of $500 million or more.\3\ 12 CFR 363. For 
institutions having assets of less than $500 million, the Federal 
Financial Institutions Examination Council (FFIEC) has proposed audit 
options similar to two of those which this final rule prescribes for 
credit unions. FFIEC, Policy Statement on External Auditing Programs of 
Banks and Savings Associations, 63 FR 7796 (Feb. 17, 1998) (FFIEC 
Policy Statement).
---------------------------------------------------------------------------

    \3\ The statute authorizing 12 CFR 363, originally established a 
$150 million asset floor for requiring a financial statement audit. 
12 U.S.C. 1831m(j)(2). However, the banking agencies exercised their 
statutory authority to increase the asset floor to $500 million, 
thereby exempting two-thirds of all institutions required under 
Sec. 1831m to obtain a financial statement audit. 12 CFR 363.1(a) 58 
FR 31332 (June 2, 1993).
---------------------------------------------------------------------------

B. Proposed Rule

    On January 6, 1999, NCUA published a Notice of Proposed Rule, 64 FR 
776 (Jan. 6, 1999), establishing new part 715 to implement the 
statutory minimum audit requirements imposed by

[[Page 41030]]

CUMAA, 12 U.S.C. 1782(a)(6) (C) and (D); to provide supervisory 
committee audit alternatives for credit unions which are not required 
to obtain a financial statement audit; and to retain in substance the 
current rules relating to Supervisory Committee audit responsibilities, 
verification of accounts, independence of outside auditors, the 
requirement of an engagement letter, audit report and workpaper 
maintenance and access, and sanctions and remedies for inadequate 
audits. Secs. 701.12 and 701.13. In addition, the proposed rule revised 
section 741.6 [financial and statistical and other reports] to change 
certain Call Report filing dates and to introduce the use of GAAP in 
Call Reports filed by credit unions having $10 million or more in 
assets. Finally, the proposed rule conformed the citations in section 
741.202 to apply part 715 to Federally-insured State-chartered credit 
unions. See 12 U.S.C. 1781(b)(9), 1789(a)(11) (authority for 
application to FISCUs).
    By the comment deadline of March 8, 1999, NCUA received thirty-one 
comments in response to the Notice of Proposed Rule. Comments were 
submitted by eleven Federal credit unions, seven credit union industry 
trade associations, seven certified public accounting or auditing 
firms, two auditing industry trade associations, two unlicensed credit 
union auditors, an association of state credit union supervisors, and 
one banking industry trade association.
    Except for the latter group, the comments generally support NCUA's 
interpretation of the statutory ``financial statement audit'' 
requirement and, in concept if not in detail, all three of the audit 
engagements proposed in the rule as alternatives to a financial 
statement audit--a balance sheet audit; a ``review and evaluation of 
internal controls over Call Reporting'' (renamed and redefined in the 
final rule); and an audit pursuant to NCUA's Supervisory Committee 
Guide.\4\ Predictably, licensed individuals opposed provisions of the 
rule allowing unlicensed persons a role in the credit union auditing 
process. Conversely, unlicensed individuals were grateful that NCUA 
preserved their role in the process. The comments are analyzed 
generally in section II. immediately below, except that comments of the 
internal auditing industry and banking industry trade associations are 
addressed separately in section II.I.
---------------------------------------------------------------------------

    \4\ NCUA anticipates issuing the revised Supervisory Committee 
Guide in late 1999.
---------------------------------------------------------------------------

II. Section-Within-Subject Analysis of Comments

A. Definitions

    Section 715.2 establishes definitions for the terms that are used 
in part 715, nearly all of which are virtually identical in form and 
substance to their predecessors in current Sec. 701.12(a). Several 
commenters suggested revisions to the proposed definitions as follows.
    ``Balance sheet audit.'' One commenter suggested that the ``balance 
sheet audit'' definition, Sec. 715.2(a), should prescribe GAAP as a 
basis of accounting for this engagement. The definition has been 
revised to provide that a credit union which obtains a ``balance sheet 
audit'' engagement shall use as a basis of accounting the same basis of 
accounting used in its Call Reports. Effectively, this means that 
credit unions which have $10 million or more in assets will be required 
to use GAAP as a basis of accounting for this engagement. See 
Sec. 741.6(b) (requiring credit unions having assets of $10 million or 
greater to follow GAAP in Call Reports).
    ``Compensated person.'' Two commenters objected to the definition 
of a ``compensated person,'' Sec. 715.2(b), because it expressly omits 
individuals or firms who are compensated to perform only one 
supervisory committee audit per year. The omission is intentionally 
designed to exempt from this rule persons who are not in the business 
of auditing credit unions, but who are modestly compensated by a single 
credit union to perform its annual supervisory committee audit. NCUA 
remains committed to ensuring that such one-time audit engagements do 
not trigger the requirements of this rule.
    ``Financial statement .'' One commenter strongly urged deleting the 
``statement of assets and liabilities that does not include members'' 
equity accounts'' from the definition of ``financial statement'' 
Sec. 715.2(c), because that statement is rarely used and is of little 
benefit to the financial statement reader. NCUA agrees and has amended 
the proposed definition accordingly.
    ``Independent person.'' Two commenters pointed out that the 
interchangeable use of the terms ``independent person'' and 
``independent auditor'' throughout the proposed rule was confusing. 
Thus, the final rule retains ``independent person'' and omits 
``independent auditor.'' Two commenters urged that the terms 
``independent'' and ``independence'' be redefined either to parallel 
the GAAS definition of ``independence'' as it applies to State-licensed 
persons, or to otherwise incorporate the GAAS definition to some 
extent.\5\ To define ``independence'' as GAAS does would have the 
unintended effect of limiting the auditing of Federal credit unions to 
State-licensed individuals. NCUA is committed to enabling both licensed 
and unlicensed persons to satisfy its ``independence'' definition, so 
that both may have a role in auditing credit unions. Regardless of 
NCUA's definition, licensed persons already would be required under 
State law to comply with GAAS independence rules. The proposed 
definition of ``independence,'' Sec. 715.2(g), is no less stringent 
than the GAAS definition, and may in certain circumstances be more 
stringent.
---------------------------------------------------------------------------

    \5\ See 1 AICPA, AICPA Professional Standards AUSec. 220.02 
(1997) (GAAS definition of ``independence'').
---------------------------------------------------------------------------

    ``Qualified person.'' Although not defined in the proposed rule, 
the term ``qualified person'' is used throughout as the minimum 
standard for persons who may perform certain audit engagements although 
they are not State-licensed. Four commenters suggested expressly 
defining a ``qualified person.'' NCUA declines to add such a definition 
because the proposed rule already identifies persons who would be 
qualified to perform an audit under the Supervisory Committee Guide, 
e.g., a certified public accountant, public accountant, league auditor, 
credit union auditor consultant, retired financial institutions 
examiner. Sec. 715.7(c). It is the responsibility of the Supervisory 
Committee to apply its judgment within given guidance to determine who 
is a ``qualified person.''
    ``Report on examination of internal control over Call Reporting.'' 
The proposed rule referred to this engagement as a ``review and 
evaluation of internal controls over Call Reporting.'' An auditing 
industry trade association suggested that the proper term of art for 
this engagement is an ``examination,'' not a ``review,'' and should be 
subject to attestation standards. NCUA agrees and has renamed this 
engagement a ``Report on the examination of internal control over Call 
Reporting'' and is redefining it consistent with attestation 
standards.\6\ Sec. 715.2(j). See discussion of Sec. 715.7(b) infra.
---------------------------------------------------------------------------

    \6\ In the final rule, 715.7(b) provides that a ``Report on 
examination of internal control over Call Reporting'' may be 
performed only by a ``State-licensed per.'' See discussion of 
Sec. 715.7(b) infra.
---------------------------------------------------------------------------

    ``State-licensed person.'' The proposed definition of ``State-
licensed person'' refers to a ``person who is licensed by the State or 
jurisdiction where the credit union is located . . . .''

[[Page 41031]]

Sec. 715.2(k). One commenter insists that this definition departs from 
CUMAA because it is not as specific or restrictive as the statute 
provides. In fact, the definition in the rule mirrors the language of 
CUMAA. Compare Sec. 715.2(k) and 12 U.S.C. 1786(a)(2)(D). Another 
commenter suggested replacing the word ``located'' with the word 
``headquartered'' to address instances where a credit union has 
multiple branches and overseas locations. This point is well taken. To 
eliminate confusion as to where a person must be licensed, NCUA is 
replacing the term ``located'' with the term'' principally located'' 
throughout the final rule. See, e.g., Secs. 715.4(b), 715.5(a), 
715.6(a) and (b), 715.7(a) and (b).
    ``Supervisory committee audit.'' One commenter objected that the 
last sentence of the proposed definition of a ``supervisory committee 
audit''--which had provided that a financial statement audit ``fulfills 
the requirements of a `supervisory committee audit' ''--is redundant 
and outside the scope of a definition. Sec. 715.2(m). This sentence has 
been eliminated in view of the fact that the point it makes is 
expressed elsewhere in the rule. See, e.g., Sec. 715.4(b).
    ``Working papers.'' NCUA staff determined that the phrase ``by the 
independent, compensated auditor'' at the end of the definition of 
``working papers,'' Sec. 715.2(n), unintentionally excluded 
uncompensated auditors from that definition. Therefore, that phrase has 
been eliminated.

B. Supervisory Committee Responsibilities

Section 715.3--General Responsibilities of the Supervisory Committee
    Under this section, a principal duty of the Supervisory Committee 
is to ``establish practices and procedures sufficient to safeguard 
members' assets'' against ``error, conflict of interest, self-dealing 
and fraud.'' Sec. 715.3(a) and (b)(4). The sole commenter addressing 
this section, who generally supported the rule, interpreted this 
language as improperly creating a duty to prevent acts which constitute 
error, conflict of interest, self-dealing and fraud. NCUA disagrees 
with that interpretation; the rule clearly mandates a duty to establish 
practices and procedures designed to ``safeguard members'' assets'' 
against such misconduct, but imposes no absolute liability on the board 
of directors or management to prevent such misconduct. Therefore, NCUA 
retains the original language of paragraph (a). Although there were no 
further substantive comments on this section, paragraph (b) is modified 
in form to improve clarify and parallelism.
Section 715.4--Audit Responsibility of the Supervisory Committee
    This section restates the Supervisory Committee's annual audit 
responsibility under 12 U.S.C. 1761d, Sec. 715.4(c); provides that a 
financial statement audit will always satisfy that responsibility, 
Sec. 715.4(b); and that other options to satisfy that responsibility 
are available to credit unions which do not choose to obtain a 
financial statement audit. Sec. 715.4(c). For the convenience of the 
reader, the minimum audit requirements according to charter type and 
asset size are summarized in a diagram preceding Sec. 715.5. NCUA 
received no comments directly addressing this section. To eliminate 
ambiguity in determining asset size, NCUA has added a sentence 
indicating that ``asset size is the amount of total assets reported in 
the Call Report for the year-end immediately preceding and outside of 
the period under audit.'' Sec. 715.4(c).

C. Minimum Audit Requirements

    The proposed rule was organized primarily according to asset size--
$500 million and above, less than $500 million but more than $10 
million, and $10 million or less--rather than by charter type. An 
association of state credit union supervisors urged reorganization of 
part 715 primarily by charter type, and then by asset size, so that 
audit requirements which apply to FISCUs are consolidated according to 
asset size in one section and those which apply to federally-chartered 
credit unions (FCUs) are consolidated according to asset size in a 
separate section. NCUA believes that the benefits of such a 
reorganization--namely, improved clarity and accessibility--outweigh 
the minimal duplication that results. Accordingly, in the final rule, 
Sec. 715.5 addresses audit requirements exclusive to federal charters, 
and Sec. 715.6 addresses audit requirements exclusive to State 
charters. The substance of the applicable audit requirements remains 
unchanged in both sections.
Section 715.5--Audit of Federal Credit Unions
    This section sets forth the minimum requirements for the audit of 
federal credit unions (FCUs) according to asset size. As CUMAA 
mandates, 12 U.S.C. 1782(a)(6)(D), an FCU having assets of $500 million 
or greater must obtain a financial statement audit. Sec. 715.5(a). For 
FCUs having less than $500 million in assets, Sec. 715.5(b) reflects 
NCUA's interpretation that CUMAA allows credit unions the choice of 
obtaining a financial statement audit under Sec. 715.6(a)--as credit 
unions having $500 million or more in assets must do--or one of three 
alternative audit engagements set forth in Sec. 715.7. See 12 U.S.C. 
1782(a)(6)(D)(ii). NCUA received eight comments expressly agreeing with 
NCUA's interpretation of CUMAA; four opposing the interpretation; and 
eighteen which did not comment on the matter. One supporter enclosed a 
legal opinion concurring with NCUA's interpretation. Another pronounced 
the rule clear and concise and the interpretation appropriate.
    The four commenters opposing NCUA's interpretation of CUMAA consist 
of licensed auditing professionals and an auditing industry trade 
association, all of whom favored an interpretation of CUMAA limiting 
auditing of credit unions above $10 million in assets exclusively to 
State-licensed individuals like themselves. In stark contrast, another 
commenter who is an unlicensed auditor insisted that, compared to 
current Sec. 701.12, the proposed rule is a concession to the auditing 
profession and is contrary to the best interests of the credit unions, 
even though it maximizes audit choice for credit unions.
    Consistent with its interpretation of CUMAA, NCUA stands by section 
715.5 as proposed, except to add a final paragraph (d) indicating that 
FCUs must meet applicable requirements elsewhere in part 715 regardless 
of which audit engagement they choose under Sec. 715.5. See 
Secs. 715.8, 715.9(b) through (e), 715.10.
Section 715.6--Audit of Federally-insured, State-chartered Credit 
Unions
    This section sets forth the minimum requirements for the audit of 
FISCUs according to asset size. As in the case of FCUs, CUMAA mandates 
that FISCUs having assets of $500 million or greater must obtain a 
financial statement audit. Sec. 715.6(a). For FISCUs having less than 
$500 million in assets, Sec. 715.6 gives FISCUs the choice of obtaining 
a financial statement audit per Sec. 715.6(a), or one of three 
alternative audit engagements set forth in Sec. 715.7. The rule 
provides, however, that if the State or jurisdiction in which the 
credit union is principally located prescribes an audit engagement 
which is more stringent than the alternative engagements offered in 
Sec. 715.7, the FISCU must comply with the State-mandated audit. 
Sec. 715.6(b).\7\ As in the

[[Page 41032]]

case of FCUs, a new subsection (c) has been added to indicate that 
FISCUs must meet applicable requirements elsewhere in part 715 
regardless of which engagement they choose under Sec. 715.6. See 
Secs. 715.8, 715.9(b) through (e), 715.10. NCUA received no comments on 
the predecessor provision to this section.
---------------------------------------------------------------------------

    \7\ NCUA does not define ``stringent'' except to suggest that it 
might involve enhanced audit scope and depth. ``Stringent'' is not 
defined in 12 U.S.C. 1782(a)(6)(C)(iii), which refers to an 
accounting principle that is ``no less stringent'' than GAAP.
    In comparison to NCUA's current supervisory committee audit 
rule, Sec. 701.12, State-prescribed audits for credit unions 
generally fall into three categories: (1) States which prescribe 
audits substantially similar to 12 U.S.C. 1761d and/or Sec. 701.12; 
(2) States which prescribe audits which differ in some respects from 
12 U.S.C. 1761d and/or Sec. 701.12, but which are not necessarily 
``more stringent,'' including four States which determine the type 
of audit by asset size, e.g., Mich. Comp. Laws Sec. 490.11(2); and 
(3) States in which a financial statement audit is prescribed for 
certain credit unions.
---------------------------------------------------------------------------

Section 715.7--Supervisory Committee Audit Alternatives To a Financial 
Statement Audit
    This section establishes alternative supervisory committee audit 
engagements for federally-insured credit unions that are not required 
by virtue of asset size to obtain a financial statement audit, and that 
otherwise do not voluntarily elect to obtain a financial statement 
audit.
    ``Opinion on the balance sheet.'' Like a financial statement audit, 
this engagement, also known as a ``balance sheet audit,'' must be 
performed in accordance with GAAS by a person who is licensed under 
State law to do so. Sec. 715.7(a). This engagement consists of an 
examination of assets, liabilities and equity and requires an opinion 
by the auditor on the fairness of the balance sheet only. Apart from 
the basis of accounting required, see Sec. 715.2(a), this option is 
identical to that of the same name proposed for other federally-insured 
financial institutions by the FFIEC. FFIEC Policy Statement, 63 F.R. at 
7797, 7800.
    Five commenters addressed the ``balance sheet audit'' option. One 
commenter fully supported the option. One characterized it as a step 
backwards due to insufficient testing of the internal control structure 
and less assurance than in current Sec. 701.12. Three commenters were 
cautious--one suggesting this engagement should incorporate 
supplemental analytic procedures, one criticizing the limited scope and 
limited assurance of this option, and one urging mandatory linkage to a 
basis of accounting consistent with GAAP. NCUA believes that these 
generally are matters of judgment which, to the extent possible, should 
be left to the supervisory committee. Thus, the ``opinion on the 
balance sheet'' is modified only to require the same basis of 
accounting as that which is reflected in the credit union's Call 
Reports. See discussion of Sec. 715.2(a) supra.
    ``Report on examination of internal control over Call Reporting.'' 
This engagement was originally proposed as a ``review and evaluation of 
internal controls over Call Reporting,'' consisting of an examination 
of management's written assertions concerning the effectiveness of 
internal controls over data reported in Call Reports (NCUA Form 5300) 
which addresses high risk areas. In this engagement, the auditor 
produces a report on the written assertions of management. See 
Sec. 715.2(j).
    Ten commenters addressed the originally proposed ``review and 
evaluation of internal controls over Call Reporting. One commenter 
fully supported this option as written; one commenter believed it would 
confuse credit unions and should be clarified; and a third opposed it 
outright. The latter commenter argued that this engagement is too 
limited, does not consider many areas of the financial structure, and 
does not identify problems that may exist with account balances. As a 
remedy, this commenter recommended that the ``review and evaluation'' 
be subject to attestation standards of the auditing profession--thus 
allowing only licensed individuals to perform this examination--and be 
increased in scope.
    Seven commenters supported this audit option in a revised form. 
Five argued that only external, licensed certified public accountants 
under the attestation standards of the profession should be allowed to 
perform this engagement. One of these commenters suggested that 
attestation standards demand use of the nomenclature ``examination,'' 
rather than ``review,'' as these terms have different ascribed meanings 
under auditing standards. This same commenter strongly recommended that 
the rule clearly define the scope and level of work for this 
engagement, specify the criteria for the evaluation of internal 
controls, and define a ``complex'' credit union. Another commenter 
argued that small credit unions lack sound internal controls and that 
this engagement will not be helpful to them. This commenter also 
contended that it would be difficult for credit union management to 
document its internal control assertions,\8\ and that the engagement 
would not yield a particularly reduced fee. This commenter joined two 
others in opposing the use of differing levels of expertise for 
performing this engagement--a ``State-licensed person'' if performed 
for a credit union defined as ``complex,'' but only a ``qualified 
person'' if not. NCUA found these comments generally persuasive and has 
revised the final rule as follows.
---------------------------------------------------------------------------

    \8\ In the case of a small credit union which lacks the 
expertise to develop management's written assertions and is unable 
to gain such expertise, this engagement would not be a viable 
alternative for fulfilling its supervisory committee audit 
responsibility.
---------------------------------------------------------------------------

    First, the final rule renames this engagement a ``report on the 
examination of internal control over Call Reporting'' and requires it 
to satisfy the attestation standards of the auditing profession. 
Sec. 715.7(b). Second, whereas the proposed rule was silent about the 
criteria on which the review of internal controls is based, the final 
rule assigns credit union management the responsibility of 
``specif[ying] the criteria on which it based its evaluation of 
internal controls.'' \9\
---------------------------------------------------------------------------

    \9\ For example, Internal Control--Integrated Framework 
published by the Committee of Sponsoring Organizations of the 
Treadway Commission identifies an entity's internal control as 
consisting of five components: control environment, risk assessment, 
control activities, information and communication, and monitoring.
---------------------------------------------------------------------------

    Third, whereas the proposed rule prescribed the ``high risk areas'' 
on which this engagement concentrates--loans, investments, and cash and 
deposit activity--the final rule gives management the responsibility of 
designating the areas it considers high risk. However, the NCUA Board 
still believes that high risk areas should most often include: lending 
activities, investing activities, and cash-handling and deposit-taking 
activities.
    Finally, the final rule abandons the proposed two-tier approach to 
the expertise required to perform this engagement, in favor of a 
single, higher level of expertise. The final rule now provides that 
only State-licensed persons under attestation standards of the auditing 
profession may perform a ``report and examination of internal control 
over Call Reporting'' regardless whether the credit union is defined as 
``complex'' for prompt corrective action purposes. See CUMAA 
Sec. 301(d)(2)(B) and (e)(2) (requirement to adopt definition of 
``complex'' credit union).
    As modified in the final rule, the ``report on examination of 
internal control over Call Reporting'' is comparable to the FFIEC-
proposed option of an ``attestation report on

[[Page 41033]]

internal control assertions.'' 63 FR at 7797, 7800.
    ``Supervisory Committee Guide audit.'' This engagement follows an 
audit program prescribed in NCUA's Supervisory Committee Guide (Guide), 
as revised to conform to part 715, and is similar to a ``Directors' 
Examination'' used by some Federally-insured banks. The Guide 
engagement is the only audit alternative under the final rule that can 
be performed either by a ``State-licensed person'' or by a ``qualified 
person'' who is not licensed. As revised, the Guide will provide 
guidance regarding the minimum scope and procedures of the engagement, 
and clearly distinguish a Guide engagement from a financial statement 
audit engagement.
    Eleven comments addressed the Guide option. Two advocated limiting 
performance of the Guide engagement to ``State-licensed persons.'' The 
NCUA Board disagrees because this is directly contrary to the objective 
of providing a supervisory committee audit option that can be performed 
by individuals who are not ``State-licensed.'' The Guide engagement 
accomplishes this objective.
    Five of the commenters asked that NCUA issue the proposed Guide for 
public comment before finalizing it. Because it is likely that the 
Guide will be revised periodically, NCUA has decided to issue the Guide 
as a manual rather than as a rule. As such, the Guide will not be 
issued for public comment. Three commenters strongly encouraged NCUA to 
write the Guide so that it conforms to auditing standards governing an 
``agreed-upon procedures'' engagement, thereby permitting ``State-
licensed persons'' to perform this engagement. To achieve this 
objective in revising the Guide, and in lieu of soliciting public 
comment, NCUA is seeking the assistance of the Credit Unions Committee 
of the American Institute of Certified Public Accountants in 
identifying appropriate minimum procedures to append to the Guide.
    A commenter suggested that the Guide audit be available only to 
credit unions under $50 million in assets, and another encouraged NCUA 
to tailor the Guide audit program according to asset size. NCUA 
declines both suggestions. Although NCUA prefers to make the Guide 
audit universally available to all credit unions regardless of asset 
size, experience indicates that it is the option most often chosen by 
credit unions which are relatively small in asset size. NCUA also 
prefers to offer a uniform audit program regardless of asset size. NCUA 
believes that an audit program which varies by asset size is unworkable 
and would substitute the regulator's judgment for that which is 
properly reserved to the supervisory committee.
    Choice among audit options. One commenter suggested that the final 
rule should provide guidance as to which audit option is appropriate 
for a credit union which is not required to obtain a financial 
statement audit--a voluntary-chosen ``financial statement audit,'' a 
``balance sheet audit,'' a ``report on examination of internal controls 
over Call Reporting,'' or a ``Supervisory Committee Guide audit.'' The 
NCUA Board declines to provide such guidance, believing instead that it 
is the supervisory committee's responsibility to obtain the highest 
level of supervisory committee audit service that is consistent with 
the credit union's size, the nature and scope of its activities, and 
any compensating internal controls. Cost of service alone should not be 
the deciding factor in this decision. Cost should be one among many 
factors the supervisory committee thoughtfully considers when weighing 
the purpose and benefit of each audit alternative. A supervisory 
committee which is unfamiliar with distinctions among the different 
types of audits should seek the advice of an independent accountant in 
choosing among them.
    December 1998 NCUA Call Report data shows that 80% of Federally-
insured credit unions above $50 million in assets already obtain a 
financial statement audit voluntarily. NCUA encourages all credit 
unions, regardless of asset size, to obtain financial statement audits, 
but recognizes that financial statement audits may not be practical for 
all credit unions. Accordingly, the final rule seeks to preserve less 
burdensome audit alternatives for credit unions that do not obtain 
financial statement audits, without compromising the Supervisory 
Committee's ability to carry out its oversight responsibilities.

D. Verification of Accounts

Section 715.8--Requirements for Verification of Accounts and Passbooks
    As mandated by 12 U.S.C. 1761d, this section requires the 
Supervisory Committee to conduct a verification of the passbooks and 
accounts of the members against the records of the credit union at 
least once every two years. One commenter urged removing proposed 
language requiring the auditor to ``provide assurance'' or draw 
conclusions in reference to both the statistical and non-statistical 
methods of verification. NCUA agrees with regard to the statistical 
sampling methods under Sec. 715.8(b)(2), but disagrees with regard to 
the non-statistical methods under Sec. 715.8(b)(3).
    Consistent with State licensing requirements, NCUA prohibits 
persons who are not ``State-licensed'' from providing assurance 
services in connection with a verification. Sec. 715.7(c). Because a 
``controlled verification,'' Sec. 715.8(b)(1), and statistical sampling 
methods, Sec. 715.8(b)(2), may be performed by persons who are not 
``State-licensed,'' the ``assurance'' language has been removed from 
Sec. 715.8(b)(2)(iv). Because non-statistical sampling methods 
consistent with GAAS, Sec. 715.8(b)(3), may be performed only by a 
``State-licensed person,'' who is authorized to provide assurance 
services, the ``assurance'' language remains intact in 
Sec. 715.8(b)(3)(i).

E. Other Audit Requirements

Section 715.9--Assistance From Outside Compensated Person
    This section sets the independence and engagement letter 
requirements that are triggered when the Supervisory Committee engages 
an outside person who is compensated to perform, or to assist in the 
performance of, a supervisory committee audit under this part. 
Paragraph (a) concerns the auditor's independence from credit union 
officials. Although NCUA received no comments on this provision, it has 
determined that the definition of persons ``unrelated to officials'' of 
the credit union (i.e., persons who qualify as independent of credit 
union officials) was too narrow with respect to relatives of credit 
union employees. This made the category of persons not sufficiently 
independent of credit union officials overinclusive. Accordingly, the 
final rule provides that a compensated auditor ``shall not be related 
by blood or marriage to any management employee * * * of the credit 
union,'' and eliminates as redundant the list of blood and marital 
relations. Sec. 715.9(a) (emphasis added).
    Paragraph (b) sets forth the general requirement for an engagement 
letter between the Supervisory Committee and the outside auditor 
memorializing the terms and conditions of the audit engagement. Two 
commenters sought clarification of the requirement that ``the 
engagement must be contracted with the supervisory committee,'' 
Sec. 715.9(b), suggesting the possibility that the supervisory 
committee may not have the authority to contract for the audit. The 
NCUA Board disagrees, believing that the supervisory committee's 
authority to contract for the credit union's audit is clear from the 
language of the FCUA,

[[Page 41034]]

which provides that ``the supervisory committee shall make or cause to 
be made an annual audit.'' 12 U.S.C. 1761d.
    Paragraph (c) sets forth the required contents of an engagement 
letter. Proposed paragraph (c)(6) required the engagement letter to 
``specify a target date of delivery'' for the audit report. At the 
suggestion of an auditing industry trade association, this provision 
has been revised to prescribe a fixed target date of delivery ``not to 
exceed 120 days from date of calendar or fiscal year-end under audit 
(period covered), unless the supervisory committee obtains a waiver 
from the supervising NCUA Regional Director.'' Sec. 715.9(c)(6). NCUA 
believes that prescribing a uniform fixed date of delivery, rather than 
allowing the date to be set on an engagement-by-engagement basis, will 
improve the consistency and efficiency of the auditing process.
    To avert post-engagement disputes between the credit union and its 
outside auditor, proposed paragraphs (d) and (e) together mirrored the 
current rule, Sec. 701.12(d)(2)-(3), in requiring an auditor to certify 
in the engagement letter when all items within the scope of a 
supervisory committee audit will be addressed in the engagement, and 
conversely, to identify any items that will be excluded from the 
engagement. The final rule is revised to reflect that certification of 
complete scope is redundant with respect to three types of audit 
engagements under part 715--the financial statement audit, the balance 
sheet audit, and the report on examination of internal control over 
Call Reporting--because reporting standards under GAAS and attestation 
standards, respectively, for those engagements already would require 
any excluded items to be reflected in the level of assurance the 
independent accountant provides in rendering an opinion. In contrast, 
the Supervisory Committee Guide audit engagement available under part 
715 does not by definition include all items within the scope of the 
engagement. Therefore, with regard to that engagement only, the final 
rule still requires the auditor to certify the completeness of scope 
or, conversely, to specify the exclusions from the scope of the 
engagement. Sec. 715.9(d) and (e).
    In the case of a Guide engagement, for example, the auditor and the 
supervisory committee may by agreement exclude the allowance for loan 
losses from the scope of the engagement. In that event, paragraph (e) 
would require the engagement letter to specify the excluded items.
Section 715.10--Audit Report and Working Paper Maintenance and Access
    This section addresses the procedure for distributing the audit 
report produced either by the Supervisory Committee or by an outside 
person who performed the audit, and the responsibility for maintenance 
of, and access to, the auditor's ``working papers'' once the engagement 
is complete. Whereas the proposed rule expressly stated that credit 
union members must be provided with ``a report of the results of an 
audit at the next annual meeting,'' the final rule provides that 
members must be provided with a ``summary'' of the results of the 
audit, ``orally or in writing''. Sec. 715.10(a). The purpose of this 
revision is to indicate that credit unions need not provide members a 
written, abridged version of the audit report itself.
    One commenter suggested that NCUA specify minimum information to be 
included in a report (or summary) of the results of the audit. Although 
NCUA has not experienced problems of insufficient disclosure of audit 
results, the final rule nonetheless includes a remedy: ``If a member so 
requests, the Supervisory Committee shall provide the member access to 
the full audit report,'' Sec. 715.10(b), although the member would not 
necessarily have a right to a copy of the report.
    Paragraph (b) concerns maintenance of, and access to, audit working 
papers. Sec. 701.10(e)(2). Two commenters sought a commitment from 
NCUA, either by rule or otherwise, to maintain the confidentiality of 
working papers to which it is given access under this section. Such a 
commitment is not necessary because audit workpapers fall within the 
scope of confidential, commercial and financial information protected 
from disclosure by NCUA regulations, except to other government 
agencies and as required by law. 12 CFR 792.11(a)(4) and (8), 792.30, 
792.60.

F. Sanctions and Remedies

Section 715.11--Sanctions for Failure To Comply With This Part
    This section authorizes NCUA to reject an audit or to impose formal 
administrative sanctions when a Supervisory Committee or its 
independent compensated auditor violates a provision of this part or a 
provision of an engagement letter prescribed by this part. Although 
NCUA received no substantive comments on this section, the final rule 
has been revised in two ways. First, to provide that when a regional 
director rejects an audit, he or she must ``provide a reasonable 
opportunity to correct the deficiencies.'' Sec. 715.11(a)(1). Second, 
to clarify that this section applies to FISCUs, the final rule cites 
section 741.202 of chapter VII as authority. Sec. 715.11(b).
Section 715.12--Statutory Audit Remedies for Federal Credit Unions
    This section provides the NCUA Board with a pair of additional 
remedies which, if certain conditions are met, apply to federally-
chartered credit unions by statute, 12 U.S.C. 1782(a)(6)(A), and to 
State-chartered credit unions by regulation. 12 CFR 701.13(a)(2). The 
remedies are the authority to compel a credit union in this category to 
have its audit performed by a State-licensed person, Sec. 715.12(a), or 
to compel the credit union to obtain a financial statement audit even 
when it is not otherwise required to do so. Sec. 715.12(b). NCUA 
received a single comment on this section, cautioning that these 
sanctions alone, when imposed against a small credit union, could drive 
that credit union into liquidation. NCUA emphasizes in response its 
commitment to chartering and continued growth of small credit unions 
when feasible, and to considering all circumstances in imposing lawful 
sanctions and remedies under this section. Finally, this section has 
been modified in the last sentence to indicate that, in addition to a 
``adverse opinion,'' a ``disclaimer of opinion'' should be an exception 
to the objective of producing an unqualified opinion. Sec. 71512(b).

G. Appropriation for Non-conforming Investments

Section 741.3--Criteria
    Although not raised in the proposed rule, Sec. 741.3(a)(3) is 
revised in the final rule to conform to a change in the technical 
nomenclature used in NCUA's Call Report (NCUA Form 5300). The phrases 
``Investment Valuation Reserve Account'' and ``Investment Valuation 
Reserve'' both are renamed the ``Appropriation for Non-conforming 
Investments''. This account receives appropriated funds from undivided 
earnings in amounts by which investment fair value exceeds book value 
in FISCUs that hold investments which would be impermissible 
investments for an FCU to hold, i.e., non-conforming investments. As 
the auditing industry trade association suggested, this change more 
appropriately reflects the function and composition of the account 
under GAAP.

[[Page 41035]]

H. Call Reporting Requirements

Section 741.6--Financial and Statistical and Other Reports
    This section sets deadlines for filing Call Reports with NCUA and 
implements the statutory mandate that Call Reports filed by credit 
unions having assets of $10 million or more must be consistent with 
GAAP. 12 U.S.C. 1782(a)(6)(C)(i). The proposed rule required that such 
Call Reports ``reflect measurement principles consistent with GAAP.'' 
An auditing industry trade association encouraged NCUA to specify other 
principles of GAAP in addition to ``measurement principles.'' Instead 
of identifying specific principles of GAAP, however, NCUA has concluded 
that it is consistent with CUMAA to simply require Call Reporting to 
``reflect GAAP'' without further specification. Sec. 741.6(b). Because 
NCUA received no other comments on this section, it is otherwise 
unchanged.

I. Comments of Principal Trade Associations

Internal Auditing Industry
    The principal trade association of the internal auditing industry 
agreed with the intent of the proposed rule but disagreed with its 
implementation, advocating that certain requirements of the rule can be 
met only by internal auditors. The association urged the NCUA to 
relieve untrained, unpaid supervisory committee volunteers of the 
burden of meeting those requirements. Seeking a niche for internal 
auditors, the trade association further proposed to replace the 
regulatory scheme in part 715 with a hierarchy of both mandatory 
internal and external audit requirements based on six asset size 
categories. Depending on the category in which a credit union falls, 
the hierarchy prescribes an examination period ranging between 12 and 
36 months, the option or requirement to conduct an internal audit, and 
different supervisory committee audit alternatives available in each 
category.
    While NCUA appreciates the constructive input of the internal 
auditing industry trade association, it is not prepared at this 
juncture to tailor auditing requirements by asset size, to prescribe 
examination periods of varying lengths, to mandate an internal audit 
function, or to designate particular types of audits available under 
different asset categories. Rather, the NCUA's objective in part 715 is 
to implement the auditing requirements of CUMAA and to establish for 
federally-insured credit unions having less than $500 million in assets 
a uniform structure of universally available alternatives to fulfill 
the supervisory committee audit responsibility. All but one of these 
alternatives may be performed only by State-licensed auditors.
Principal Banking Industry Trade Association
    In sum, the principal banking industry trade association contends 
that while the proposed rule fulfills the requirements of CUMAA, those 
requirements still are much less stringent than those to which banks 
are held. Many of the points raised by the trade association were 
raised by other commenters and are addressed earlier in this preamble. 
Apart from these points, the trade association complains that even 
though part 715 complies with CUMAA, it still is less stringent than 
audit requirements imposed on banks; that although not required to do 
so, NCUA should require the Call Reports of credit unions having less 
than $10 million in assets to reflect GAAP; that the statutory minimum 
audit requirements should be addressed in a rule which is entirely 
separate from part 715, which as proposed purportedly is ``missing 
critical elements''; that many of the definitions in part 715 are 
deficient and many terms used in the rule are undefined; that the 
Supervisory Committee's responsibilities need to be ``clarified and 
strengthened''; and that the standards and scope provisions of the 
current rule, Sec. 701.12(c)(2) and (3), should be retained in part 715 
and in the Supervisory Committee Guide.
    In general, the trade association's views are fundamentally 
contrary to NCUA's objectives in part 715. Whereas NCUA wishes to 
faithfully implement the minimum audit requirements of CUMAA, the trade 
association apparently wants to hold credit unions to a standard 
approaching that which applies to the institutions which are its 
members. To do so would impose an unwarranted burden on credit unions. 
Rather, NCUA's objective in part 715 is to serve the distinctive needs 
of credit unions for simplicity, choice and flexibility in the auditing 
process, consistent with the supervisory committee's oversight 
responsibility and NCUA's duty to protect the National Credit Union 
Share Insurance Fund.

Regulatory Procedures

Regulatory Flexibility Act

    The Regulatory Flexibility Act requires NCUA to prepare an analysis 
to describe any significant economic impact a proposed regulation may 
have on a substantial number of small credit unions (primarily those 
under $1 million in assets). The NCUA Board has determined and 
certifies that the final rule will not have a significant economic 
impact on a substantial number of small credit unions. Thus, a 
Regulatory Flexibility Analysis is not required.

Paperwork Reduction Act

    The final rule imposes no additional information collection 
requirements beyond those in the current rule it replaces. Therefore, 
no Paperwork Reduction Act analysis is required.

Executive Order 12612

    Executive Order 12612 requires NCUA to consider the effect of its 
actions on state interests. The final rule will not have a substantial 
direct effect on the states, on the relationship between the national 
government and the states, or on the distribution of rights and 
responsibilities among the various levels of government.

List of Subjects

12 CFR Parts 710 and 741

    Credit unions, Reporting and recordkeeping requirements.

12 CFR Part 715

    Audits, Credit unions, Reporting and recordkeeping requirements, 
Supervisory committee.

    By the National Credit Union Administration Board on July 22, 
1999.
Becky Baker,
Secretary of the Board.

    Accordingly, 12 CFR parts 701, 715 and 741 are amended as set forth 
below:

PART 701--ORGANIZATION AND OPERATION OF FEDERAL CREDIT UNIONS

    1. The authority citation for part 701 continues to read as 
follows:

    Authority: 12 U.S.C. 1752(5), 1755, 1756, 1757, 1759, 1761a, 
1761b, 1766, 1767, 1782, 1784, 1787, 1789 and 1798. Section 701.6 is 
also authorized by 31 U.S.C. 3717. Section 701.31 is also authorized 
by 15 U.S.C. 1601 et seq.; 42 U.S.C. 1981 and 3601-3610. Section 
701.35 is also authorized by 42 U.S.C. 4311-4312.


Secs. 701.12 and 701.13  [Removed]

    2. Sections 701.12 and 701.13 are removed.
    3. Part 715 is added to read as follows:

PART 715--SUPERVISORY COMMITTEE AUDITS AND VERIFICATIONS

Sec.
715.1  Scope of this part.
715.2  Definitions used in this part.

[[Page 41036]]

715.3  General responsibilities of the Supervisory Committee.
715.4  Audit responsibility of the Supervisory Committee.
715.5  Audit of Federal Credit Unions.
715.6  Audit of Federally-insured State-chartered credit unions.
715.7  Supervisory Committee audit alternatives to a financial 
statement audit.
715.8  Requirements for verification of accounts and passbooks.
715.9  Assistance from outside, compensated person.
715.10  Audit report and working paper maintenance and access.
715.11  Sanctions for failure to comply with this part.
715.12  Statutory audit remedies for Federal credit unions.

    Authority: 12 U.S.C. 1761d, 1782(a)(6).


Sec. 715.1  Scope of this part.

    This part implements section 202(a)(6)(D) of the Federal Credit 
Union Act, 12 U.S.C. 1782(a)(6)(D), as added by section 201(a) of the 
Credit Union Membership Access Act, Pub. L. No. 105-219, 112 Stat. 918 
(1998). This part prescribes the responsibilities of the Supervisory 
Committee to obtain an annual audit of the credit union according to 
its charter type and asset size, and to conduct a verification of 
members' accounts.


Sec. 715.2  Definitions used in this part.

    As used in this part:
    (a) Balance sheet audit refers to the examination of a credit 
union's assets, liabilities, and equity under generally accepted 
auditing standards (GAAS) by an independent public accountant for the 
purpose of opining on the fairness of the presentation on the balance 
sheet. Credit unions required to file call reports consistent with GAAP 
should ensure the audited balance sheet is likewise prepared on a GAAP 
basis. The opinion under this type of engagement would not address the 
fairness of the presentation of the credit union's income statement, 
statement of changes in equity (including comprehensive income), or 
statement of cash flows.
    (b) Compensated person refers to any accounting/auditing 
professional, excluding a credit union employee, who is compensated for 
performing more than one supervisory committee audit and/or 
verification of members' accounts per calendar year.
    (c) Financial statements refers to a presentation of financial 
data, including accompanying notes, derived from accounting records of 
the credit union, and intended to disclose a credit union's economic 
resources or obligations at a point in time, or the changes therein for 
a period of time, in conformity with GAAP, as defined herein, or 
regulatory accounting procedures. Each of the following is considered 
to be a financial statement: a balance sheet or statement of financial 
condition; statement of income or statement of operations; statement of 
undivided earnings; statement of cash flows; statement of changes in 
members' equity; statement of revenue and expenses; and statement of 
cash receipts and disbursements.
    (d) Financial statement audit (also known as an ``opinion audit'') 
refers to an audit of the financial statements of a credit union 
performed in accordance with GAAS by an independent person who is 
licensed by the appropriate State or jurisdiction. The objective of a 
financial statement audit is to express an opinion as to whether those 
financial statements of the credit union present fairly, in all 
material respects, the financial position and the results of its 
operations and its cash flows in conformity with GAAP, as defined 
herein, or regulatory accounting practices.
    (e) GAAP is an acronym for ``generally accepted accounting 
principles'' which refers to the conventions, rules, and procedures 
which define accepted accounting practice. GAAP includes both broad 
general guidelines and detailed practices and procedures, provides a 
standard by which to measure financial statement presentations, and 
encompasses not only accounting principles and practices but also the 
methods of applying them.
    (f) GAAS is an acronym for ``generally accepted auditing 
standards'' which refers to the standards approved and adopted by the 
American Institute of Certified Public Accountants which apply when an 
``independent, licensed certified public accountant'' audits financial 
statements. Auditing standards differ from auditing procedures in that 
``procedures'' address acts to be performed, whereas ``standards'' 
measure the quality of the performance of those acts and the objectives 
to be achieved by use of the procedures undertaken. In addition, 
auditing standards address the auditor's professional qualifications as 
well as the judgment exercised in performing the audit and in preparing 
the report of the audit.
    (g) Independent means the impartiality necessary for the 
dependability of the compensated auditor's findings. Independence 
requires the exercise of fairness toward credit union officials, 
members, creditors and others who may rely upon the report of a 
supervisory committee audit report.
    (h) Internal control refers to the process, established by the 
credit union's board of directors, officers and employees, designed to 
provide reasonable assurance of reliable financial reporting and 
safeguarding of assets against unauthorized acquisition, use, or 
disposition. A credit union's internal control structure consists of 
five components: control environment; risk assessment; control 
activities; information and communication; and monitoring. Reliable 
financial reporting refers to preparation of Call Reports (NCUA Forms 
5300 and 5310) that meet management's financial reporting objectives. 
Internal control over safeguarding of assets against unauthorized 
acquisition, use, or disposition refers to prevention or timely 
detection of transactions involving such unauthorized access, use, or 
disposition of assets which could result in a loss that is material to 
the financial statements.
    (i) Reportable conditions refers to a matter coming to the 
attention of the independent, compensated auditor which, in his or her 
judgment, represents a significant deficiency in the design or 
operation of the internal control structure of the credit union, which 
could adversely affect its ability to record, process, summarize, and 
report financial data consistent with the representations of management 
in the financial statements.
    (j) Report on Examination of Internal Control over Call Reporting 
refers to an engagement in which an independent, licensed, certified 
public accountant or public accountant, consistent with attestation 
standards, examines and reports on management's written assertions 
concerning the effectiveness of its internal control over financial 
reporting in its most recently filed semiannual or year-end Call 
Report, with a concentration in high risk areas. For credit unions, 
such high risk areas most often include: lending activity; investing 
activity; and cash handling and deposit-taking activity.
    (k) State-licensed person refers to a certified public accountant 
or public accountant who is licensed by the State or jurisdiction where 
the credit union is principally located to perform accounting or 
auditing services for that credit union.
    (l) Supervisory committee refers to a supervisory committee as 
defined in Section 111(b) of the Federal Credit Union Act, 12 U.S.C. 
1786(r). For some federally-insured state chartered credit unions, the 
``audit committee'' designated by state statute or regulation is the 
equivalent of a supervisory committee.

[[Page 41037]]

    (m) Supervisory committee audit refers to an engagement under 
either Sec. 715.5 or Sec. 715.6 of this part.
    (n) Working papers refers to the principal record, in any form, of 
the work performed by the auditor and/or supervisory committee to 
support its findings and/or conclusions concerning significant matters. 
Examples include the written record of procedures applied, tests 
performed, information obtained, and pertinent conclusions reached in 
the engagement, proprietary audit programs, analyses, memoranda, 
letters of confirmation and representation, abstracts of credit union 
documents, reviewer's notes, if retained, and schedules or commentaries 
prepared or obtained in the course of the engagement.


Sec. 715.3  General responsibilities of the Supervisory Committee.

    (a) Basic. The supervisory committee is responsible for ensuring 
that the board of directors and management of the credit union--
    (1) Meet required financial reporting objectives;
    (2) And establish practices and procedures sufficient to safeguard 
members' assets.
    (b) Specific. To carry out the responsibilities set forth in 
paragraph (a) of this section, the supervisory committee must determine 
whether:
    (1) Internal controls are established and effectively maintained to 
achieve the credit union's financial reporting objectives which must be 
sufficient to satisfy the requirements of the supervisory committee 
audit, verification of members' accounts and its additional 
responsibilities;
    (2) The credit union's accounting records and financial reports are 
promptly prepared and accurately reflect operations and results;
    (3) The relevant plans, policies, and control procedures 
established by the board of directors are properly administered; and
    (4) Policies and control procedures are sufficient to safeguard 
against error, conflict of interest, self-dealing and fraud.
    (c) Mandates. In carrying out the responsibilities set forth in 
paragraphs (a) and (b) of this section, the Supervisory Committee must:
    (1) Ensure that the credit union adheres to the measurement and 
filing requirements for reports filed with the NCUA Board under 
Sec. 741.6 of this chapter;
    (2) Perform or obtain a supervisory committee audit, as prescribed 
in Sec. 715.4 of this part;
    (3) Verify or cause the verification of members' passbooks and 
accounts against the records of the credit union, as prescribed in 
Sec. 715.8 of this part;
    (4) Act to avoid imposition of sanctions for failure to comply with 
the requirements of this part, as prescribed in Sec. 715.11 and 
Sec. 715.12 of this part.


Sec. 715.4  Audit responsibility of the Supervisory Committee.

    (a) Annual audit requirement. A federally-insured credit union is 
required to obtain an annual supervisory committee audit which occurs 
at least once every calendar year (period of performance) and must 
cover the period elapsed since the last audit period (period 
effectively covered).
    (b) Financial statement audit option. Any federally-insured credit 
union, whether Federally- or State-chartered and regardless of asset 
size, may choose to fulfill its Supervisory Committee audit 
responsibility by obtaining an annual audit of its financial statements 
performed in accordance with GAAS by an independent person who is 
licensed to do so by the State or jurisdiction in which the credit 
union is principally located. (A ``financial statement audit'' is 
distinct from a ``supervisory committee audit,'' although a financial 
statement audit is included among the options for fulfilling the 
supervisory committee audit requirement. Compare Sec. 715.2(c) and 
(j).)
    (c) Other audit options. A federally insured credit union which 
does not choose to obtain a financial statement audit as permitted by 
subsection (b) must fulfill its supervisory audit responsibility under 
either of Sec. 715.5 or Sec. 715.6 of this part, whichever is 
applicable. See Table 1. For purposes of this part, a credit union's 
asset size is the amount of total assets reported in the year-end Call 
Report (NCUA form 5300) filed for the calendar year-end immediately 
preceding the period under audit.


[[Page 41038]]

[GRAPHIC] [TIFF OMITTED] TR29JY99.000


    \1\ The Supervisory Committee audit responsibility under Part 
715 can always be fulfilled by obtaining a financial statement 
audit. Sec. 715.4(b).


Sec. 715.5  Audit of Federal Credit Unions.

    (a) Total assets of $500 million or greater. To fulfill its 
Supervisory Committee audit responsibility, a federal credit union 
having total assets of $500 million or greater must obtain an annual 
audit of its financial statements performed in accordance with GAAS by 
an independent person who is licensed to do so by the State or 
jurisdiction in which the credit union is principally located.
    (b) Total assets of less than $500 million but more than $10 
million. To fulfill its Supervisory Committee audit responsibility, a 
Federally-chartered credit union having total assets of less than $500 
million but more than $10 Million which does not choose to obtain an 
audit under Sec. 715.5(a), must obtain an annual supervisory committee 
audit as prescribed in Sec. 715.7.
    (c) Total assets of $10 million or less. To fulfill its Supervisory 
Committee audit responsibility, a Federally-chartered credit union 
having total assets of $10 million or less must obtain an annual 
Supervisory Committee audit as prescribed in Sec. 715.7.
    (d) Other requirements. A federally chartered credit union, 
regardless of which audit it is required to obtain under this section, 
must meet other applicable requirements of this part.


Sec. 715.6  Audit of Federally-insured State-chartered credit unions.

    (a) Total assets of $500 million or greater. To fulfill its 
Supervisory Committee audit responsibility, a federally-insured State-
chartered credit union having total assets of $500 million or greater 
must obtain an annual audit of its financial statements performed in 
accordance with GAAS by an independent person who is licensed to do so 
by the State or jurisdiction in which the credit union is principally 
located.
    (b) Total assets of less than $500 million. To fulfill its 
Supervisory Committee audit responsibility, a federally-insured State-
chartered credit union having total assets of less than $500 million 
must obtain either an annual supervisory committee audit as prescribed 
under either Sec. 715.6(a) or Sec. 715.7, or an audit as prescribed by 
the State or jurisdiction in which the credit union is principally 
located, whichever audit is more stringent.
    (c) Other requirements. A federally-insured, state-chartered credit 
union, regardless of which audit it is required to obtain under this 
section, must meet other applicable requirements of this part except 
Secs. 715.5 and 715.12.


Sec. 715.7  Supervisory Committee audit alternatives to a financial 
statement audit.

    A credit union which is not required to obtain a financial 
statement audit may fulfill its supervisory committee responsibility by 
any one of the following engagements:
    (a) Balance sheet audit. A balance sheet audit, as defined in 
Sec. 715.2(a), performed by a person who is licensed to do so by the 
State or jurisdiction in which the credit union is principally located; 
or
    (b) Report on Examination of Internal Control over Call Reporting. 
An engagement and report on management's written assertions concerning 
the effectiveness of internal control over financial reporting in the 
credit union's most recently filed semiannual or year-end call report 
(NCUA Form 5300), as defined in Sec. 715.2(j), performed by a person 
who is licensed to do so by the State or jurisdiction in which the 
credit union is principally located, and in which management specifies 
the criteria on which it based its evaluation of internal control; or
    (c) Audit per Supervisory Committee Guide. An audit performed by 
the supervisory committee, its internal auditor, or any other qualified 
person (such as a certified public accountant, public accountant, 
league auditor, credit union auditor consultant, retired financial 
institutions examiner, etc.) in accordance with the procedures 
prescribed in NCUA's Supervisory Committee Guide. Qualified persons who 
are not State-licensed cannot provide assurance services under this 
subsection.

[[Page 41039]]

Sec. 715.8  Requirements for verification of accounts and passbooks.

    (a) Verification obligation. The Supervisory Committee shall, at 
least once every two years, cause the passbooks (including any book, 
statements of account, or other record approved by the NCUA Board) and 
accounts of the members to be verified against the records of the 
treasurer of the credit union.
    (b) Methods. Any of the following methods may be used to verify 
members' passbooks and accounts, as appropriate:
    (1) Controlled verification. A controlled verification of 100 
percent of members' share and loan accounts;
    (2) Statistical method. A sampling method which provides for:
    (i) Random selection:
    (ii) A sample which is representative of the population from which 
it was selected;
    (iii) An equal chance of selecting each dollar in the population;
    (iv) Sufficient accounts in both number and scope on which to base 
conclusions concerning management's financial reporting objectives; and
    (v) Additional procedures to be performed if evidence provided by 
confirmations alone is not sufficient.
    (3) Non-statistical method. When the verification is performed by 
an Independent person licensed by the State or jurisdiction in which 
the credit union is principally located, the auditor may choose among 
the sampling methods set forth in paragraphs (b)(1) and (2) of this 
section and non-statistical sampling methods consistent with GAAS if 
such methods provide for:
    (i) Sufficient accounts in both number and scope on which to base 
conclusions concerning management's financial reporting objectives to 
provide assurance that the General Ledger accounts are fairly stated in 
relation to the financial statements taken as a whole;
    (ii) Additional procedures to be performed by the auditor if 
evidence provided by confirmations alone is not sufficient; and
    (iii) Documentation of the sampling procedures used and of their 
consistency with GAAS (to be provided to the NCUA Board upon request).
    (c) Retention of records. The supervisory committee must retain the 
records of each verification of members' passbooks and accounts until 
it completes the next verification of members' passbooks and accounts.


Sec. 715.9  Assistance from outside, compensated person.

    (a) Unrelated to officials. A compensated auditor who performs a 
Supervisory Committee audit on behalf of a credit union shall not be 
related by blood or marriage to any management employee, member of 
either the board of directors, the Supervisory Committee or the credit 
committee, or loan officer of that credit union.
    (b) Engagement letter. The engagement of a compensated auditor to 
perform all or a portion of the scope of a financial statement audit or 
supervisory committee audit shall be evidenced by an engagement letter. 
In all cases, the engagement must be contracted directly with the 
Supervisory Committee. The engagement letter must be signed by the 
compensated auditor and acknowledged therein by the Supervisory 
Committee prior to commencement of the engagement.
    (c) Contents of letter. The engagement letter shall:
    (1) Specify the terms, conditions, and objectives of the 
engagement;
    (2) Identify the basis of accounting to be used;
    (3) If a Supervisory Committee Guide audit, include an appendix 
setting forth the procedures to be performed;
    (4) Specify the rate of, or total, compensation to be paid for the 
audit;
    (5) Provide that the auditor shall, upon completion of the 
engagement, deliver to the Supervisory Committee a written report of 
the audit and notice in writing, either within the report or 
communicated separately, of any internal control reportable conditions 
and/or irregularities or illegal acts, if any, which come to the 
auditor's attention during the normal course of the audit (i.e., no 
notice required if none noted);
    (6) Specify a target date of delivery of the written reports, such 
target date not to exceed 120 days from date of calendar or fiscal 
year-end under audit (period covered), unless the supervisory committee 
obtains a waiver from the supervising NCUA Regional Director;
    (7) Certify that NCUA staff and/or the State credit union 
supervisor, or designated representatives of each, will be provided 
unconditional access to the complete set of original working papers, 
either at the offices of the credit union or at a mutually agreed upon 
location, for purposes of inspection; and
    (8) Acknowledge that working papers shall be retained for a minimum 
of three years from the date of the written audit report.
    (d) Complete scope. If the engagement is to perform a Supervisory 
Committee Guide audit intended to fully meet the requirements of 
Sec. 715.7(c), the engagement letter shall certify that the audit will 
address the complete scope of that engagement;
    (e) Exclusions from scope. If the engagement is to perform a 
Supervisory Committee Guide audit which will exclude any item required 
by the applicable section, the engagement letter shall:
    (1) Identify the excluded items;
    (2) State that, because of the exclusion(s), the resulting audit 
will not, by itself, fulfill the scope of a supervisory committee 
audit; and
    (3) Caution that the supervisory committee will remain responsible 
for fulfilling the scope of a supervisory committee audit with respect 
to the excluded items.


Sec. 715.10  Audit report and working paper maintenance and access.

    (a) Audit report. Upon completion and/or receipt of the written 
report of a financial statement audit or a supervisory committee audit, 
the Supervisory Committee must verify that the audit was performed and 
reported in accordance with the terms of the engagement letter 
prescribed herein. The Supervisory Committee must submit the report(s) 
to the board of directors, and provide a summary of the results of the 
audit to the members of the credit union orally or in writing at the 
next annual meeting of the credit union. If a member so requests, the 
Supervisory Committee shall provide the member access to the full audit 
report. If the National Credit Union Administration (``NCUA'') so 
requests, the Supervisory Committee shall provide NCUA a copy of each 
of the audit reports it receives or produces.
    (b) Working papers. The supervisory committee shall be responsible 
for preparing and maintaining, or making available, a complete set of 
original working papers supporting each supervisory committee audit. 
The supervisory committee shall, upon request, provide NCUA staff 
unconditional access to such working papers, either at the offices of 
the credit union or at a mutually agreeable location, for purposes of 
inspecting such working papers.


Sec. 715.11  Sanctions for failure to comply with this part.

    (a) Sanctions. Failure of a supervisory committee and/or its 
independent compensated auditor or other person to comply with the 
requirements of this section, or the terms of an engagement letter 
required by this section, is grounds for:
    (1) The regional director to reject the supervisory committee audit 
and provide a reasonable opportunity to correct deficiencies;
    (2) The regional director to impose the remedies available in 
Sec. 715.12, provided

[[Page 41040]]

any of the conditions specified therein is present; and
    (3) The NCUA Board to seek formal administrative sanctions against 
the supervisory committee and/or its independent, compensated auditor 
pursuant to section 206(r) of the Federal Credit Union Act, 12 U.S.C. 
1786(r).
    (b) State Charters. In the case of a federally-insured state 
chartered credit union, NCUA shall provide the state regulator an 
opportunity to timely impose a remedy satisfactory to NCUA before 
exercising it authority under Sec. 741.202 of this chapter to impose a 
sanction permitted under paragraph (a) of this section.


Sec. 715.12  Statutory audit remedies for Federal credit unions.

    (a) Audit by alternative licensed person. The NCUA Board may compel 
a federal credit union to obtain a supervisory committee audit which 
meets the minimum requirements of Sec. 715.5 or Sec. 715.7, and which 
is performed by an independent person who is licensed by the State or 
jurisdiction in which the credit union is principally located, for any 
fiscal year in which any of the following three conditions is present:
    (1) The Supervisory Committee has not obtained an annual financial 
statement audit or performed a supervisory committee audit; or
    (2) The Supervisory Committee has obtained a financial statement 
audit or performed a supervisory committee audit which does not meet 
the requirements of part 715 including those in Sec. 715.8.
    (3) The credit union has experienced serious and persistent 
recordkeeping deficiencies as defined in paragraph (c) of this section.
    (b) Financial statement audit required. The NCUA Board may compel a 
federal credit union to obtain a financial statement audit performed in 
accordance with GAAS by an independent person who is licensed by the 
State or jurisdiction in which the credit union is principally located 
(even if such audit is not required by Sec. 715.5), for any fiscal year 
in which the credit union has experienced serious and persistent 
recordkeeping deficiencies as defined in paragraph (c) of this section. 
The objective of a financial statement audit performed under this 
paragraph is to reconstruct the records of the credit union sufficient 
to allow an unqualified or, if necessary, a qualified opinion on the 
credit union's financial statements. An adverse opinion or disclaimer 
of opinion should be the exception rather than the norm.
    (c) ``Serious and persistent recordkeeping deficiencies.'' A 
record-keeping deficiency is ``serious'' if the NCUA Board reasonably 
believes that the board of directors and management of the credit union 
have not timely met financial reporting objectives and established 
practices and procedures sufficient to safeguard members' assets. A 
serious recordkeeping deficiency is ``persistent'' when it continues 
beyond a usual, expected or reasonable period of time.

PART 741--REQUIREMENTS FOR INSURANCE

    4. The authority citation for part 741 continues to read as 
follows:

    Authority: 12 U.S.C. 1757, 1766, and 1781-1790. Section 741.4 is 
also authorized by 31 U.S.C. 3717.


Sec. 741.3  [Amended]

    5. Section 741.3 is amended to change both the phrase ``Investment 
Valuation Reserve Account'' and the phrase ``Investment Valuation 
Reserve'' in paragraph (a)(3) to ``Appropriation for Non-conforming 
Investments''.
    6. Section 741.6 is amended to change the phrase in paragraph (a) 
from ``before January 31 and on or before July 31'' to ``before January 
22 and on or before July 22''; and to redesignate paragraph (b) as 
paragraph (d) and to add paragraphs (b) and (c) to read as follows:


Sec. 741.6  Financial and statistical and other reports.

* * * * *
    (b) Consistency with GAAP. The accounts of financial statements and 
reports required to be filed quarterly or semiannually under paragraph 
(a) of this section must reflect GAAP if the credit union has total 
assets of $10 million or greater, but may reflect regulatory accounting 
principles other than GAAP if the credit union has total assets of less 
than $10 million (except that a Federally-insured State-chartered 
credit union may be required by its state credit union supervisor to 
follow GAAP regardless of asset size).
    (c) GAAP sources. GAAP means generally accepted accounting 
principles, as defined in Sec. 715.2(e) of this chapter. GAAP is 
distinct from GAAS, which means generally accepted auditing standards, 
as defined in Sec. 715.2(f) of this chapter. Authoritative sources of 
GAAP include, but are not limited to, pronouncements of the Financial 
Accounting Standards Board (FASB) and its predecessor organizations, 
the Accounting Standards Executive Committee (AcSEC) of the American 
Institute of Certified Public Accountants (AICPA), the FASB's Emerging 
Issues Task Force (EITF), and the applicable AICPA Audit and Accounting 
Guide.
* * * * *


Sec. 741.202  [Amended]

    7. Section 741.202 is amended to change: the references in 
paragraph (a) from ``requirements set forth in Secs. 701.12 and 
701.13'' to ``applicable requirements set forth in part 715''; to add 
at the ending of paragraph (a) after ``of this chapter'' the phrase 
``or applicable state law, whichever requirement is more stringent.''; 
and to change references in paragraph (b) from ``Secs. 701.12(e) and 
701.13'' to ``Sec. 715.8''.

[FR Doc. 99-19254 Filed 7-28-99; 8:45 am]
BILLING CODE 7535-01-U