Regulation  209 CMR 43.00: Audit and security requirements for credit unions

The purpose of 209 CMR 43.00 is to establish examination and audit requirements for credit unions and their auditing committees.  The frequency, scope and minimum requirements for credit union audits and share verifications are specified within 209 CMR 43.00.  In addition, 209 CMR 43.00 includes provisions relative to compliance with federal regulations relative to security and protection of credit unions.

As used in 209 CMR 43.00, the following words shall have the following meanings:

Audit:  an examination of the books, securities, cash, assets, liabilities, equity, income and expenditures of a credit union, including trial balance of the deposit and share account, in which a certified public accountant conducts an audit using generally accepted auditing standards (GAAS) and issues an opinion on whether the financial statements conform with generally accepted accounting principles (GAAP), subject to such other conditions and requirements that the Commissioner may impose from time to time under M.G.L. c. 171, § 16.

Auditing Committee:  the committee elected by the credit union's Board of Directors under M.G.L. c. 171, § 15 and which operates under M.G.L. c. 171, § 16.

Auditing Committee Review:  a review performed by the Auditing Committee or a qualified  individual that conforms, at a minimum, to the standards set forth in the National Credit Union Administration’s (NCUA) Supervisory Committee Guide for Federal Credit Unions.

Commissioner:  the Commissioner of Banks.

Credit Union:  a credit union as defined by M.G.L. c. 171, § 1 and subject to supervision and examination by the Commissioner.

Members of their immediate families:  a spouse, or a child, parent, grandchild, grandparent, brother or sister, or the spouse of any such individual.

NCUA: The National Credit Union Administration, or any successor to such entity.

Qualified individual:  any accounting or auditing professional, excluding a credit union employee, who performs the Auditing Committee Review or verification of members' accounts.  Examples of such an individual could include a certified public accountant, a credit union auditor consultant, or an individual experienced in financial statement audits. 

As a member of the Auditing Committee, you are responsible for determining that the financial condition of the credit union is accurately and fairly presented in the credit union's statements and that management practices and procedures are sufficient to safeguard members' shares.  This includes ensuring the timely and adequate completion of the annual audit under GAAS auditing procedures or Auditing Committee Review, as well as the verification of members’ accounts.

To meet the requirements of 209 CMR 43.00, the Auditing Committee shall determine that the credit union's accounting records and reports are prepared promptly and accurately reflect operations and results, that internal controls are established and effectively maintained to safeguard the credit union's assets, and that the plans, policies, and control procedures established by the board of directors are being properly administered.  The Auditing Committee is also responsible for reviewing policies and control procedures to safeguard against error, carelessness, fraud, and conflicts of interest.

The activities generally used to carry out these responsibilities include performing or obtaining the annual audit and the verification of members' accounts; however, as a member of the Auditing Committee you are expected to oversee such other tests and reviews as may be necessary in the Auditing Committee's judgment to meet its responsibilities, such as ensuring high-risk areas of the credit union are audited or reviewed regularly.

The Auditing Committee shall verify or cause to be verified all share/deposit and loan accounts with the records of the treasurer not less frequently than once every two years.  The verification of members' accounts shall be made using either of the following methods:

1. Controlled verification of 100% of members' share/deposit and loan accounts; or
2. Controlled random statistical sampling method that accurately tests sufficient accounts in both number and scope to provide assurance that the General Ledger accounts are fairly stated and that members' accounts are properly safeguarded.  That sampling procedure must provide each member account an equal chance of being selected.

Records of those accounts verified and the procedures used to perform the verification must be maintained and retained until the next verification of members' accounts is completed.

1. Your credit union must be audited annually for each fiscal year.  The audit must cover the period elapsed since the prior annual audit.  The requirements differ based on the credit union’s total asset size, as described in 209 CMR 43.05(1)(a) through (c).

(a) If your credit union has less than $5,000,000 in total assets, the Auditing Committee can choose to either: (1) have the audit performed by an independent certified public accountant; (2) conduct an Auditing Committee Review; or (3) engage a qualified individual other than a certified public accountant to conduct such a review.

If you choose to conduct an Auditing Committee Review, in all cases the review shall follow, at a minimum, the procedures specified in the NCUA Supervisory Committee Guide for Federal Credit Unions.  Each of your credit union's annual audits shall, at a minimum, test the credit union's assets, liabilities, equity, income, and expenses for existence, proper cut off, valuations, ownership, disclosures and classification, and internal controls.

(b) If your credit union has between $5,000,000 and $50,000,000 in total assets, the annual audit requirements described above for those credit unions under $5,000,000 in total assets apply.  However, your credit union must have an audit performed by an independent certified public accountant at least every three years.

(c) If your credit union has greater than $50,000,000 in total assets, you must have an audit performed by an independent certified public accountant annually.

2. During the course of such audit, the Auditing Committee shall make themselves reasonably available for consultation with the qualified individual conducting the audit.  At the conclusion of the audit, the Auditing Committee shall review the audit report prepared by the qualified individual.  Operating management of the credit union may also be present for the purpose of responding to specific questions raised by the audit report.  It should be emphasized that the qualified individual shall report only to the Auditing Committee, and not to the management of the credit union.  The Auditing Committee shall report the findings of the annual audit, including significant deficiencies and material weaknesses, to the board of directors of the credit union upon completion of the audit.  The written report shall be available for review by any examiner of the Commissioner.  The Auditing Committee shall ensure the timely and adequate completion of the annual audit or Auditing Committee Review under GAAS auditing procedures.  The annual audit required by 209 CMR 43.03 shall constitute the annual audit required by M.G.L. c. 171, § 16.

3. A duly licensed certified public accountant or qualified individual, performing audits for the Auditing Committee, must be independent of the credit union's employees; members of the board of directors, auditing and credit committees or the credit union's loan officers; and members of their immediate families.  Such auditors shall not be members of the credit union.

A credit union shall obtain an opinion audit by an independent certified public accountant for any fiscal year during which any one of the following conditions is present:

1. the credit union's Auditing Committee has not conducted an annual audit under 209 CMR 43.03;
2. the credit union's annual audit did not meet the audit requirements of 209 CMR 43.05; or
3. the credit union has experienced serious and persistent recordkeeping deficiencies, which continue to exist past a usual, expected, or reasonable period of time.  The Commissioner shall consider persistent recordkeeping deficiencies serious if there is a reasonable doubt that the financial condition of the credit union is accurately and fairly presented in the credit union's statements and that management practices and procedures are sufficient to safeguard members' share accounts.

In the event the Auditing Committee utilizes a certified public accountant or qualified individual, in all cases the Auditing Committee must contract the engagement directly.  The qualified individual must sign an engagement letter and the Auditing Committee must acknowledge it therein prior to the commencement of the engagement.  At a minimum, the letter must specify the terms and conditions of the engagement, the basis of accounting to be used, the rate of compensation to be paid, the target date of delivery of the written audit report, and access to workpapers by the Commissioner.  Such engagement letter must be noted in the Auditing Committee minutes and made available to the Division upon request.  The auditor shall deliver the audit report directly to the Auditing Committee. 

The Auditing Committee or its independent auditors shall be responsible for the preparation and the maintenance of workpapers and other documentation used to support annual audits.  The Auditing Committee shall make such workpapers and other documentation available for review by the Commissioner.

A credit union which complies with the provisions of 12 CFR Part 748 (Security Program, Report of Suspected Crimes, Suspicious Transactions, Catastrophic Acts and Bank Secrecy Act Compliance) or other applicable regulations of the NCUA, which regulations govern substantially the same subject matter as is governed by 209 CMR 43.09, shall be deemed to be in compliance with M.G.L. c. 167, § 1A and 209 CMR 43.09.