Armagh Credit Union
Internal Audit Policy
This policy was adopted by the Board of Directors of Armagh Credit Union Limited.
Signed:Position
________________
Position
________________
Date:
Internal Audit Plan
Armagh Credit Union is authorized/regulated by the FCA/PRA Registration Number 573925
1. Introduction
The first step in preparing an Internal Audit Plan for a Credit Union is to identify where things might go wrong for the credit union, i.e. what are the key risk areas. It is then necessary to assess the identified risks in order to understand the impact if any of the risks materialised. The risk assessment exercise will enable us to define the areas requiring audit and to rank these areas in order of priority. Audit resources will be applied to the various risk areas to assess if the controls in place are effective in mitigating the risk identified. The frequency of review will be dependent on how the risk has been prioritised. We will use an internal audit work programme (given by Cavanagh Kelly Chartered Accountants) to focus our work on each risk area.
2. Identify Key Risks
Based on our knowledge of Credit Unions, an internal audit work programme should assess the following key risk areas:
Checking new and existing loans to ensure compliance with lending and bad debt provisioning policies;
Ensuring transactions with officers occur under same terms as transactions with other credit union members;
Verification of cash i.e. counting and reconciliation without prior notification;
Bank reconciliation to check records against bank statements;
Verifying share and loan balances;
Checking share withdrawals and disbursements to ensure that they have been authorised in accordance with procedures;
Verification of the credit union’s bank and investment account balances;
Verification of the credit union's fixed assets and other assets;
Compliance – having in place all necessary policies and procedures and ensuring ongoing compliance with relevant Acts, Legislation and rules; and
Ensuring appropriate Corporate Governance measures are in place.
3. Assess Impact and Likelihood of Risks and Prioritise Risks
We will undertake a risk assessment of each of the above areas, by considering:
- The likelihood of the risk materialising, taking into consideration the volume of transactions, the complexity of the processes, the adequacy of specific controls, prior experience of the risk; and
- The impact that the risk would have on the Credit Union if the risk materialised; in terms of impact on financial resources, reputation, sensitivity of information, relationships with stakeholders and compliance with laws and regulations.
Both the risk impact and risk likelihood will be assessed separately on a scale of high to low, with a corresponding numerical value assigned to each attribute as per the table below.
Scale | High | Medium | Low
Impact | Has a significant impact on the achievement of the strategic objectives | Has a limited impact on the achievement of the strategic objectives | Has a small impact on the achievement of the strategic objectives
Likelihood | Risk may occur often | Risk is likely to occur | Risk may occasionally occur
The overall risk score will then be quantified by multiplying together the values for the risk likelihood and risk impact. Finally, the risk scores will be grouped as per the table below and each auditable area will be assigned an overall risk category based on the following scores:
Risk Category | High | Medium | Low
Priority | 1 | 3 | 3
Review Required | Quarterly | Every six months | Annually
The priority classification will determine the scope and extent of the internal audit plan to be completed.
4. Adequacy of Controls
As part of our risk analysis, we will document the controls in place in each of the areas above and consider the adequacy of these controls in addressing the risks. In order to ensure that these controls are being operated as outlined and are effective, it will be necessary to make enquiry about and perform walkthrough tests on the identified “risk areas” in line with our Internal Audit Plan as covered in the next section.
5. Internal Audit Plan
The detailed risk analysis exercise should be used to develop an Internal Audit Plan for the credit union as per Appendix 1. This is a rolling audit plan that covers all aspects of the credit union’s business.
Those areas deemed to be higher risk will be covered more frequently than areas deemed to be lower risk.
The risk analysis and internal audit plan need to be reviewed on a regular basis and updated accordingly.
6. Work Programmes
Work programmes should be prepared for the risk areas identified in Section 2:
A Review of Lending Activities
B Review of Transactions with Officers & Staff
C Cash Transactions
D Bank Reconciliations
E Share Balances
F Circularisation of Members
G Review of Investments
H Fixed Assets & Other Assets
I Review of Governance Measures
A: Lending – To be reviewed quarterly
Yes/No | Comments
Review of Lending Activities:
1 Has the board of directors adopted written loan policies and procedures in line with PRA Regulations?
2 Are complete minutes prepared of every credit committee meeting?
3 Are loan officer records incorporated in the credit committee minutes?
4 Are credit committee minutes totalled and ruled off (i.e. double underlined in red underneath the total line) in such a manner that prevents additions or alterations?
For a sample of new loans issued in the period:
1 Review evidence on file to ensure that appropriate pre-approval screening procedures have been carried out on the borrower in line with the credit union’s lending policy (an affordability assessment and obtaining a copy of bank statements, payslips etc. to confirm income).
2 Has the loan been approved at the correct level (loan officer/credit committee) in line with Lending Policy? Correct number of signatures to reflect approval on loan application?
3 Has the promissory note been signed by the member and witnessed? Details agreed to initial loan application form?
4 Do promissory note details agree to the loan amount entered on the member’s account on the system?
5 Was there appropriate segregation of duties between the staff/officer making the loan application, approving the loan and paying the loan out to the member?
6 Are members making full payments on both interest and principal in line with the terms of the promissory note?
7 Ensure that adequate bad debt provision is being made in line with CREDS requirements.
For a sample of existing loan balances:
1 Is interest being calculated properly?
2 Was the last interest rebate correctly calculated?
3 Is the Bad Debt Provision adequate and calculated in line with the requirements in CREDS?
4 Investigate any large or unusual transactions on the member’s accounts.
Rescheduled Loans: Obtain a report of all loans rescheduled in the period:
1 Has the rescheduled loan been entered into a ‘Register of Loan Amendments’?
2 Ensure that a new application form has been completed and that there is evidence of the member’s change in circumstances on file.
3 Has the application form been signed by the member and credit committee?
4 Has a new promissory note been issued and signed by both the member and a credit union official?
5 Has the original level of bad debt provision been maintained until it is evident that the loan is performing under the new lending terms?
B: Review of Transactions with Officers & Staff – To be reviewed quarterly
Yes/No | Comments
1 Does credit union maintain a register of officers and deemed related parties and their loan and share balances – obtain a copy of same?
2 For a sample of loans to officers, employees and their family members entered into in the period, ensure:
- Appropriate affordability assessments carried out;
- Has loan been approved at the correct level (loan officer/credit committee) in line with Lending Policy?
- Is loan application and promissory information appropriately signed and on file?
- Is member making full payments on both interest and principal in line with terms of promissory note?
- Have loans been advanced with appropriate segregation of duties at all stages?
- Ensure that loan terms and conditions are not more favourable than those offered to other credit union members.
3 For a sample of accounts with loan balances in arrears/default, has appropriate action been taken to recover the balance?
C: Cash Transactions – To be reviewed quarterly
Yes / No | Comments
General Review of Controls over cash
1 Is cash on hand counted and verified regularly?
2 Are the safe and float drawers locked at all times?
3 Is cash in the safe under dual control and are adequate safekeeping facilities provided?
4 Are cash floats established and replenished as decided by board policy?
5 Are cameras in place in credit union fully operational?
6 Does each employee have their own float for which they sign?
7 Do all transactions have appropriate receipts and payment vouchers?
8 Are pay-in-slips/collection sheets used when members pay in money?
9 As cheques are received, are they stamped “For Deposit Only to the account of XXX Credit Union”?
Daily Cash Transactions
1 Surprise Cash Count to be carried out by the Supervisory Committee of tills and safe. Count to be reconciled to records.
2 Select a sample of daily cash sheets from the period under review:
- Confirm accuracy of additions on cash sheet.
- Agree amounts entered to till reports;
- Are cash over/short items recorded accurately and are such items reviewed monthly by the board of directors?
- Trace cash receipts to entry in Cash Receipts book and to computer system.
- Who prepared bank lodgement – was it an individual who does not act as a teller?
- Trace lodgement to bank statement and ensure no undue delay in lodgement.
D: Bank Reconciliations – To be reviewed twice per annum
Yes / No | Comments
For last monthly bank reconciliations:
1 Check totals on reconciliations and supporting schedules.
2 Agree Bank account balance to bank statement.
3 Review list of outstanding payments and lodgements for large and unusual items.
4 Trace a sample of ___ cheques issued in week prior to period-end to bank statements prior to period-end or to list of outstanding cheques.
5 Trace outstanding cheques to subsequent entry in bank statements ensuring that these clear the bank after the end of period.
5 Trace a sample of lodgements in week prior to period-end to bank statements prior to period-end or to list of outstanding lodgements.
6 Trace outstanding lodgements to bank statements after period-end.
7 Enquire into any items un-presented for a significant period of time.
8 Agree reconciled bank balance to trial balance at period end date.
E: Share Balances – To be reviewed twice per annum
Yes / No | Comments
Obtain a list of share and loan balances at the period-end:
1 Review for any large/unusual balances which may not be compliant with Credit Union Policies on Share and Loan Balance.
2 For a sample of balances check that the interest/dividend paid has been correctly calculated.
3 For a sample of shares issued and deposits received:
- Trace amounts and details to paying in slip.
- Trace amounts and details to ledger.
4 For share/deposit withdrawals:
- Trace amounts and details to counter slip.
- Trace amounts and details to copy cheque if available.
- Trace amounts and details to ledger.
5 For a sample of accounts (including dormant accounts), vouch the years’ transactions from the statement to supporting documentation i.e. vouchers, paying in slips, cash book, minutes for dividend amounts, etc.
6 For a sample of new members in the period, verify the authenticity of membership by ensuring application has been approved by the directors by reference to board minutes and director’s signature on the application card. Ensure that appropriate identification documents have been obtained in order to confirm identity for money laundering purposes.
F: Circularisation of Member Balances – To be reviewed quarterly
Yes / No | Comments
1 Carry out circularisation of share and loan balances. Include dormant and delinquent accounts in your sample.
2 Ensure requests are properly addressed and contain return information for responses to be sent directly to the supervisory committee. Follow up non-replies with second or subsequent request.
3 Investigate and follow up any differences between responses and credit union records, or any responses highlighting issues, and record results.
4 Where there has been no response to a circularisation letter, perform alternative audit procedures. (For example, consider reviewing the documentation of the approval of the loan.) Document results accordingly.
G: Review of Investments – To be reviewed twice per annum
Yes / No | Comments
1 Obtain a list of investments at last month end. Confirm that investments are limited to those allowed by CREDS. The following types of investment are allowed:
(i) Deposits or loans to a UK domestic firm with Part IV permission to accept deposits;
(ii) Deposits or loans to an institution which is authorised in any other EEA State to accept deposits;
(iii) Sterling-denominated securities issued by the government of any EEA State;
(iv) Fixed-interest sterling-denominated securities guaranteed by the government of any EEA State, provided that any guarantee is unconditional in respect of the payment of both principal and interest on those securities.
2 Review and check that all investments have a maturity date of not more than 5 years from the date on which the investment is made.
3 Review reconciliations for each account and vouch to supporting documentation, ensuring that major transactions were properly authorised in line with the credit union’s investment policy, board minutes, investment sub-committee minutes.
4 Where investments are managed by an external investment manager, obtain an investment report from the investment manager directly.
5 Where the investments are not managed by an external investment manager, or where otherwise deemed necessary, check all or a sample of the valuation of investments by reference to an authoritative and independent source.
6 Investment Income: Ensure this is reflected in the accounts on an accruals basis. Check income for a sample of investments to ensure it is complete for the period.
H: Fixed Assets & Other Assets – To be reviewed annually
Yes / No | Comments
1 Obtain a copy of the Credit Union’s fixed asset register: Select a sample of fixed assets on register and physically verify that these are still held by the credit union. The sample should include additions in the period and older assets.
I: Review of Governance Measures – To be reviewed once per annum
Yes / No | Comments
1 Ensure that the credit union maintains a manual of its policies and procedures in line with CREDS 2.2.6 R covering the following areas:
- Cash handling and disbursements;
- Collection procedures;
- Lending, including large exposures
- Arrears management
- Provisioning
- Liquidity management
- Financial Risk Management
- Money Laundering Prevention
- Internal Audit
- Information technology
- Business Continuity
- Marketing
- Training
- Connected Persons and managing conflicts of interest
- Complaints Handling
- Single Customer View
2 Review Policies and Procedures Manual to ensure that these have been approved by Board of Directors and are reviewed at regular intervals (at least once per annum).
3 Review minutes of meetings of Board of Directors. Ensure that:
- meetings occur regularly (monthly)
- regular attendance by Board members
- minutes are suitably detailed
- agreed actions are circulated and followed up at next meeting
- Minutes are signed as approved by secretary
4 Ensure that the credit union is maintaining an up to date Business Plan. There should be evidence that this Business Plan has been reviewed and updated on a regular basis. The Business Plan needs to include key compliance ratios such as the capital and liquidity ratio. The Business Plan should maintain rolling financial projections. It is recommended that this covers a period of three years (current financial year plus two additional years).
7. Documenting and Reporting Findings
The supervisory committee will retain documentation of all work carried out. This will include:
- A one page summary (see Appendix ) summarising work done, results and conclusion;
- Explanation as to sample size and sampling methodology used where relevant; and
- Copies of all working papers to support work carried out.
- A suggested schedule is given below
Appendix
Internal Audit Report
Risk Area:
1 Risk Area:
Date of last Review:
2 Risk definition:
Existing controls in place:
Control tests carried out:
Sample size:
3 Summary of key findings:
4 Recommendations:
Review of previous recommendations
5 Overall conclusion:
6 Comments:
Carried out by:
Date:
Presented to the Board on:
Date:
Risk Area | What is the Risk | Controls in Place | Likelihood | Impact | Score | Priority | Review
Lending | Loans not issued in line with the CU policy | Procedures in place | 1 | 1 | 2 | High | quarterly
Loans to officers | Loans may be on more favourable terms | Done by a special comm. | 1 | 2 | 3 | High | quarterly
Cash Verification | Misappropriation of cash | Cash reconciliation done daily | 1 | 1 | 2 | High | quarterly
Verification of loan & share balance | Unusual transactions | Checked by supervisors | 2 | 2 | 4 | Med | Twice per year
Bank reconciliation | Error or fraud of member accounts | Checked by supervisors | 1 | 2 | 3 | High | quarterly
Share transactions | Not authorized by member | Username of all transactions recorded | 1 | 3 | 4 | Med | Twice per year
Verification of bank & investments balance | Misappropriation of funds | Checked by supervisors | 3 | 1 | 4 | Med | Twice per year
Dormant accounts | Un-authorized access | Only the Manager can re-activate dormant accounts | 2 | 3 | 5 | Low | annually
Policies & procedures | Not in line with PRA guidelines | Policies & procedures reviewed regularly | 3 | 3 | 6 | Low | annually
Assets (fixed & others) | Misappropriation | Checked by supervisors | 3 | 2 | 5 | Low | annually
Minutes & reports | Inappropriate governance in place | Checked by supervisors | 3 | 3 | 6 | Low | annually
Review schedule columns (months): J F M A M J J A S O N D