THE AUDIT OF CREDIT UNIONS IN THE
UNITED KINGDOM
This helpsheet is designed to assist firms in the audit of credit
unions in Scotland, England and Wales.
While these audits are often small, there is always a public interest
element to them. This, combined with the specialist requirements
that must be met, can increase the risks to auditors when carrying
out the audit of a credit union. The ICAS Audit Monitoring (ICAS AM)
team regularly review credit union audits to ensure that the specialist
aspects have been properly addressed and often find that these are not
approached in a consistent manner. This helpsheet aims to assist firms
in the consideration of particular areas of interest, including developing
an understanding of credit union related risks; compliance with laws and
regulations; appropriately tailored engagement letters; and audit reports.
What is a Credit Union?
A Credit Union is a democratic financial cooperative owned and controlled
by its own members. All Credit Union members have something in
common (the common bond) and every member has an equal vote in
the running of the Credit Union. Credit Unions are non-profit making
financial co-operatives run entirely by the people for the people. They
offer a convenient savings and low interest loans service. Members save
by investing in the credit union’s shares and it is an effective way of
creating a pool of available money in a particular locality.
For credit unions with their registered office in England and Scotland
their name must always include the words ‘Credit Union’ and have
‘Limited’ as the last word. Credit Unions in Wales may use ‘undeb
credyd’ and ‘cyfyngedig’ instead.
The common bond between members of a credit union must be one the
following. Members must:
• follow a particular occupation; or
• be employed by a particular employer; or
• be resident or employed in a particular locality; or
• be a member of an organisation or society which has been formed for
the purposes other than that of registration of a credit union; or
• have any other common bond approved by the regulators.
A credit union must base the membership qualification in its registered
rules on one of the common bonds listed above.
Details of the regulatory framework relating to the audit of a credit
union, including when a credit union may be subject to an audit can
be found at Appendix 1.
How to develop an effective approach to the audit of credit
unions
Whilst credit union audit clients may be considered small in comparison
to other clients, it is crucial that not only is sufficient time and resource
applied to their audits, but that they are approached with the same rigour
and professional scepticism as other audits.
There are some factors that firms should consider in developing
an effective audit approach to the audit of their credit union clients,
including:
Audit Procedures
Firms have choices regarding specialist audits – either purchase a
specialist set of audit programmes or tailor purchased or internally
developed standard company programmes.
In the experience of ICAS AM, firms using specialist programmes
tend to have a greater level of compliance, as the other options
require firms to dedicate significant time and resource to ensuring a
tailored set of programmes remain up to date.
Whatever option is taken, it is important that these procedures are fully
applied to all relevant audit clients, as specialist aspects apply regardless
of the size of the entity.
Disclosure checklists
There are a considerable number of specific disclosures required in the
accounts of a credit union, and given the additional legislative references
and accounting policies required it is recommended that firms utilise a
relevant disclosure checklist.
In the experience of ICAS AM, accounts where no such checklist
has been used tend to result in more areas of non-compliance.
Training
Given the nature of the specialist aspects in the audit of credit unions, it is
important that Responsible Individuals (RIs) who have credit union audit
clients remain up to date in this area.
It is crucial that RIs remain up to date with changes in legislation or
regulations affecting their clients and this should be demonstrated in
their training records.
Firms are reminded that International Education Standard 8 (IES8)
requires that engagement partners ensure that necessary specialist
knowledge is obtained and maintained. Attendance at a credit union audit
course is still one of the most effective ways of maintaining specialist
audit competence, however there are other available options, including
webinars and other on-line training solutions.
What are the common areas of non-compliance to look out
for in credit union audits?
There are a number of areas that ICAS AM would advise credit union
audit teams to keep in mind when conducting such audits. The following
are those most commonly identified on monitoring visits:
Agreement of client engagement terms
Signed engagement letters should be received prior to the
commencement of the audit engagement, and the following should be
considered when addressing this ISA 210 requirement:
• the letter should refer to the most up to date legislation;
• the letter should refer to the responsibility of directors to comply with
legislation and PRA Handbook;
• the letter should refer to the requirement to co-operate with the
auditor;
• given the board of directors are unlikely to be financial experts, it
may be appropriate for the engagement letter to specify the role and
responsibilities of the directors;
• the letter should refer to the most recent auditing standards, being the
International Standards (ISAs) (UK and Ireland); and
• the letter should also refer to reporting responsibilities to the Financial
Conduct Authority (FCA), including the duty and right of auditors to
report to the FCA as regulators.
Credit Union specific laws and regulations
ISA 250A requires auditors to identify, and consider the impact of, key
laws and regulations relevant to an audit client. In the audit of credit
unions firms should:
• Identify and consider the impact of all up to date and relevant
legislation in relation to the credit union, including, where relevant:
-The Credit Unions Act 1979;
-The Industrial & Provident Societies Act 1965;
-The Legislative Reform (Industrial & Provident Societies and Credit
Unions) Order 2011;
-The Friendly and Industrial and Provident Societies Act 1968
(FIPSA)
-The Companies Act 2006; and
-The Money Laundering Regulations 2007.
• Review and consider the requirements of the PRA rules (CREDS).
Credit unions have custody of valuable and fungible assets including money.
As a result fraud is an inherent risk of undertaking credit union business.
Frauds relating to most types of transactions can be facilitated by identity
theft and so ‘know your customer’ procedures are an important component
of the procedures taken by credit unions to mitigate the risk of fraud.
The above laws and regulations, and any others relevant to the
credit union, should be identified and considered in the risk
assessment process at the planning stage of the audit.
At the fieldwork and completion stages the auditor should then
consider whether the credit union is in compliance with these, and
identify the impact of any instances of non-compliance.
Some of the audit procedures that ICAS AM would expect to see on a
credit union audit file would include, but are not limited to a review of:
• expenditure compliance against authorisation requirements;
• the entity’s procedures for compliance with the regulations;
• the procedures for communication of regulatory requirements to staff;
• any correspondence with the regulator;
• any compliance reports prepared; and
• the minutes of director / committee meetings.
In addition to the above, firms are reminded that there is a duty to report
matters of ‘material significance’ to the FCA (previously the FSA), and
further guidance on this duty is included in Practice Note 27.
Understanding the credit union and its risks
Obtaining an understanding of an audit client is the key requirement of
ISA 315. Practice Note 27 provides guidance on this, and listed below
are some of the areas that should be considered. Firms are advised to
utilise Practice Note 27, and this list, to ensure sufficient understanding is
obtained of:
• the audit and accounts requirements;
• the ownership and governance structure;
• the credit union’s rules and founding document;
• the legal and operational structure;
• the main areas of expenditure;
• the legal impact of recent legislation, government initiatives and
changes to CREDS;
• investments held;
• the competence and experience of management;
• the reporting and compliance responsibilities;
• the assessment of controls over key risks;
• the accounting systems and controls;
• risk assessments at the assertion level; and
• the audit response to risks.
Specific risk areas the auditor may need to address include:
• The risk that arises from the possibility that a credit union has
insufficient liquid funds to meet the demands of members. Particular
attention must be given to the nature of investments acquired by the
credit union;
• The risk of failure to comply with the regulator’s rules regarding
investments;
• The risk of loss, arising from inadequate or failed internal processes,
people and systems or from external events; and
• The risk of public censure, fines (together with related compensation
payments) and restriction or withdrawal of authorisation to conduct
some or all of the credit union’s activities. This could arise from
enforcement activity by the regulators.
Requirements of auditors in relation to control systems
Legislation also requires the auditor of a credit union to state in the
auditor’s report on the financial statements if the credit union has
failed to maintain a satisfactory system of internal control (Practice
note 27, para 108). Accordingly this should be considered as part
of the audit planning process and the appropriate work planned and
documented to allow the auditor to conclude in this area.
Guidance on the auditors’ consideration of internal control (including
accounting systems) is provided in ISA 315. Examples of weaknesses
in control that could give rise to fraud risk factors are also set out.
Some of the most effective planning that ICAS AM sees is where a
detailed audit planning memorandum has been prepared. Such a
document helps to ensure all the key areas are covered and provides
useful, informative, commentary on the audit approach and significant
risks identified. If an audit team decides to prepare such a document, it
is important to ensure that this has not merely been carried forward from
the previous year, but that additional thought and consideration is given in
the current year.
Communication with the client and consideration of fraud risks
The requirements in ISA 240 and ISA 260 are the same as those in the
audit of trading companies. However, it can sometimes be more difficult
to undertake direct communication with the directors / supervisory
committee. As a result, ICAS AM often see that there has been
communication with those charged with the day to day running of the
credit union, but not necessarily with the committee or those charged
with governance. Firms are advised to ensure that adequate planning
is carried out to meet the requirements and that there is evidence
of communication with those charged with governance, including
discussions on fraud risks and controls.
Obtaining and documenting audit evidence
In the development of a credit union audit plan all relevant financial
statements assertions and risks require to be addressed, including:
• the completeness of all sources of income;
• bank confirmation letters;
• the audit of expenditure, including authorisation;
• the completeness and cut-off of creditors;
• the existence and recoverability of members loans;
• the valuation of investments;
• the valuation of assets and title to property; and
• the audit of payroll costs.
There are also a number of specific areas to be addressed with regard to
the credit unions compliance with PRA rules / CREDS in relation to:
• Investments;
• Liquidity requirements;
• Capital requirements;
• Shareholding levels;
• Lending to members; and
• Provision for bad debts.
Implementation of the Legislative Reform (Industrial & Provident
Societies and Credit Unions) Order 2011 has resulted in a number
of rule changes from 8 January 2012. These changes have affected
thresholds and minimum requirements in the areas noted – further
guidance is available on the PRA website here.
The importance of recording audit evidence properly cannot be stressed
enough. Firms can help themselves by using a standard format for their
working papers, which encourages staff to record why they have carried
out a particular audit test, what work they have actually performed, the
results achieved and conclusions drawn.
ISA 230 specifically states that:
‘The auditor should prepare the audit documentation so as to enable
an experienced auditor, having no previous connection with the
audit, to understand:
(a)The nature, timing, and extent of the audit procedures
performed to comply with ISAs (UK and Ireland) and applicable
legal and regulatory requirements;
(b)The results of the audit procedures and the audit evidence
obtained; and
(c)Significant matters arising during the audit and the conclusions
reached thereon.’
Consideration of service organisations and reliance on an expert
Credit unions will often use service organisations such as accountancy
firms, IT administrators, internal auditors and investment managers. ISA
402 is clear that there should be consideration of the controls within
the service organisation, the terms of the arrangement with the credit
union, the supervision and control by the directors / committee, and the
consideration of the impact of this on audit risk.
Similarly, it is common for auditors of credit union audit clients to require
the involvement of experts, or to rely on the work of a management
expert. These can commonly be in relation to investment and property
valuations. ISA 500 and ISA 620 state there should be documented
consideration of the experts’ professional competence, qualifications,
experience or objectivity. Further, firms are required to document
whether they consider the scope of the expert’s work to be adequate; or
how they have evaluated the appropriateness of the expert’s work. Audit firms must ensure that these areas are considered at the planning
stage and that any experts or service organisation are identified at this
time. It is not sufficient to identify them during the course of the audit,
as comprehensive planning should identify that experts will need to be
involved and demonstrate the impact on the firm’s assessment of risk
and planned work.
Consideration of related parties
The principles and procedures set out in ISA 550 apply to the audit of
credit unions as for other undertakings. Related party transactions likely
to arise include shares held by and/or loans to directors or members of
the supervisory committee of the credit union.
The auditor should enquire as to the procedures required under the rules
of the individual credit union governing the authorisation, recording and
monitoring of any related party transactions. The auditor should then
assess the operation of those procedures during the financial year and
consider whether appropriate disclosure has been made in the financial
statements.
Consideration of going concern
In reviewing the going the concern status of a credit union, the auditor
should consider the following areas in addition to those set out in ISA)
570:
• capital adequacy ratios – including a review of management’s
analysis and rationale for ensuring that the credit union is capable of
maintaining adequate financial resources in excess of the minimum
requirement;
• liquidity indicators – including a review of the credit union’s liquidity
management process for signs of undue deterioration;
• review of correspondence with regulators.
Further details of possible factors that may indicate going concern issues
in these areas are set out in Appendix 4 to Practice Note 27.
Management representation letters
The key factor to address here is to obtain a signed letter of
representation before the audit report is signed.
In addition, written representations should not be relied upon where
substantive evidence should have been available.
In addition to the examples of other representations given in ISA (UK and
Ireland) 580, the auditor also considers obtaining confirmation:
• as to the adequacy of provisions for loan impairment (including
provisions relating to individual loans if material) and the
appropriateness of other accounting estimates (such as investment
valuations or adequate provisions for liabilities);
• that all contingent transactions or commitments have been adequately
disclosed and/or included in the balance sheet as appropriate; and
• that all correspondence with regulators has been made available to the
auditor.
What are the common disclosure issues in credit union
accounts?
There are some common matters identified on monitoring visits:
• Accounting policies should be relevant to the credit union. The main
issues identified relate to the income policy not covering all types of
income, no policy on member’s loans or related interest, no policy on
the provision of bad debts, and a lack of policies disclosed around the
funds of the credit union.
• The notes to the accounts should include disclosure of committee
remuneration and expenses (including nil statements), disclosure of
member shares, disclosure of transfers to general reserves in the
year, adequate disclosure of related party transactions, and disclosure
of auditor remuneration.
Other matters to consider when a firm audits a credit
union
When a firm has credit union audit clients ICAS AM would also advise
that the following areas, (all of which are include in their reviews when
conducting a monitoring visit) are considered:
The auditor’s report on a credit union
The auditor’s report should refer to the most relevant and up to date
legislation, as outlined in the laws and regulations considerations above,
and should refer to the most up to date auditing standards, being the
current ISAs.
ICAS AM would also advise firms to refer to the APB Bulletin 2010/2
‘Compendium of Illustrative Auditor’s Reports on United Kingdom Private
Sector Financial Statements for periods ended on or after 15 December
2010 (Revised)’. This Bulletin, at Appendix 25 contains an example audit
report for use in the audit of credit unions in Great Britain. A copy of the
bulletin can be accessed here
Firm’s annual return (FAR)
The firm should ensure that the audit client list on the FAR correctly
reflects the total number of credit union audits conducted by the firm.
The audit compliance review (ACR)
When selecting files for cold file review, as part of the ACR, firms are
advised to include credit union audits as a representative sample of audit
work conducted.
Additional assistance from ICAS and useful references:
• Members with any query in relation to the information found in this
helpsheet can contact Audit Monitoring by telephone on 0131 347
0284.
• T
he ICAS Practice Review Service provides support to registered
auditor firms. It offers a variety of services on all aspects of audit
regulation, which can be tailored to meet the needs of your firm, and
provides standard audit programmes that may be useful for your firm.
For more information on any of these services, contact Linda Laurie
on 0131 347 0249 or email [email protected].
• T
he Audit Monitoring team, on an annual basis, publish an Annual
Report detailing key findings from the visits carried out during the
year. Around 50 firms are visited each year and this provides a useful
summary of the most common weaknesses on audit files, including
those of specialist entities. A copy of the 2012 Annual Report can be
downloaded here
• T
he APB Practice Note 27, and the Bulletin 2010/2, referred to in this
helpsheet can be accessed at the FRC website
• T
he Accounting and Auditing team are happy to receive queries on
these and many other issues. Members should submit their queries
via e-mail to: [email protected]
• F
urther helpsheets on other specialist audits have also been prepared
and these can be accessed here
LINKS
More information on the Prudential Regulation Authority can be found on
the Bank of England website at: www.bankofengland.co.uk
More information on the Financial Conduct Authority can be found on
their website at: www.fca.org.uk
Audit News can be accessed here
The APB Practice Note 27, and the Bulletin 2010/2 can be accessed at:
www.frc.org.uk
Further helpsheets on other specialist audits can be accessed at:
http://icas.org.uk/regulation/news/helpsheets/
APPENDIX 1
The regulatory framework relating to the audit of a credit
union
Key legislation relevant to credit unions is detailed in the laws and
regulations section below, however the following are the key matters that
auditors should consider when undertaking such an audit:
A credit union is a body corporate registered under the Industrial and
Provident Societies Act 1965 in accordance with the Credit Unions Act
1979. The Credit Unions Act 1979 sets out the objects of a credit union:
• the promotion of thrift among the members of the society by the
accumulation of their savings;
• the creation of sources of credit for the benefit of the members of
the society at a fair and reasonable rate of interest;
• the use and control of the members’ savings for their mutual
benefit; and
• the training and education of the members in the wise use of money
and in the management of their financial affairs.
A new regulatory framework came into force on 1 April 2013, when the
Financial Services Authority (FSA) ceased to exist and the Credit Unions
Supervision Team became part of the Prudential Regulation Authority
(PRA). The PRA is a part of the Bank of England.
There have been no changes to the core legislation or reporting
requirements as a result of the change, however, Credit Unions are
now authorised by the Prudential Regulation Authority and regulated
by the Financial Conduct Authority (FCA) and the Prudential Regulation
Authority (PRA). The performance of each credit union is monitored by
the PRA and staff and volunteers involved in the running of the credit
union must be approved by the PRA.
The PRA’s approach to supervision
The PRA takes a risk-based approach to supervision, using a combination
of tools including:
• desk-based reviews;
• liaison with other agencies or regulators;
• meetings with management and other representatives of a credit
union;
• on-site inspections;
• reviews and analysis of periodic returns and notifications; and
• reviews of past business.
The PRA also has the power to:
• make recommendations for preventative or remedial action;
• set individual requirements;
• give individual guidance to a credit union;
• vary a credit union’s permission (i.e. the range of activities it is
authorised to conduct); ;
• require the provision of information;
• to require reports from skilled persons;
• to appoint investigators; and
• to apply for a warrant to enter premises.
Regulatory requirements
The following guidance has been taken from: PRA Credit Union
Sourcebook (“CRED”). Every credit union is either a version 1 credit union
or a version 2 credit union. The difference is that a version 1 credit union
is subject to stricter requirements for lending, borrowing and so on. Most
smaller credit unions will be version 2 however this can be verified by
reference to the Financial Services Register maintained by the Financial
Conduct Authority.
The following are the main areas where regulatory requirements are
imposed by the CRED:
• Members;
• Directors;
• Investments;
• Borrowing by credit union;
• Capital requirements;
• Liquidity requirements;
• Shareholding and dividend requirements;
• Deposits;
• Insurance against fraud or other dishonesty; and
• Returns and reporting (including proper and accurate completion of
FSA returns on time and lodging of accounts within 7 months)
From 8 January 2012, the Legislative Reform (Industrial & Provident
Societies and Credit Unions) Order 2011 has made significant changes
to the scope of activities that credit unions in Great Britain can carry out.
As a result, the CRED rules were updated, and there are a number of
important changes and transitional arrangements to existing rules on:
• Members;
• Initial capital;
• Capital requirements;
• Liquidity requirements;
• Bad debt provisions;
• Shareholding limits.
It is crucial that audit firms remain up to date with changes in
legislation or regulations affecting their clients and this should be
demonstrated in their training records.
When is a credit union required to be subject to an audit?
Under CRED s8.2.3, every credit union must send to the PRA copy of its
audited accounts published in accordance with section 3A of the Friendly
and Industrial and Provident Societies Act 1968 (FIPSA).
Section 4 of FIPSA also provides that a credit union is to appoint a
qualified auditor or auditors to audit the accounts unless:
• the aggregate of the receipts and payments in respect of the
preceding year of account did not exceed £5,000;
• the number of members at the end of the preceding year did not
exceed 500;
• the aggregate value of assets at the end of that year did not exceed
£5,000; and
• If all these conditions apply the credit union may appoint two or
more “lay auditors” subject to any direction given by the PRA.
Auditors are bound by the duties imposed by the Act. This requires
them, in preparing their audit report to members, to carry out such
investigations as will enable them to form an opinion on:
(a)whether the credit union has kept proper books of account in
accordance with the requirements of section 1(1)(a) of FIPSA;
(b)whether the credit union has maintained a satisfactory system of
control over its transactions in accordance with the requirements
of section 1(1)(b) of FIPSA;
(c)whether the revenue account or the other accounts (if any) to
which the report relates and the balance sheet are in agreement
with the books of account of the credit union; and
(d)If the auditors are of the opinion that the credit union has failed to
comply with any of the requirements of (a) to (c) above then they
must state that fact in their report.
APB Practice Note 27 (revised) ‘The audit of credit unions in the
UK’
The Practice Note gives guidance on the application of ISAs to the audit
of credit unions in the UK. It will be referred to throughout this helpsheet
and firms are advised to ensure that they are familiar with this prior to
undertaking any credit union audits. A copy of the Practice Note can be
accessed here.
CA House 21 Haymarket Yards Edinburgh EH12 5BH
[email protected] +44 (0)131 347 0284 icas.org.uk