CUs Mine Sarbanes-Oxley For Best Practices
If credit unions legally don't have to comply with the Sarbanes-Oxley Act, why was it standing room only at the session on SOX compliance at NAFCU's annual meeting?
"If you're here in Vegas on a Thursday afternoon to learn about Sarbanes Oxley, you need to get a life," joked Tom Glatt, EVP of Portland Teachers CU, who made the SOX presentation. "Why is this so important? Just look at Enron, WorldCom and all the rest, and inevitably there's an accounting problem behind what happened, and it was an accounting problem that slipped by because boards weren't doing their jobs."
So, while compliance with SOX is voluntary for credit unions, ensuring that their boards perform all of their due diligence and fulfill their duties isn't, he explained, and that's why CUs should be interested in SOX.
Still not convinced? Then consider the level of interest that has been shown by NCUA, Glatt suggested.
As the agency moves towards risk-based exams, one of the "risks" examiners will look at is reputation risk, and that can become a SOX issue.
A Tale Of Two Daughters
"My two daughters, who are here in this room right now, are a perfect example," he related. "I have one daughter who did all the right things because they're the right things to do. I have another daughter, and she knows who she is, who didn't.
"If the daughter who did all the right things because they're the right things to do came to me and asked if she could go see an X-rated movie, I'd have let her do it, because I would assume it was for a Bible study class," he continued. "I wouldn't let the other daughter go see so much as 'The Lion King.' We get points for doing the right things because they are the right things to do."
And if that's not enough, consider the greater public scrutiny in this area and the higher expectations that boards act responsibly. Moreover, the average CU member is unlikely to realize that credit unions aren't required to comply with SOX, which raises their expectations as well.
And there's always a value to prophylactic compliance, Glatt noted, pointing at the Community Reinvestment Act as another example of "regulation that we aren't saddled with" currently, but proving that credit unions are already fulfilling CRA requirements is one of the best ways to keep it that way.
"In 2004, the NCUA granted 96 underserved areas to credit unions," Glatt related. "We have to be very careful that we don't fall into the trap of being willing to take deposits from those areas but then not make any loans there. We don't have to comply with CRA, but we have people's money, we have people's lives in our hands. We make people's dreams come true, so we need to do this."
There are three categories of corporate responsibilities under SOX: auditing/accounting responsibilities, corporate governance responsibilities and financial disclosures.
In some ways, many credit unions may already be engaged in "backdoor compliance": they are audited by a CPA, and CPAs must comply with SOX, Glatt explained.
In addition to hiring an independent outside auditor, SOX requires the maintenance of an arm's length relationship with that auditor, by requiring rotation of audit partners.
Moreover, if the credit union hires someone away from the audit firm, that firm cannot be hired as the independent auditor for at least one year.
It is incumbent upon the audit committee or the supervisory committee to hire an outside auditor and to oversee the credit union's audit.
SOX would require that these committees have at least one person with financial expertise.
SOX also calls for a prohibition on loans to directors and officers.
The CU version of this calls for any loan greater than $50,000 to go before the entire board for approval.
After the paper-shredding extravaganza at Enron, SOX has provisions for the protection of corporate records, requiring accounting firms to hold those documents for seven years.
There are also protections for whistleblowers, establishing procedures for processing employee inquiries on accounting, internal control and auditing.
Under SOX, financial reports must be reviewed and certified by the CEO and CFO personally.
Required financial disclosures include:
* material corrections
* material relationships and off-balance sheet transactions
* internal control procedures
* financial code of ethics
* audit committee financial expertise
While CUs aren't required to comply with SOX, they can use it as a set of guidelines.
For example, credit unions should make sure that their supervisory committee is truly independent by allowing only one member of the committee to also be a board member, and by requiring that this board member not be the board chairman.
And one member should be a financial expert.
"At the end of the day, what you're doing is making sure that no one person is in a position to make an error and cover it up and have a theft and cover it," Glatt advised. "There should be no one person who can approve a loan, book a loan, fund a loan, collect a loan and write it off."
Credit unions should consider having a written financial code of ethics and having everyone at the credit union sign it every year.
"People change; circumstances change," Glatt noted. "Someone who never would have stolen from you before could be in a situation where now they are tempted."
Other Areas Credit Unions Can Work On
Other areas credit unions can work on:
* In addition to the 5300 call report, monthly disclosures of income statement and balance sheet should be certified by the CEO and CFO;
* Train front-line staff to be able to answer questions like "Is my money safe here?" This is particularly important in times of earnings crunch;
* Evaluate the credit union by-laws periodically;
* Assess corporate practices and standards, including records management, access and disclosure of CU records, board access to senior management, member access to management and board, supervisory committee access and responsibilities.
* "Credit union boards set policy, management teams implement procedures," Glatt offered. "There should be an annual sign-off on our policies."