OCTFCU Finds Benefit In New Law Aimed At Publicly-Traded Firms
Although it is aimed at corporations that have registered equity or debt securities with the U.S. Securities and Exchange Commission, one credit union is reporting it has benefitted enormously from reviewing its own operation in light of the Sarbanes-Oxley Act.
Sarbanes-Oxley (Sarbox) was passed to curb the kind of corporate financial data reporting abuse seen in the Enron and WorldCom scandals, and wasn't related to credit unions.
But Orange County Teachers FCU has used the regulation as "an amazing tool to look back at our control structure and therefore to make our membership safer," according to Jeff Malloch, manager of internal auditing at the $4.5-billion CU.
Furthermore, CUs may feel obliged to double-check on internal controls after reading the NCUA's Letter No. 03-FCU-07, Guidance on Selected Provisions of the Sarbanes-Oxley Act of 2002 for Federal Credit Unions, Malloch said.
The state's second-largest CU made the decision to measure its internal controls against Sarbox provisions in 2002, said Malloch. OCTFCU used a self-assessment tool with a Microsoft Word document interface, which laid out each section of what is often referred to as "Sarbox."
In the end, Sarbox acted as confirmation that the 300,000-member CU "is a very competent shop," Malloch said.
Certainly, technology has enabled OCTFCU to maintain its control structure, and therefore meet Sarbox standards, especially Sections 302: Certification of Financial Reports; 404: Certification of Internal Controls; and 409: Material Event Reporting.
Section 404 of Sarbanes-Oxley is of particular concern for IT departments. Senior management must sign affidavits as to adequate internal control over financial reporting, much of which is integral to IT systems.
"Technology is used to document and test our internal controls," explained Cindy Stout, senior vice president of lending at OCTFCU. "Technology helps us demonstrate to management that our internal controls are sufficient."
But the technology price tag has been negligible, according to Stout.
OCTFCU was able to document, test and demonstrate internal controls without overhauling manual processes or investing in new compliance automation, she said.
"Did Sarbox mean we had to spend $100,000 on technology or hire 10 more bodies?" asked Malloch. "No."
OCTFCU's approach may not enthrall compliance vendors, many of whom were looking to Sarbanes-Oxley as a fresh marketing wave.
In fact, TowerGroup recently wrote that financial institutions should expect to spend less than 10% of their Sarbox compliance budget on technology.
"Off-the-shelf compliance products don't meet our business needs," Malloch continued. "Why should I go and buy a product that just tells me to pay attention to the technology I already have in place?"
Instead, Sarbox should be encouragement for credit unions to take a closer look at how their existing technologies mitigate risk and increase operational efficiencies.
Credit unions may already have automation that absolves one person from performing the conflicting jobs of purchasing and receiving, for instance.
Under the NCUA's interpretation, the Sarbanes-Oxley Act of 2002 requires independent auditors; audit review committees; and enhanced financial disclosures, among other provisions.
Sarbox substantiates OCTFCU's commitment to taking "personal responsibility" for financial disclosures, Malloch added.