Industry
Credit unions.
NCUA-examined, member-owned. Distinct governance, capital, and BSA expectations.
Credit unions are not banks, but their examiners read the same playbook. The NCUA's National Supervision Policy Manual covers ALM, credit risk, BSA, IT, and consumer compliance with expectations that map closely to the FDIC's. The differences sit in the governance — a volunteer board, member-elected directors, and a supervisory committee that operates with a specific NCUA-defined role — and in capital, where the regulatory framework is its own.
Our practice for credit unions is built around the supervisory committee — the NCUA's required member-elected committee that oversees the credit union's audit function. We support the supervisory committee directly, run the internal audit work the committee is responsible for, and partner on examination preparation across BSA, IT, and consumer compliance.
Member-ownership changes the conversation. The findings get presented to a board that is not a typical board. The vocabulary, the patience for jargon, and the appetite for risk look different. We calibrate for it.
| Regulator | Authority |
|---|---|
| NCUA | Federal & federally-insured state CUs |
| State CU dept. | State-chartered credit unions |
| FinCEN | BSA / AML — SAR / CTR filings |
| Risk-Based Capital | RBC ratio for complex CUs |
| CFPB | Over $10B in assets |
| ACET | NCUA's IT examination framework |
- Internal audit — Outsourced or co-sourced to the supervisory committee — partner-led, NCUA-aligned.
- IT audit — ACET-aligned IT controls testing for credit unions of every asset profile.
- AML & sanctions — BSA program reviews, with attention to the typologies most relevant to member-facing CUs.
- Board reporting — Reporting calibrated for a volunteer board and a supervisory committee.
The supervisory committee of a $3.2B federal credit union engaged us as outsourced internal audit after the new CEO's first 90 days. The prior arrangement had been a local CPA firm doing a once-a-year visit. The committee wanted year-round coverage, NCUA-aligned scope, and findings the board would act on. Andres led; the engagement has now run two cycles.
What the audit committee saw
- Finding 01 Year-one risk assessment refactored; audit plan rebalanced from compliance-heavy to risk-driven.
- Finding 02 Two MRAs from the prior examination cycle remediated and re-tested.
- Finding 03 Committee briefings shortened from 90 minutes to 35; action tracking moved into the credit union's GRC tool.