A Performance Audit
An Audit Report on the Credit Union Department: A Self-directed, Semi-independent Agency
December 2016
Summary Analysis
The Credit Union Department (Department) accurately calculated, properly collected, and properly reduced/waived credit union operating fees in compliance with Department requirements, policies, and procedures. It also had a reasonable budget process to ensure that revenue (consisting primarily of operating fees) adequately covered its operational costs. However, the Department should improve controls over waiving late payment penalties.
The Department also should strengthen controls over its reporting processes. It did not have a formal process or documented policies and procedures for the preparation and review of the reports audited. The Department’s fiscal year 2015 Annual Financial Report contained significant financial errors, and one of those errors was carried to the Department’s 2015 Report of Nonfinancial Data. The Department also incorrectly reported assets into the State Property Accounting system, which contributed to the errors in its 2015 Annual Financial Report. The Department should address the identified weaknesses in its accounts payable and inventory processes, which contributed to the Department’s reporting errors.
In addition, while the Department’s 2014 Biennial Self-directed, Semi-independent (SDSI) Report complied with Texas Finance Code requirements and was accurate, its 2015 Annual SDSI Report included incorrect financial information.
The Department accurately calculated all three performance measures tested; however, it should improve certain controls to ensure that it continues to accurately calculate the performance measures audited.
The Department should strengthen controls over internal and contracted information technology operations.
The Credit Union Department (Department) had an adequate process for setting fees that was based on its budgetary needs.
The Department also had processes for adjusting operating fees for all credit unions to ensure that its revenue, which consists primarily of those fees, adequately covered its operational costs.
In calculating and billing operating fees for each credit union, the Department complied with 7 TAC 97.113. The Department also complied with its policies and procedures for the collection of operating fees for fiscal years 2015 and 2016.
However, the Department should improve its controls over waiving late payment fees.
The Department did not have an adequate process or documented policies and procedures for preparing and reviewing its reports. As a result, the Department’s fiscal year 2015 Annual Financial Report; 2015 Annual Self-directed, Semi-independent (SDSI) Report; and 2015 Report of Nonfinancial Data contained errors. However, the Department’s required 2014 Biennial SDSI Report complied with Texas Finance Code requirements and was accurate.
Additionally, the Department incorrectly reported assets in the State Property Accounting (SPA) system, and it had weaknesses in its year-end accounts payable and inventory processes. Those issues contributed to the reporting errors discussed above.
The Department accurately calculated all three performance measures that auditors selected for testing: (1) Percentage of Credit Unions Receiving Regular Examination Annually, (2) Percentage of Reports to Credit Unions Within 20 Days, and (3) Percentage of Complaints Investigated and Responded to Within 30 Days of Receipt.
The Department implemented high-level security policies stating that access to state information resources shall be appropriately managed. Those policies referenced the requirements in Title 1, Texas Administrative Code, Chapter 202, and Texas Government Code, Section 2054.134. However, auditors identified the following areas in which the Department should strengthen its information technology controls:
• The Department did not have detailed documented and approved policies and procedures governing its information technology operations in the areas of (1) assigning administrative access, (2) patching servers, (3) configuring hardware and software, and (4) using firewall hardware and software.
• The Department did not limit access to update data in ACT! based on each user’s job duties. Two users without a business need to update data in ACT! had update access to that application.
• The Department did not provide security requirements to its information technology vendor before it contracted with that vendor to manage the Department’s information technology resources.
• The Department did not monitor the activities of its information technology vendor, which operates portions of the Department’s technology environment.