IRR program, info security reports released by NCUA OIG

November 24, 2015

ALEXANDRIA, Va. (11/24/15)--Two reports released by the National Credit Union Administration’s Office of the Inspector General (OIG) this month feature reviews of the agency’s interest-rate risk (IRR) program and its information security program.

The IRR report (OIG-15-11) is a self-initiated audit to determine whether the NCUA’s policy helps to effectively reduce IRR, and what actions have and will be taken to address credit unions with IRR concerns.

The OIG found that NCUA regional staff plays an important role in identifying credit unions with elevated IRR, and NCUA examiners use multiple methods to evaluate IRR.

It also found that the agency may not be effectively capturing IRR when assigning a composite CAMEL rating to a credit union.

“NCUA currently assesses sensitivity to market risk under the ‘L’ in its CAMEL rating,” the report reads. “However, combining sensitivity to market risk with liquidity may understate or obscure instances of high IRR exposure in a credit union.”

The information security report (OIG-15-10) was done to independently evaluate the agency’s information security effectiveness regarding practices required by the Federal Information Security Modernization Act. The review was done by CliftonLarsonAllen LLP.

The evaluations found that the NCUA needs to continue to make improvements in its privacy management program, and identified three areas in which the agency needs to make improvements.

The OIG made six recommendations, three of which are completely or partly redacted in the published report:

  • That NCUA complete the process of assessing, documenting and communicating the organization-wide risk tolerance guide;
  • That the senior agency official for privacy complete documentation and implementation of privacy policies and procedures in accordance with National Institute of Standards and Technology (NIST) guidance;
  • That the Office of the Chief Information Officer update the agency’s general support security plan to include control implementation descriptions for NIST privacy controls.