How internal auditors in credit unions can communicate effectively with the board

You've prepared a thorough audit report, identified significant risks and spent weeks documenting your findings. But when you present to the board, you're met with glazed eyes, interruptions about operational minutiae and a general sense that your message isn't landing. Sound familiar? 

The challenge isn't your audit work -it's the translation. Board members at credit unions face a unique communication gap. They're elected representatives of the membership, often bringing valuable community perspective but varying levels of financial expertise. Meanwhile, you're speaking the language of risk matrices, control frameworks and regulatory compliance. 

In this article we take a look at how to frame internal audit expertise in ways that connect with how boards think, decide and fulfill their fiduciary duties. 

Why board communication can be a challenge in credit unions 

Most communication breakdowns happen because internal auditors approach board presentations the same way they approach management reports. But boards don't need the same level of detail - they need context, implications and clear decision points. 

• Democratic governance structures mean directors may lack financial industry backgrounds 
• Volunteer positions limit the time directors can dedicate to understanding complex audit concepts 
• Member-owner priorities sometimes conflict with professional risk management standards 
• Regulatory expectations require boards to demonstrate oversight without micromanaging operations 
• When internal auditors miss these dynamics, even critical findings get lost in translation 

Understanding what your board actually needs 

Before you can communicate effectively, you need to understand what keeps your board members up at night. It's rarely the same things that concern you as an internal auditor. 

Board members are asking themselves: Are we protecting our members' money? Will we face regulatory sanctions? Are we making decisions that could expose the credit union to lawsuits? Is management telling us the truth about problems? 

Your audit findings matter only when they connect to these fundamental concerns. A control deficiency in the loan approval process isn't interesting to the board as a procedural gap. It becomes relevant when you frame it as "this weakness allowed three loans totaling $400,000 to bypass our concentration limits, putting the credit union at risk if this borrower defaults." 

The board needs you to answer three questions with every communication: 

1. What's the risk to the credit union and our members? 
2. What's management doing about it? 
3. What should we as a board be concerned about or decide? 

Structuring board communications for impact 

The structure of your communication matters as much as the content. Start with what matters most and provide pathways for directors to dig deeper if they choose. 

Lead with the bottom line 

Open every board communication with your conclusion. Don't make directors wait through methodology, scope and background to understand whether they should be worried. Your first sentence should tell them the answer: "Our audit of the lending function identified three high-risk issues requiring board attention" or "The controls in our information security program are operating effectively." 

This approach feels backward to auditors trained to build a case methodically. But board members need to know the verdict first, then decide whether they want to hear the evidence. 

Use the traffic light method 

Color-coding risk levels helps boards quickly understand what demands their attention. But don't just slap red, yellow and green on your findings without explanation. 

Define what each level means in terms the board understands: 

• High risk (red): Issues that could result in regulatory sanctions, significant financial loss or serious member harm if not addressed immediately 
• Medium risk (yellow): Weaknesses that increase vulnerability but have compensating controls or lower likelihood of occurrence 
• Low risk (green): Improvements that would strengthen controls but don't pose immediate threats 

Then be honest about your ratings. If you mark everything as high risk, the board learns to ignore your warnings. Reserve red for issues that genuinely demand urgent board-level attention. 

Provide context boards can grasp 

Internal auditors live in their institutions daily. Board members drop in quarterly.  

When you identify an issue, explain what normal looks like. "Industry standards suggest credit unions maintain fraud detection systems that flag transactions within 24 hours. Our system takes 5-7 days, which is why we didn't catch the ACH scheme until the member reported it." This gives the board a benchmark for understanding severity. 

Use comparisons to peer credit unions when relevant. "Of the fifteen credit unions in our asset category, twelve have dedicated compliance officers. We're relying on the CFO to handle compliance in addition to financial management." Numbers matter less than whether you're an outlier. 

Speaking the board's language 

The words you choose shape whether your message resonates or gets dismissed. Internal auditors often use technical language that signals expertise to other auditors but creates barriers with boards. 

Replace audit jargon with plain language that maintains precision. Instead of "control environment deficiencies," say "managers aren't consistently following the policies designed to prevent errors." Rather than "inherent risk in the operating environment," explain "this function handles large dollar amounts with limited oversight, making it vulnerable to mistakes or fraud." 

When you must use technical terms, define them in context: "The audit revealed inadequate segregation of duties, meaning the same person can both approve transactions and process them without independent review." 

Watch for passive voice that obscures accountability. "Exceptions were noted" tells the board nothing about who's responsible. "The lending manager approved six loans without required credit reports" creates clarity and accountability. 

Preparing for board questions 

Board members ask questions for different reasons than management does. They're testing whether you've done your homework, whether management is being straight with them and whether they need to worry. 

Anticipate the three questions that follow almost every audit presentation: 

1. How did this happen? 
2. Why didn't we know about it sooner? 
3. What happens if we don't fix it? 

Prepare crisp answers to each. "This happened because two employees left within the same month and their duties were combined without reassessing controls" beats "there were staffing challenges in the department." 

"We identified this during our regular audit cycle, but management discovered smaller instances last year and addressed them without escalating to the board" is honest context that helps directors understand timeline. 

"If we don't address this, the credit union could face penalties up to $100,000 per day under Bank Secrecy Act requirements, plus we'd be placed under a consent order requiring quarterly regulatory reporting" gives the board concrete stakes. 

Managing difficult board dynamics 

Some boards push back on audit findings, question your methodology or try to mediate between you and management. These dynamics require careful navigation. 

When board members defend management's decisions over audit concerns, resist the urge to dig in defensively. Instead, acknowledge their perspective while holding firm on facts. "I understand the CEO has explained the business rationale for these exceptions. Our role is to ensure the board knows they represent a departure from policy and the risks that creates." 

If directors minimize findings you consider serious, provide peer comparison or regulatory context. "You're right that no losses have occurred yet. The NCUA examiner specifically cited this same issue at three credit unions last quarter, resulting in Matters Requiring Board Attention. I want you to have the opportunity to address it before the next examination." 

When boards get stuck in operational details, redirect to governance. "That's a good question about the technical implementation. Management is best positioned to work through those details. The board's decision is whether the proposed remediation timeline is acceptable given the risk level." 

Following up after board meetings 

Your job doesn't end when the presentation concludes. Effective communication with credit union boards includes following through on commitments and keeping directors informed of progress. 

Document agreed-upon actions with specific accountability and timelines. "Management will implement dual approval requirements for wire transfers by June 30, with the CFO responsible for system configuration and testing." This creates clear expectations the board can monitor. 

Provide progress updates between meetings for high-risk items. A brief email that says "Management completed the first two action items from the March audit - added transaction limits to the system and conducted staff retraining - and remains on track for the June 30 completion date" keeps the board informed without requiring their action. 

Circle back when management misses deadlines. Your loyalty is to the credit union's safety and soundness, not to protecting management from board scrutiny. "I want to update you that management has not completed the remediation we discussed in Q1. They've asked for an extension until September due to competing priorities. This means the control gap remains open for an additional quarter." 

Building credibility over time 

Effective board communication isn't just about individual presentations. It's about establishing yourself as a trusted advisor the board relies on for straight answers. 

Demonstrate objectivity by reporting when things go well. If you only appear with problems, the board learns to tune you out. Balance critical findings with acknowledgment of strong controls and management successes. 

Show business acumen by connecting audit work to strategic objectives. "You've prioritized membership growth among younger demographics. Our technology audit identified gaps in mobile banking security that could undermine trust with this segment." 

Be consistent in your risk assessments. If you rated an issue as low risk last quarter, don't suddenly elevate it to high risk without explaining what changed. Boards need to trust your judgment remains steady. 

Tell the truth even when it's uncomfortable. If you made a mistake, own it. If you don't know the answer to a question, say so and commit to following up. If management is upset with your findings, don't soften them to keep the peace. 

The board communication challenge in credit unions is real, but it's not insurmountable. When you focus on translating your expertise into the language of governance, providing context that matters to directors and building credibility through consistency, your voice becomes one the board trusts and acts on. 

That's when internal audit truly protects the credit union and serves its members.