![](https://webarchive.library.unt.edu/eot2008/20090118022404im_/http://www.fdic.gov/images/spacer.gif)
|
[Main Tabs]
[Table of Contents - 5000]
[Index]
[Previous Page]
[Next Page]
[Search]
5000 - Statements of Policy
{{4-30-03 p.5368.01}}
INTERAGENCY POLICY STATEMENT ON THE INTERNAL AUDIT
FUNCTION AND ITS OUTSOURCING
INTRODUCTION
Effective internal control 1
is a foundation for the safe and sound operation of a financial
institution (institution). 2
The board of directors and senior management of an institution are
responsible for ensuring that the system of internal control operates
effectively. Their responsibility cannot be delegated to
others within the institution or to outside parties. An important
element in assessing the effectiveness of the internal control system
is an internal audit function. When properly structured and conducted,
internal audit provides directors and senior management with vital
information about weaknesses in the system of internal control so that
management can take prompt, remedial action. The federal banking
agencies' 3
(agencies) long-standing examination policies call for examiners to
review an institution's internal audit function and recommend
improvements, if needed. In addition, pursuant to Section 39 of the
Federal Deposit Insurance Act (FDI Act)
(12 U.S.C. 1831p-1), the
agencies have adopted Interagency Guidelines Establishing Standards for
Safety and Soundness that apply to insured depository
institutions. 4
Under these guidelines and policies, each institution should have an
internal audit function that is appropriate to its size and the nature
and scope of its activities.
In addressing various quality and resource issues, many institutions
have been engaging independent public accounting firms and other
outside professionals (outsourcing vendors) in recent years to perform
work that traditionally has been done by internal auditors. These
arrangements are often called ``internal audit outsourcing,''
``internal audit assistance,'' ``audit co-sourcing,'' and
``extended audit services'' (hereafter collectively referred to as
outsourcing). Typical outsourcing arrangements are more fully
illustrated in Part II below.
Outsourcing may be beneficial to an institution if it is properly
structured, carefully conducted, and prudently managed. However, the
agencies have concerns that the structure, scope, and management of
some internal audit outsourcing arrangements do not contribute to the
institution's safety and soundness. Furthermore, the agencies want to
ensure that these arrangements with outsourcing vendors do not leave
directors and senior management with the erroneous impression that they
have been relieved of their responsibility for maintaining an effective
system of internal control and for overseeing the internal audit
function.
This policy statement sets forth key characteristics of the internal
audit function in Part I. Sound practices concerning the use of
outsourcing vendors are discussed in Part II. Part III discusses the
effect outsourcing arrangements have on the independence of an
external
{{4-30-03 p.5368.02}}auditor who also provides internal
audit services to an institution. Part III also discusses the
prohibition on internal audit outsourcing to a public company's
external auditor under the Sarbanes-Oxley Act of
2002, 5
the effect of this prohibition on insured depository institutions
subject to the annual audit and reporting requirements of Section 36 of
the FDI Act (12 U.S.C.
1831m), and the agencies' views on compliance with this
provision of the Sarbanes-Oxley Act by institutions not subject to
Section 36 (including smaller depository institutions) that are not
publicly-held. Finally, Part IV of this statement provides guidance to
examiners concerning their reviews of internal audit functions and
related matters.
PART I--THE INTERNAL AUDIT FUNCTION
Board and Senior Management Responsibilities
The board of directors and senior management are responsible for
having an effective system of internal control and an effective
internal audit function in place at their institution. They are also
responsible for ensuring that the importance of internal control is
understood and respected throughout the institution. This overall
responsibility cannot be delegated to anyone else. They may,
however, delegate the design, implementation and monitoring of specific
internal controls to lower-level management and the testing and
assessment of internal controls to others. Accordingly, directors and
senior management should have reasonable assurance that the system of
internal control prevents or detects significant inaccurate,
incomplete, or unauthorized transactions; deficiencies in the
safeguarding of assets; unreliable financial reporting (which includes
regulatory reporting); and deviations from laws, regulations, and the
institution's policies. 6
Some institutions have chosen to rely on so-called "management
self-assessments" or "control self-assessments," wherein
business line managers and their staff evaluate the performance of
internal controls within their purview. Such reviews help to underscore
management's responsibility for internal control, but they are not
impartial. Directors and members of senior management who rely too much
on these reviews may not learn of control weaknesses until they have
become costly problems, particularly if directors are not intimately
familiar with the institution's operations. Therefore, institutions
generally should also have their internal controls tested and evaluated
by units without business-line responsibilities, such as internal audit
groups.
Directors should be confident that the internal audit function
addresses the risks and meets the demands posed by the institution's
current and planned activities. To accomplish this objective, directors
should consider whether their institution's internal audit activities
are conducted in accordance with professional standards, such as the
Institute of Internal Auditors' (IIA) Standards for the
Professional Practice of Internal Auditing. These standards
address independence, professional proficiency, scope of work,
performance of audit work, management of internal audit, and quality
assurance reviews. Furthermore, directors and senior management should
ensure that the following matters are reflected in their institution's
internal audit function.
Structure. Careful thought should be given to the
placement of the audit function in the institution's management
structure. The internal audit function should be positioned so that the
board has confidence that the internal audit function will perform its
duties with impartiality and not be unduly influenced by managers of
day-to-day operations. The audit
committee, 7
using objective criteria it has established, should oversee the
internal audit
{{4-30-03 p.5368.03}}function and evaluate its
performance. 8
The audit committee should assign responsibility for the internal audit
function to a member of management (hereafter referred to as the
manager of internal audit or internal audit manager) who understands
the function and has no responsibility for operating the system of
internal control. The ideal organizational arrangement is for this
manager to report directly and solely to the audit committee regarding
both audit issues and administrative matters, e.g., resources, budget,
appraisals, and compensation. Institutions are encouraged to consider
the IIA's Practice Advisory 2060-2: Relationship with the Audit
Committee, which provides more guidance on the roles and
relationships between the audit committee and the internal audit
manager.
Many institutions place the manager of internal audit under a dual
reporting arrangement: functionally accountable to the audit committee
on issues discovered by the internal audit function, while reporting to
another senior manager on administrative matters. Under a dual
reporting relationship, the board should consider the potential for
diminished objectivity on the part of the internal audit manager with
respect to audits concerning the executive to whom he or she reports.
For example, a manager of internal audit who reports to the chief
financial officer (CFO) for performance appraisal, salary, and approval
of department budgets may approach audits of the accounting and
treasury operations controlled by the CFO with less objectivity than if
the manager were to report to the chief executive officer. Thus, the
chief financial officer, controller, or other similar officer should
ideally be excluded from overseeing the internal audit activities even
in a dual role. The objectivity and organizational stature of the
internal audit function are best served under such a dual arrangement
if the internal audit manager reports administratively to the CEO.
Some institutions seek to coordinate the internal audit function
with several risk monitoring functions (e.g., loan review, market risk
assessment, and legal compliance departments) by establishing an
administrative arrangement under one senior executive. Coordination of
these other monitoring activities with the internal audit function can
facilitate the reporting of material risk and control issues to the
audit committee, increase the overall effectiveness of these monitoring
functions, better utilize available resources, and enhance the
institution's ability to comprehensively manage risk. Such an
administrative reporting relationship should be designed so as to not
interfere with or hinder the manager of internal audit's functional
reporting to and ability to directly communicate with the
institution's audit committee. In addition, the audit committee should
ensure that efforts to coordinate these monitoring functions do not
result in the manager of internal audit conducting control activities
nor diminish his or her independence with respect to the other risk
monitoring functions. Furthermore, the internal audit manager should
have the ability to independently audit these other monitoring
functions.
In structuring the reporting hierarchy, the board should weigh the
risk of diminished independence against the benefit of reduced
administrative burden in adopting a dual reporting organizational
structure. The audit committee should document its consideration of
this risk and mitigating controls. The IIA's Practice Advisory
1110-2: Chief Audit Executive Reporting Lines provides additional
guidance regarding functional and administrative reporting lines.
Management, staffing, and audit quality. In managing the
internal audit function, the manager of internal audit is responsible
for control risk assessments, audit plans, audit programs, and audit
reports.
A control risk assessment (or risk assessment
methodology) documents the internal auditor's understanding of the
institution's significant business activities and their associated
risks. These assessments typically analyze the risks inherent in a
given
{{4-30-03 p.5368.04}}business line, the mitigating
control processes, and the resulting residual risk exposure of the
institution. They should be updated regularly to reflect changes to the
system of internal control or work processes, and to incorporate new
lines of business.
An internal audit plan is based on the control risk
assessment and typically includes a summary of key internal controls
within each significant business activity, the timing and frequency of
planned internal audit work, and a resource budget.
An internal audit program describes the objectives of the
audit work and lists the procedures that will be performed during each
internal audit review.
An audit report generally presents the purpose, scope and
results of the audit, including findings, conclusions and
recommendations. Workpapers that document the work performed and
support the audit report should be maintained.
Ideally, the internal audit function's only role should be to
independently and objectively evaluate and report on the effectiveness
of an institution's risk management, control, and governance
processes. Internal auditors increasingly have taken a consulting role
within institutions on new products and services and on mergers,
acquisitions, and other corporate reorganizations. This role typically
includes helping design controls and participating in the
implementation of changes to the institution's control activities. The
audit committee, in its oversight of the internal audit staff, should
ensure that the function's consulting activities do not interfere or
conflict with the objectivity it should have with respect to monitoring
the institution's system of internal control. In order to maintain its
independence, the internal audit function should not assume a
business-line management role over control activities, such as
approving or implementing operating policies or procedures, including
those it has helped design in connection with its consulting
activities. The agencies encourage internal auditors to follow the
IIA's standards, including guidance related to the internal audit
function acting in an advisory capacity.
The internal audit function should be competently supervised and
staffed by people with sufficient expertise and resources to identify
the risks inherent in the institution's operations and assess whether
internal controls are effective. The manager of internal audit should
oversee the staff assigned to perform the internal audit work and
should establish policies and procedures to guide the audit staff. The
form and content of these policies and procedures should be consistent
with the size and complexity of the department and the institution.
Many policies and procedures may be communicated informally in small
internal audit departments, while larger departments would normally
require more formal and comprehensive written guidance.
Scope. The frequency and extent of internal audit review
and testing should be consistent with the nature, complexity, and risk
of the institution's on- and off-balance-sheet activities. At least
annually, the audit committee should review and approve internal
audit's control risk assessment and the scope of the audit plan,
including how much the manager relies on the work of an outsourcing
vendor. It should also periodically review internal audit's adherence
to the audit plan. The audit committee should consider requests for
expansion of basic internal audit work when significant issues arise or
when significant changes occur in the institution's environment,
structure, activities, risk exposures, or
systems. 9
Communication. To properly carry out their responsibility
for internal control, directors and senior management should foster
forthright communications and critical examination of issues to better
understand the importance and severity of internal control weaknesses
identified by the internal auditor and operating management's
solutions to these weaknesses. Internal auditors should report internal
control deficiencies to the appropriate level of management as soon as
they are identified. Significant matters should be promptly
reported
{{4-30-03 p.5368.05}}directly to the board of directors
(or its audit committee) and senior management. In periodic meetings
with management and the manager of internal audit, the audit committee
should assess whether management is expeditiously resolving internal
control weaknesses and other exceptions. Moreover, the audit committee
should give the manager of internal audit the opportunity to discuss
his or her findings without management being present.
Furthermore, each audit committee should establish and maintain
procedures for employees of their institution to submit confidentially
and anonymously concerns to the committee about questionable
accounting, internal accounting control, or auditing
matters. 10
In addition, the audit committee should set up procedures for the
timely investigation of complaints received and the retention for a
reasonable time period of documentation concerning the complaint and
its subsequent resolution.
Contingency Planning. As with any other function, the
institution should have a contingency plan to mitigate any significant
discontinuity in audit coverage, particularly for high-risk areas. Lack
of contingency planning for continuing internal audit coverage may
increase the institution's level of operational risk.
Small Institutions
An effective system of internal control and an independent internal
audit function form the foundation for safe and sound operations,
regardless of an institution's size. As noted in the Introduction,
each institution should have an internal audit function that is
appropriate to its size and the nature and scope of its activities. The
procedures assigned to this function should include adequate testing
and review of internal controls and information systems.
It is the responsibility of the audit committee and management to
carefully consider the extent of auditing that will effectively monitor
the internal control system after taking into account the internal
audit function's costs and benefits. For institutions that are large
or have complex operations, the benefits derived from a full-time
manager of internal audit or an auditing staff likely outweigh the
cost. For small institutions with few employees and less complex
operations, however, these costs may outweigh the benefits.
Nevertheless, a small institution without an internal auditor can
ensure that it maintains an objective internal audit function by
implementing a comprehensive set of independent reviews of significant
internal controls. The key characteristic of such reviews is that the
person(s) directing and/or performing the review of internal controls
is not also responsible for managing or operating those
controls. A person who is competent in evaluating a system of internal
control should design the review procedures and arrange for their
implementation. The person responsible for reviewing the system of
internal control should report findings directly to the audit
committee. The audit committee should evaluate the findings and ensure
that senior management has or will take appropriate action to correct
the control deficiencies.
U.S. Operations of Foreign Banking Organizations
The internal audit function of a foreign banking organization (FBO)
should cover its U.S. operations in its risk assessments, audit plans,
and audit programs. Its U.S. domiciled audit function, head-office
internal audit staff, or some combination thereof normally performs the
internal audit of the U.S. operations. Internal audit findings
(including internal control deficiencies) should be reported to the
senior management of the U.S. operations of the FBO and the audit
department of the head office. Significant adverse findings also should
be reported to the head office's senior management and the board of
directors or its audit committee.
PART II--INTERNAL AUDIT OUTSOURCING ARRANGEMENTS
Examples of Arrangements
An outsourcing arrangement is a contract between an institution and
an outsourcing vendor to provide internal audit services. Outsourcing
arrangements take many forms and
{{4-30-03 p.5368.06}}are used by institutions of all
sizes. Some institutions consider entering into these arrangements to
enhance the quality of their control environment by obtaining the
services of a vendor with the knowledge and skills to critically
assess, and recommend improvements to, their internal control systems.
The internal audit services under contract can be limited to helping
internal audit staff in an assignment for which they lack expertise.
Such an arrangement is typically under the control of the
institution's manager of internal audit, and the outsourcing vendor
reports to him or her. Institutions often use outsourcing vendors for
audits of areas requiring more technical expertise, such as electronic
data processing and capital markets activities. Such uses are often
referred to as "internal audit assistance" or "audit
co-sourcing."
Some outsourcing arrangements are structured so that an outsourcing
vendor performs virtually all the procedures or tests of the system of
internal control. Under such an arrangement, a designated manager of
internal audit oversees the activities of the outsourcing vendor and
typically is supported by internal audit staff. The outsourcing vendor
may assist the audit staff in determining risks to be reviewed and may
recommend testing procedures, but the internal audit manager is
responsible for approving the audit scope, plan, and procedures to be
performed. Furthermore, the internal audit manager is responsible for
the results of the outsourced audit work, including findings,
conclusions, and recommendations. The outsourcing vendor may report
these results jointly with the internal audit manager to the audit
committee.
Additional Considerations for Internal Audit Outsourcing
Arrangements
Even when outsourcing vendors provide internal audit services, the
board of directors and senior management of an institution are
responsible for ensuring that both the system of internal control and
the internal audit function operate effectively. In any outsourced
internal audit arrangement, the institution's board of directors and
senior management must maintain ownership of the internal audit
function and provide active oversight of outsourced activities. When
negotiating the outsourcing arrangement with an outsourcing vendor, an
institution should carefully consider its current and anticipated
business risks in setting each party's internal audit
responsibilities. The outsourcing arrangement should not increase the
risk that a breakdown of internal control will go undetected.
To clearly distinguish its duties from those of the outsourcing
vendor, the institution should have a written contract, often taking
the form of an engagement
letter. 11
Contracts between the institution and the vendor typically include
provisions that:
Define the expectations and responsibilities
under the contract for both parties;
Set the scope and frequency of, and the fees to be paid
for, the work to be performed by the vendor;
Set the responsibilities for providing and receiving
information, such as the type and frequency of reporting to senior
management and directors about the status of contract work;
Establish the process for changing the terms of the
service contract, especially for expansion of audit work if significant
issues are found, and stipulations for default and termination of the
contract;
State that internal audit reports are the property of the
institution, that the institution will be provided with any copies of
the related workpapers it deems necessary, and that employees
authorized by the institution will have reasonable and timely access to
the workpapers prepared by the outsourcing vendor;
Specify the locations of internal audit reports and the
related workpapers;
{{4-30-03 p.5368.07}}
Specify the period of time (for example, seven years)
that vendors must maintain the
workpapers; 12
State that outsourced internal audit services provided by
the vendor are subject to regulatory review and that examiners will be
granted full and timely access to the internal audit reports and
related workpapers prepared by the outsourcing vendor;
Prescribe a process (arbitration, mediation, or other
means) for resolving disputes and for determining who bears the cost of
consequential damages arising from errors, omissions, and negligence;
and
State that the outsourcing vendor will not perform
management functions, make management decisions, or act or appear to
act in a capacity equivalent to that of a member of management or an
employee and, if applicable, will comply with AICPA, U.S. Securities
and Exchange Commission (SEC), Public Company Accounting Oversight
Board (PCAOB), or regulatory independence guidance.
Vendor Competence. Before entering an outsourcing
arrangement, the institution should perform due diligence to satisfy
itself that the outsourcing vendor has sufficient staff qualified to
perform the contracted work. The staff's qualifications may be
demonstrated, for example, through prior experience with financial
institutions. Because the outsourcing arrangement is a
personal-services contract, the institution's internal audit manager
should have confidence in the competence of the staff assigned by the
outsourcing vendor and receive timely notice of key staffing changes.
Throughout the outsourcing arrangement, management should ensure that
the outsourcing vendor maintains sufficient expertise to effectively
perform its contractual obligations.
Management. Directors and senior management should ensure
that the outsourced internal audit function is competently managed. For
example, larger institutions should employ sufficient competent staff
members in the internal audit department to assist the manager of
internal audit in overseeing the outsourcing vendor. Small institutions
that do not employ a full-time audit manager should appoint a competent
employee who ideally has no managerial responsibility for the areas
being audited to oversee the outsourcing vendor's performance under
the contract. This person should report directly to the audit committee
for purposes of communicating internal audit issues.
Communication. Communication between the internal audit
function and the audit committee and senior management should not
diminish because the institution engages an outsourcing vendor. All
work by the outsourcing vendor should be well documented and all
findings of control weaknesses should be promptly reported to the
institution's manager of internal audit. Decisions not to report the
outsourcing vendor's findings to directors and senior management
should be the mutual decision of the internal audit manager and the
outsourcing vendor. In deciding what issues should be brought to the
board's attention, the concept of "materiality," as the term is
used in financial statement audits, is generally not a good indicator
of which control weakness to report. For example, when evaluating an
institution's compliance with laws and regulations, any exception may
be important.
Contingency Planning. When an institution enters into an
outsourcing arrangement (or significantly changes the mix of internal
and external resources used by internal audit), it may increase its
operational risk. Because the arrangement may be terminated suddenly,
the institution should have a contingency plan to mitigate any
significant discontinuity in audit coverage, particularly for high-risk
areas.
PART III--INDEPENDENCE OF THE INDEPENDENT PUBLIC ACCOUNTANT
This part of the policy statement relates only to an
outsourcing vendor who is a public accountant and is considering
providing both external audit and internal audit services to an
institution.
{{4-30-03 p.5368.08}}
When one accounting firm performs both the external audit and the
outsourced internal audit function, the firm risks compromising its
independence. These concerns arise because, rather than having two
separate functions, this outsourcing arrangement places the independent
public accounting firm in the position of appearing to audit, or
actually auditing, its own work. For example, in auditing an
institution's financial statements, the accounting firm will consider
the extent to which it may relay on the internal control system,
including the internal audit function, in designing audit procedures.
The next three sections outline the applicability of the SEC's
auditor independence requirements to public companies, insured
depository institutions subject to Section 36 of the FDI Act, and
non-public institutions that are not subject to Section 36. They are
followed by information on the AICPA's independence guidance.
Institutions that are Public Companies
To strengthen auditor independence, Congress passed the
Sarbanes-Oxley Act of 2002. Title II of this act applies to any company
that has a class of securities registered with the SEC or the
appropriate federal banking agency under Section 12 of the Securities
Exchange Act of 1934 or that is required to file reports with the SEC
under Section 15(d) of that
act, 13
i.e., a public company. Within Title II, Section 201(a) prohibits an
accounting firm from acting as the external auditor of a public company
during the same period that the firm provides internal audit
outsourcing services to the
company. 14
In addition, if a public company's external auditor will be providing
auditing services and non-audit services, such as tax services, that
are not otherwise prohibited by Section 201(a) of the Sarbanes-Oxley
Act, Title II also provides that the company's audit committee must
pre-approve each of these services.
The SEC adopted final rules implementing the non-audit service
prohibitions and audit committee pre-approval requirements of Title II
on January 22, 2003. 15
According to these rules, an accountant is not independent if, at any
point during the audit and professional engagement period, the
accountant provides internal audit outsourcing or other prohibited
non-audit services to a public company audit client. These rules
generally become effective on May 6, 2003, although a one-year
transition period is provided for contractual arrangements in place as
of that date. Under this transition rule, an external auditor's
independence will not be deemed to be impaired until May 6, 2004, if
the auditor is performing internal audit outsourcing and other
prohibited non-audit services for a public company audit client
pursuant to a contract in existence on May 6, 2003. However, the
services being provided must not have impaired the auditor's
independence under the pre-existing independence requirements of the
SEC, the Independence Standards Board, and the AICPA.
The SEC's pre-existing auditor independence requirements are
contained in regulations that were adopted in November 2000 and became
fully effective in August
2002. 16
Although the SEC's November 2000 regulations do not prohibit the
outsourcing of internal
{{4-30-03 p.5368.09}}audit services to a public
company's independent public accountant, they place conditions and
limitations on internal audit outsourcing.
Depository Institutions Subject to the Annual Audit and Reporting
Requirements of Section 36 of the FDI Act
Under Section 36 as implemented by
Part 363 of the FDIC's
regulations, each FDIC-insured depository institution with total assets
of $500 million or more is required to have an annual audit performed
by an independent public
accountant. 17
The Part 363 guidelines address the qualifications of an independent
public accountant engaged by such an institution by stating that
"[t]he independent public accountant should also be in compliance
with the AICPA's Code of Professional Conduct and meet the
independence requirements and interpretations of the SEC and its
staff." 18
Thus, the guidelines provide for each FDIC-insured depository
institution with $500 million or more in total assets, whether or not
it is a public company, and its external auditor to comply with the
SEC's auditor independence requirements that are in effect during the
period covered by the audit. These requirements include the non-audit
service prohibitions and audit committee pre-approval requirements
implemented by the SEC's January 2003 auditor independence rules once
they take effect May 6, 2003, subject to the transition rule for
internal audit outsourcing and other contracts in existence on that
date described in the preceding section. That transition rule provides
that such outsourcing arrangements will not impair an auditor's
independence until May 6, 2004, provided certain conditions are
met. 19
Institutions not Subject to Section 36 of the FDI Act that are
Neither Public Companies nor Subsidiaries of Public Companies
The agencies have long encouraged each institution not subject to
Section 36 of the FDI Act 20
that is neither a public company nor a subsidiary of a public company
to have its financial statements audited by an independent public
accountant. 21
The agencies also encourage each such non-public institution to follow
the internal audit outsourcing prohibition in Section 201(a) of the
Sarbanes-Oxley Act when the SEC's January 2003 regulations
implementing this prohibition take effect, as discussed above for
institutions that are public companies.
As previously mentioned, some institutions seek to enhance the
quality of their control environment by obtaining the services of an
outsourcing vendor who can critically assess their internal control
system and recommend improvements. The agencies believe that a small
non-public institution with less complex operations and limited staff
can, in certain circumstances, use the same accounting firm to perform
both an external audit and some or all of the institution's internal
audit activities. These circumstances include, but are not limited to,
situations where:
Splitting the audit activities poses significant
costs or burden;
Persons with the appropriate specialized knowledge and
skills are difficult to locate and obtain;
{{4-30-03 p.5368.10}}
The institution is closely held and investors are not
solely reliant on the audited financial statements to understand the
financial position and performance of the institution; and
The outsourced internal audit services are limited in
either scope or frequency.
In circumstances such as these, the agencies view an internal audit
outsourcing arrangement between a small non-public institution and its
external auditor as not being inconsistent with their safety and
soundness objectives for the institution.
When a small non-public institution decides to hire the same firm to
perform internal and external audit work, the audit committee and the
external auditor should pay particular attention to preserving the
independence of both the internal and external audit functions.
Furthermore, the audit committee should document both that it has
pre-approved the internal audit outsourcing to its external auditor and
has considered the independence issues associated with this
arrangement. 22
In this regard, the audit committee should consider the independence
standards described in Parts I and II of this policy statement, the
AICPA guidance discussed in the following section, and the broad
principles that the auditor should not perform management functions or
serve in an advocacy role for the client.
Accordingly, the agencies will not consider an auditor who performs
internal audit outsourcing services for a small non-public audit client
to be independent unless the institution and its auditor have
adequately addressed the associated independence issues. In addition,
the institution's board of directors and management must retain
ownership of an accountability for the internal audit function and
provide active oversight of the outsourced internal audit relationship.
A small non-public institution may be required by another law or
regulation, an order, or another supervisory action to have its
financial statements audited by an independent public accountant. In
this situation, if warranted for safety and soundness reasons, the
institution's primary federal regulator may require that the
institution and its independent public accountant comply with the
auditor independence requirements of Section 201(a) of the
Sarbanes-Oxley Act. 23
AICPA Guidance
As noted above, the independent public accountant for a depository
institution subject to Section 36 of the FDI Act also should be in
compliance with the AICPA's Code of Professional Conduct.
This code includes professional ethics standards, rules, and
interpretations that are binding on all certified public accountants
(CPAs) who are members of the AICPA in order for the member to remain
in good standing. Therefore, this code applies to each member CPA who
provides audit services to an institution, regardless of whether the
institution is subject to Section 36 or is a public company.
The AICPA has issued guidance indicating that a member CPA would be
deemed not independent of his or her client when the CPA acts or
appears to act in a capacity equivalent to a member of the client's
management or as a client employee. The AICPA's guidance includes
illustrations of activities that would be considered to compromise a
CPA's independence. Among these are activities that involve the CPA
authorizing, executing, or consummating transactions or otherwise
exercising authority on behalf of the client. For additional details,
refer to Interpretation 101--3--Performance of Other Services and
Interpretation 101--13--Extended Audit Services in the
AICPA's Code of Professional Conduct.
{{4-30-03 p.5368.11}}
PART IV--EXAMINATION GUIDANCE
Review of the Internal Audit Function and Outsourcing Arrangements
Examiners should have full and timely access to an institution's
internal audit resources, including personnel, workpapers, risk
assessments, work plans, programs, reports, and budgets. A delay may
require examiners to widen the scope of their examination work and may
subject the institution to follow-up supervisory actions.
Examiners will assess the quality and scope of an institution's
internal audit function, regardless of whether it is performed by the
institution's employees or by an outsourcing vendor. Specifically,
examiners will consider whether:
The internal audit function's control risk
assessment, audit plans, and audit programs are appropriate for the
institution's activities;
The internal audit activities have been adjusted for
significant changes in the institution's environment, structure,
activities, risk exposures, or systems;
The internal audit activities are consistent with the
long-range goals and strategic direction of the institution and are
responsive to its internal control needs;
The audit committee promotes the internal audit
manager's impartiality and independence by having him or her directly
report audit findings to it;
The internal audit manager is placed in the management
structure in such a way that the independence of the function is not
impaired;
The institution has promptly responded to significant
identified internal control weaknesses;
The internal audit function is adequately managed to
ensure that audit plans are met, programs are carried out, and results
of audits are promptly communicated to senior management and members of
the audit committee and board of directors;
Workpapers adequately document the internal audit work
performed and support the audit reports;
Management and the board of directors use reasonable
standards, such as the IIA's Standards for the Professional
Practice of Internal Auditing, when assessing the performance of
internal audit; and
The audit function provides high-quality advice and
counsel to management and the board of directors on current
developments in risk management, internal control, and regulatory
compliance.
The examiner should assess the competence of the institution's
internal audit staff and management by considering the education,
professional background, and experience of the principal internal
auditors.
In addition, when reviewing outsourcing arrangements, examiners
should determine whether:
The arrangement maintains or improves the
quality of the internal audit function and the institution's internal
control;
Key employees of the institution and the outsourcing
vendor clearly understand the lines of communication and how any
internal control problems or other matters noted by the outsourcing
vendor are to be addressed;
The scope of the outsourced work is revised appropriately
when the institution's environment, structure, activities, risk
exposures, or systems change significantly;
The directors have ensured that the outsourced internal
audit activities are effectively managed by the institution;
The arrangement with the outsourcing vendor satisfies the
independence standards described in this policy statement and thereby
preserves the independence of the internal audit function, whether or
not the vendor is also the institution's independent public
accountant; and
The institution has performed sufficient due diligence to
satisfy itself of the vendor's competence before entering into the
outsourcing arrangement and has adequate
{{4-30-03 p.5368.12}}procedures for ensuring that the
vendor maintains sufficient expertise to perform effectively throughout
the arrangement.
Concerns about the Adequacy of the Internal Audit Function
If the examiner concludes that the institution's internal audit
function, whether or not it is outsourced, does not sufficiently meet
the institution's internal audit needs, does not satisfy the
Interagency Guidelines Establishing Standards for Safety and Soundness,
if applicable, 24
or is otherwise inadequate, he or she should consider adjusting the
scope of the examination. The examiner should also discuss his or her
concerns with the internal audit manager or other person responsible
for reviewing the system of internal control. If these discussions do
not resolve the examiner's concerns, he or she should bring these
matters to the attention of senior management and the board of
directors or audit committee. Should the examiner find material
weaknesses in the internal audit function or the internal control
system, he or she should discuss them with appropriate agency staff in
order to determine the appropriate actions the agency should take to
ensure that the institution corrects the deficiencies. These actions
may include formal and informal enforcement actions.
The institution's management and composite ratings should reflect
the examiner's conclusions regarding the institution's internal audit
function. The report of examination should contain comments concerning
the adequacy of this function, significant issues or concerns, and
recommended corrective actions.
Concerns about the Independence of the Outsourcing Vendor
An examiner's initial review of an internal audit outsourcing
arrangement, including the actions of the outsourcing vendor, may raise
questions about the institution's and its vendor's adherence to the
independence standards described in Parts I and II of this policy
statement, whether or not the vendor is an accounting firm, and in Part
III if the vendor provides both external and internal audit services to
the institution. In such cases, the examiner first should ask the
institution and the outsourcing vendor how the audit committee
determined that the vendor was independent. If the vendor is an
accounting firm, the audit committee should be asked to demonstrate how
it assessed that the arrangement has not compromised applicable SEC,
PCAOB, AICPA, or other regulatory standards concerning auditor
independence. If the examiner's concerns are not adequately addressed,
the examiner should discuss the matter with appropriate agency staff
prior to taking any further action.
If the agency staff concurs that the independence of the external
auditor or other vendor appears to be compromised, the examiner will
discuss his or her findings and the actions the agency may take with
the institution's senior management, board of directors (or audit
committee), and the external auditor or other vendor. In addition, the
agency may refer the external auditor to the state board of
accountancy, the AICPA, and SEC, the PCAOB, or other authorities for
possible violations of applicable independence standards. Moreover, the
agency may conclude that the institution's external auditing program
is inadequate and that it does not comply with auditing and reporting
requirements, including Sections 36 and 39 of the FDI Act and related
guidance and regulations, if applicable.
[Source: FDIC Financial Institution Letter (FIL--133--97). dated
December 22, 1997; amended at
(FIL--21--2003),
dated March 17, 2003)
1 In summary, internal control is a process designed to
provide reasonable assurance that the institution will achieve the
following internal control objectives: efficient and effective
operations, including safeguarding of assets; reliable financial
reporting; and, compliance with applicable laws and regulations.
Internal control consists of five components that are a part of the
management process: control environment, risk assessment, control
activities, information and communication, and monitoring activities.
The effective functioning of these components, which is brought about
by an institution's board of directors, management, and other
personnel, is essential to achieving the internal control objectives.
This description of internal control is consistent with the Committee
of Sponsoring Organizations of the Treadway Commission (COSO) report
Internal Control--Integrated Framework. In addition, under
the COSO framework, financial reporting is defined in terms of
published financial statements, which, for purposes of this policy
statement, encompasses both financial statements prepared in accordance
with generally accepted accounting principles and regulatory reports
(such as the Reports of Condition and Income and the Thrift Financial
Report). Institutions are encouraged to evaluate their internal control
against the COSO framework if they are not already doing so. Go Back to Text
2 The term "institution" includes depository
institutions insured by the Federal Deposit Insurance Corporation
(FDIC), U.S. financial holding companies and bank holding companies
supervised by the Federal Reserve System, thrift holding companies
supervised by the Office of Thrift Supervision (OTS), and the U.S.
operations of foreign banking organizations. Go Back to Text
3 Board of Governors of the Federal Reserve System, FDIC,
Office of the Comptroller of the Currency, and OTS. Go Back to Text
4 For national banks, Appendix A to Part 30; for state member
banks, Appendix D-1 to Part 208; for insured state nonmember banks and
insured state-licensed branches of foreign banks,
Appendix A to Part
364; for savings associations, Appendix A to Part 570. Go Back to Text
5 Pub. L. 107--204, 116 Stat. 745 (2002). Go Back to Text
6 Under Section 36 of the FDI Act, as implemented by Part 363
of the FDIC's regulations (12 CFR
363), FDIC-insured depository institutions with total assets of
$500 million or more must submit an annual management report signed by
the chief executive officer (CEO) and chief accounting or chief
financial officer. This report must discuss management's
responsibility for financial reporting controls and assess the
effectiveness of those controls as well as the institution's
compliance with designated laws and regulations. Go Back to Text
7 Depository institutions subject to Section 36 of the FDI Act
and Part 363 of the FDIC's regulations must maintain independent audit
committees (i.e., comprised of directors who are not members of
management). Consistent with the 1999 Interagency Policy Statement on
External Auditing Programs of Banks and Savings Associations, the
agencies also encourage the board of directors of each depository institution that is not otherwise required to do so to establish
an audit committee consisting entirely of outside directors. Where the
term "audit committee" is used in this policy statement, the
board of directors may fulfill the audit committee responsibilities if
the institution is not subject to an audit committee requirement. Go Back to Text
8 For example, the performance criteria could include the
timeliness of each completed audit, comparison of overall performance
to plan, and other measures. Go Back to Text
9 Major changes in an institution's environment and
conditions may compel changes to the internal control system and also
warrant additional internal audit work. These include: (a) new
management; (b) areas or activities experiencing rapid growth or rapid
decline; (c) new lines of business, products, or technologies or
disposals thereof; (d) corporate restructurings, mergers, and
acquisitions; and (e) expansion or acquisition of foreign operations
(including the impact of changes in the related economic and regulatory
environments). Go Back to Text
10 Where the board of directors fulfills the audit committee
responsibilities, the procedures should provide for the submission of
employee concerns to an outside director. Go Back to Text
11 The engagement letter provisions described are comparable
to those outlined by the American Institute of Certified Public
Accountants (AICPA) for financial statement audits (see AICPA
Professional Standards, AU section 310). These provisions are
consistent with the provisions customarily included in contracts for
other outsourcing arrangements, such as those involving data processing
and information technology. Therefore, the federal banking agencies
consider these provisions to be usual and customary business
practices. Go Back to Text
12 If the workpapers are in electronic format, contracts often
call for the vendor to maintain proprietary software that enables the
bank and examiners to access the electronic workpapers for a specified
time period. Go Back to Text
13 15 U.S.C. 781 and 78o(d). Go Back to Text
14 In addition to prohibiting internal audit outsourcing,
Section 201(a) of the Sarbanes-Oxley Act also identifies other
non-audit services that an external auditor is prohibited from
providing to a public company whose financial statements it audits. The
legislative history of Section 201(a) indicates that three broad
principles should be considered when determining whether an auditor
should be prohibited from providing a non-audit service to an audit
client. These principles are that an auditor should not (1) audit his
or her own work, (2) perform management functions for the client, or
(3) serve in an advocacy role for the client. To do so would impair
the auditor's independence. Based on these three broad principles, the
other non-audit services that Section 201(a) prohibits an auditor from
providing for a public company audit client include bookkeeping or
other services related to the client's accounting records or financial
statements; financial information systems design and implementation;
appraisal or valuation services, fairness opinions, or
contribution-in-kind reports; actuarial services; management functions
or human resources; broker or dealer, investment adviser, or investment
banking services; legal services and expert services unrelated to the
audit; and any other service determined to be impermissible by the
PCAOB. Go Back to Text
15 68 Fed. Reg. 6006, February 5, 2003. Go Back to Text
16 65 Fed. Reg. 76007, December 5, 2000. Go Back to Text
17 12 CFR
363.3(a). Go Back to Text
18 Appendix
A to Part 363--Guidelines and Interpretations, Paragraph 14.
Independence. Go Back to Text
19 If a depository institution subject to Section 36 and Part
363 satisfies the annual independent audit requirement by relying on
the independent audit of its parent holding company, once the SEC's
January 2003 regulations prohibiting an external auditor from
performing internal audit outsourcing services for an audit client take
effect May 6, 2003, or May 6, 2004, depending on the circumstances, the
holding company's external auditor cannot perform internal audit
outsourcing work for that holding company or the subsidiary
institution. Go Back to Text
20 FDIC-insured depository institutions with less than $500
million in total assets are not subject to Section 36 of the FDI Act.
Section 36 does not apply directly to holding companies, but it
provides that, for an insured depository institution that is a
subsidiary of a holding company, its audited financial statements
requirement and certain of its other requirements may be satisfied by
the holding company. Go Back to Text
21 See, for example, the 1999
Interagency
Policy Statement on External Auditing Programs of Banks and Savings
Institutions. Go Back to Text
22 If a small non-public institution is considering having its
external auditor perform other non-audit services (see footnote 14 for
examples of such services), its audit committee may wish to discuss the
implications of the performance of these services on the auditor's
independence. Go Back to Text
23 For OTS-required audits under 12 CFR 562.4, independent
public accountants performing such audits must meet the independence
requirements and interpretations of the SEC and its staff. Go Back to Text
24 See footnote 4. Go Back to Text
[Main Tabs]
[Table of Contents - 5000]
[Index]
[Previous Page]
[Next Page]
[Search]
|