Introduction
Effective internal control[1] is a foundation for the safe and sound
operation of a financial institution (institution).[2] The board of
directors and senior management of an institution are responsible for
ensuring that the system of internal control operates effectively.
Their responsibility cannot be delegated to others within the
institution or to outside parties. An important element in assessing
the effectiveness of the internal control system is an internal audit
function. When properly structured and conducted, internal audit
provides directors and senior management with vital information about
weaknesses in the system of internal control so that management can
take prompt, remedial action. The federal banking agencies’ (agencies)[3]
long-standing examination policies call for examiners to review an
institution’s internal audit function and recommend improvements, if
needed. In addition, pursuant to section 39 of the Federal Deposit
Insurance Act (FDI Act) (12 USC 1831p-1), the agencies have adopted
Interagency Guidelines Establishing Standards for Safety and Soundness
that apply to insured depository institutions.[4] Under these guidelines
and policies, each institution should have an internal audit function
that is appropriate to its size and the nature and scope of its
activities.
In addressing various quality and resource issues, many
institutions have been engaging independent public accounting firms
and other outside professionals (outsourcing vendors) in recent years
to perform work that traditionally has been done by internal auditors.
These arrangements are often called “internal audit outsourcing,”
“internal audit assistance,” “audit co-sourcing,” and “extended audit
services” (hereafter collectively referred to as outsourcing). Typical
outsourcing arrangements are more fully illustrated in part II below.
Outsourcing may be beneficial to an institution if it
is properly structured, carefully conducted, and prudently managed.
However, the agencies have concerns that the structure, scope, and
management of some internal audit outsourcing arrangements do not
contribute to the institution’s safety and soundness. Furthermore,
the agencies want to ensure that these arrangements with outsourcing
vendors do not leave directors and senior management with the erroneous
impression that they have been relieved of their responsibility for
maintaining an effective system of internal control and for overseeing
the internal audit function.
This policy statement sets forth key characteristics of
the internal audit function in part I. Sound practices concerning
the use of outsourcing vendors are discussed in part II. Part III
discusses the effect outsourcing arrangements have on the independence
of an external auditor who also provides internal audit services to
an institution. Part III also discusses the prohibition on internal
audit
outsourcing to a public company’s external auditor under the Sarbanes-Oxley
Act of 2002,[5] the effect of this
prohibition on insured depository institutions subject to the annual
audit and reporting requirements of section 36 of the FDI Act (12
USC 1831m), and the agencies’ views on compliance with this provision
of the Sarbanes-Oxley Act by institutions not subject to section 36
(including smaller depository institutions) that are not publicly
held. Finally, part IV of this statement provides guidance to examiners
concerning their reviews of internal audit functions and related matters.
Part I—The Internal Audit Function
Board and Senior Management Responsibilities
The board of directors
and senior management are responsible for having an effective system
of internal control and an effective internal audit function in place
at their institution. They are also responsible for ensuring that
the importance of internal control is understood and respected throughout
the institution. This overall responsibility cannot be delegated to
anyone else. They may, however, delegate the design, implementation,
and monitoring of specific internal controls to lower-level management
and the testing and assessment of internal controls to others. Accordingly,
directors and senior management should have reasonable assurance that
the system of internal control prevents or detects significant inaccurate,
incomplete, or unauthorized transactions; deficiencies in the safeguarding
of assets; unreliable financial reporting (which includes regulatory
reporting); and deviations from laws, regulations, and the institution’s
policies.[6]
Some institutions have chosen to rely on so-called management
self-assessments or control self-assessments, wherein business-line
managers and their staff evaluate the performance of internal controls
within their purview. Such reviews help to underscore management’s
responsibility for internal control, but they are not impartial. Directors
and members of senior management who rely too much on these reviews
may not learn of control weaknesses until they have become costly
problems, particularly if directors are not intimately familiar with
the institution’s operations. Therefore, institutions generally should
also have their internal controls tested and evaluated by units without
business-line responsibilities, such as internal audit groups.
Directors should be confident that the internal audit
function addresses the risks and meets the demands posed by the institution’s
current and planned activities. To accomplish this objective, directors
should consider whether their institution’s internal audit activities
are conducted in accordance with professional standards, such as the
Institute of Internal Auditors’ (IIA) Standards for the Professional
Practice of Internal Auditing. These standards address independence,
professional proficiency, scope of work, performance of audit work,
management of internal audit, and quality-assurance reviews. Furthermore,
directors and senior management should ensure that the following matters
are reflected in their institution’s internal audit function.
Structure. Careful thought
should be given to the placement of the audit function in the institution’s
management structure. The internal audit function should be positioned
so that the board has confidence that the internal audit function
will perform its duties with impartiality and not be unduly influenced
by managers of day-to-day operations. The audit committee,[7] using
objective criteria it has established, should oversee the internal
audit function and evaluate its performance.[8] The audit committee
should assign responsibility
for the internal audit function to a member of management (hereafter
referred to as the manager of internal audit or internal audit manager)
who understands the function and has no responsibility for operating
the system of internal control. The ideal organizational arrangement
is for this manager to report directly and solely to the audit committee
regarding both audit issues and administrative matters, e.g., resources,
budget, appraisals, and compensation. Institutions are encouraged
to consider the IIA’s
Practice Advisory 2060-2: Relationship with
the Audit Committee, which provides more guidance on the roles
and relationships between the audit committee and the internal audit
manager.
Many institutions place the manager of internal audit
under a dual reporting arrangement: functionally accountable to the
audit committee on issues discovered by the internal audit function,
while reporting to another senior manager on administrative matters.
Under a dual reporting relationship, the board should consider the
potential for diminished objectivity on the part of the internal audit
manager with respect to audits concerning the executive to whom he
or she reports. For example, a manager of internal audit who reports
to the chief financial officer (CFO) for performance appraisal, salary,
and approval of department budgets may approach audits of the accounting
and treasury operations controlled by the CFO with less objectivity
than if the manager were to report to the chief executive officer.
Thus, the chief financial officer, controller, or other similar officer
should ideally be excluded from overseeing the internal audit activities
even in a dual role. The objectivity and organizational stature of
the internal audit function are best served under such a dual arrangement
if the internal audit manager reports administratively to the CEO.
Some institutions seek to coordinate the internal audit
function with several risk-monitoring functions (e.g., loan review,
market-risk assessment, and legal compliance departments) by establishing
an administrative arrangement under one senior executive. Coordination
of these other monitoring activities with the internal audit function
can facilitate the reporting of material risk and control issues to
the audit committee, increase the overall effectiveness of these monitoring
functions, better utilize available resources, and enhance the institution’s
ability to comprehensively manage risk. Such an administrative reporting
relationship should be designed so as to not interfere with or hinder
the manager of internal audit’s functional reporting to and ability
to directly communicate with the institution’s audit committee. In
addition, the audit committee should ensure that efforts to coordinate
these monitoring functions do not result in the manager of internal
audit conducting control activities nor diminish his or her independence
with respect to the other risk-monitoring functions. Furthermore,
the internal audit manager should have the ability to independently
audit these other monitoring functions.
In structuring the reporting hierarchy, the board should
weigh the risk of diminished independence against the benefit of reduced
administrative burden in adopting a dual reporting organizational
structure. The audit committee should document its consideration of
this risk and mitigating controls. The IIA’s Practice Advisory
1110-2: Chief Audit Executive Reporting Lines provides additional
guidance regarding functional and administrative reporting lines.
Management, staffing,
and audit quality. In managing the internal audit function, the
manager of internal audit is responsible for control risk assessments,
audit plans, audit programs, and audit reports.
- A control risk assessment (or risk-assessment methodology)
documents the internal auditor’s understanding of the institution’s
significant business activities and their associated risks. These
assessments typically analyze the risks inherent in a given business
line, the mitigating control processes, and the resulting residual
risk exposure of the institution. They should be updated regularly
to reflect changes to the system of internal control or work processes
and to incorporate new lines of business.
- An internal audit plan is based on the control risk
assessment and typically includes a summary of key internal controls
within each significant business activity, the timing and frequency
of planned internal audit work, and a resource budget.
- An internal audit program describes the objectives
of the audit work and lists the procedures that will be performed
during each internal audit review.
- An audit report generally presents the purpose, scope,
and results of the audit, including findings, conclusions, and recommendations.
Workpapers that document the work performed and support the audit
report should be maintained.
Ideally, the internal audit function’s only
role should be to independently and objectively evaluate and report
on the effectiveness of an institution’s risk management, control,
and governance processes. Internal auditors increasingly have taken
a consulting role within institutions on new products and services
and on mergers, acquisitions, and other corporate reorganizations.
This role typically includes helping design controls and participating
in the implementation of changes to the institution’s control activities.
The audit committee, in its oversight of the internal audit staff,
should ensure that the function’s consulting activities do not interfere
or conflict with the objectivity it should have with respect to monitoring
the institution’s system of internal control. In order to maintain
its independence, the internal audit function should not assume a
business-line management role over control activities, such as approving
or implementing operating policies or procedures, including those
it has helped design in connection with its consulting activities.
The agencies encourage internal auditors to follow the IIA’s standards,
including guidance related to the internal audit function acting in
an advisory capacity.
The internal audit function should be competently supervised
and staffed by people with sufficient expertise and resources to identify
the risks inherent in the institution’s operations and assess whether
internal controls are effective. The manager of internal audit should
oversee the staff assigned to perform the internal audit work and
should establish policies and procedures to guide the audit staff.
The form and content of these policies and procedures should be consistent
with the size and complexity of the department and the institution.
Many policies and procedures may be communicated informally in small
internal audit departments, while larger departments would normally
require more formal and comprehensive written guidance.
Scope. The frequency and
extent of internal audit review and testing should be consistent with
the nature, complexity, and risk of the institution’s on- and off-balance-sheet
activities. At least annually, the audit committee should review and
approve internal audit’s control risk assessment and the scope of
the audit plan, including how much the manager relies on the work
of an outsourcing vendor. It should also periodically review internal
audit’s adherence to the audit plan. The audit committee should consider
requests for expansion of basic internal audit work when significant
issues arise or when significant changes occur in the institution’s
environment, structure, activities, risk exposures, or systems.[9]
Communication. To properly carry out
their responsibility for internal control, directors and senior management
should foster forthright communications and critical examination of issues
to better understand the importance and severity of internal control
weaknesses identified by the internal auditor and operating management’s
solutions to these weaknesses. Internal auditors should report internal
control deficiencies to the appropriate level of management as soon
as they are identified. Significant matters should be promptly reported
directly to the board of directors (or its audit committee) and senior
management. In periodic meetings with management and the manager of
internal audit, the audit committee should assess whether management
is expeditiously resolving internal control weaknesses and other exceptions.
Moreover, the audit committee should give the manager of internal
audit the opportunity to discuss his or her findings without management
being present.
Furthermore, each audit committee should establish and
maintain procedures for employees of its institution to confidentially
and anonymously submit concerns to the committee about questionable
accounting, internal accounting control, or auditing matters.[10] In
addition, the audit committee
should set up procedures for the timely investigation of complaints
received and the retention for a reasonable time period of documentation
concerning the complaint and its subsequent resolution.
Contingency planning. As
with any other function, the institution should have a contingency
plan to mitigate any significant discontinuity in audit coverage,
particularly for high-risk areas. Lack of contingency planning for
continuing internal audit coverage may increase the institution’s
level of operational risk.
Small Institutions
An effective system
of internal control and an independent internal audit function form
the foundation for safe and sound operations, regardless of an institution’s
size. As noted in the introduction, each institution should have an
internal audit function that is appropriate to its size and the nature
and scope of its activities. The procedures assigned to this function
should include adequate testing and review of internal controls and
information systems.
It is the responsibility of the audit committee and management
to carefully consider the extent of auditing that will effectively
monitor the internal control system after taking into account the
internal audit function’s costs and benefits. For institutions that
are large or have complex operations, the benefits derived from a
full-time manager of internal audit or an auditing staff likely outweigh
the cost. For small institutions with few employees and less complex
operations, however, these costs may outweigh the benefits. Nevertheless,
a small institution without an internal auditor can ensure that it
maintains an objective internal audit function by implementing a comprehensive
set of independent reviews of significant internal controls. The key
characteristic of such reviews is that the person(s) directing and/or
performing the review of internal controls is not also responsible
for managing or operating those controls. A person who is competent
in evaluating a system of internal control should design the review
procedures and arrange for their implementation. The person responsible
for reviewing the system of internal control should report findings
directly to the audit committee. The audit committee should evaluate
the findings and ensure that senior management has or will take appropriate
action to correct the control deficiencies.
U.S. Operations of Foreign Banking Organizations
The internal audit function of a foreign
banking organization (FBO) should cover its U.S. operations in its
risk assessments, audit plans, and audit programs. Its U.S.-domiciled
audit function, head-office internal audit staff, or some combination
thereof normally performs the internal audit of the U.S. operations.
Internal audit findings (including internal control deficiencies)
should be reported to the senior management of the U.S. operations
of the FBO and the audit department of the head office. Significant
adverse findings also should be reported to the head office’s senior
management and the board of directors or its audit committee.
Part II—Internal Audit Outsourcing Arrangements
Examples of Arrangements
An outsourcing arrangement is a contract
between an institution and an outsourcing vendor to provide internal
audit services. Outsourcing arrangements take many forms and are used
by institutions of all sizes. Some institutions consider entering
into these arrangements to enhance the quality of their control environment
by obtaining the services of a vendor with the knowledge and skills
to critically assess, and recommend improvements to, their internal
control systems.
The internal audit services under contract can be limited
to helping internal audit staff in an assignment for which they lack
expertise. Such an arrangement is typically under the control of the
institution’s manager of internal audit, and the outsourcing vendor
reports to him or her. Institutions often use outsourcing vendors
for audits of areas requiring more technical expertise, such as electronic
data processing and capital markets activities. Such uses are often
referred to as “internal audit assistance” or “audit co-sourcing.”
Some outsourcing arrangements are structured so that an
outsourcing vendor performs virtually all the procedures or tests
of the system of internal control. Under such an arrangement, a designated
manager of internal audit oversees the activities of the outsourcing
vendor and typically is supported by internal audit staff. The outsourcing
vendor may assist the audit staff in determining risks to be reviewed
and may recommend testing procedures, but the internal audit manager
is responsible for approving the audit scope, plan, and procedures
to be performed. Furthermore, the internal audit manager is responsible
for the results of the outsourced audit work, including findings,
conclusions, and recommendations. The outsourcing vendor may report
these results jointly with the internal audit manager to the audit
committee.
Additional Considerations for Internal Audit Outsourcing Arrangements
Even when outsourcing vendors provide internal audit
services, the board of directors and senior management of an institution
are responsible for ensuring that both the system of internal control
and the internal audit function operate effectively. In any outsourced
internal audit arrangement, the institution’s board of directors and
senior management must maintain ownership of the internal audit function
and provide active oversight of outsourced activities. When negotiating
the outsourcing arrangement with an outsourcing vendor, an institution
should carefully consider its current and anticipated business risks
in setting each party’s internal audit responsibilities. The outsourcing
arrangement should not increase the risk that a breakdown of internal
control will go undetected.
To clearly distinguish its duties from those of the outsourcing
vendor, the institution should have a written contract, often taking
the form of an engagement letter.[11] Contracts between the institution
and the vendor typically include provisions that—
- define the expectations and responsibilities under
the contract for both parties;
- set the scope and frequency of, and the fees to be
paid for, the work to be performed by the vendor;
- set the responsibilities for providing and receiving
information, such as the type and frequency of reporting to senior
management and directors about the status of contract work;
- establish the process for changing the terms of the
service contract, especially for expansion of audit work if significant
issues are found, and stipulations for default and termination of
the contract;
- state that internal audit reports are the property
of the institution, that the institution will be provided with any
copies of the related workpapers it deems necessary, and that employees
authorized by the institution will have reasonable and timely access
to the workpapers prepared by the outsourcing vendor;
- specify the locations of internal audit reports and
the related workpapers;
- specify the period of time (for example, seven years)
that vendors must maintain the workpapers;[12]
- state that outsourced internal audit services provided
by the vendor are subject to regulatory review and that examiners
will be granted full and timely access to the internal audit reports
and related workpapers prepared by the outsourcing vendor;
- prescribe a process (arbitration, mediation, or other
means) for resolving disputes and for determining who bears the cost
of consequential damages arising from errors, omissions, and negligence;
and
- state that the outsourcing vendor will not perform
management functions, make management decisions, or act or appear
to act in a capacity equivalent to that of a member of management
or an employee and, if applicable, will comply with AICPA, U.S. Securities
and Exchange Commission (SEC), Public Company Accounting Oversight
Board (PCAOB), or regulatory independence guidance.
Vendor competence. Before entering an outsourcing arrangement, the institution should
perform due diligence to satisfy itself that the outsourcing vendor
has sufficient staff qualified to perform the contracted work. The
staff’s qualifications may be demonstrated, for example, through prior
experience with financial institutions. Because the outsourcing arrangement
is a personal-services contract, the institution’s internal audit
manager should have confidence in the competence of the staff assigned
by the outsourcing vendor and receive timely notice of key staffing
changes. Throughout the outsourcing arrangement, management should
ensure that the outsourcing vendor maintains sufficient expertise
to effectively perform its contractual obligations.
Management. Directors and senior management
should ensure that the outsourced internal audit function is competently
managed. For example, larger institutions should employ sufficient
competent staff members in the internal audit department to assist
the manager of internal audit in overseeing the outsourcing vendor.
Small institutions that do not employ a full-time audit manager should
appoint a competent employee who ideally has no managerial responsibility
for the areas being audited to oversee the outsourcing vendor’s performance
under the contract. This person should report directly to the audit
committee for purposes of communicating internal audit issues.
Communication. Communication
between the internal audit function and the audit committee and senior
management should not diminish because the institution engages an
outsourcing vendor. All work by the outsourcing vendor should be well
documented and all findings of control weaknesses should be promptly
reported to the institution’s manager of internal audit. Decisions
not to report the outsourcing vendor’s findings to directors and senior
management should be the mutual decision of the internal audit manager
and the outsourcing vendor. In deciding what issues should be brought
to the board’s attention, the concept of “materiality,” as the term
is used in financial statement audits, is generally not a good indicator
of which control weakness to report. For example, when evaluating
an institution’s compliance with laws and regulations, any exception
may be important.
Contingency
planning. When an institution enters into an outsourcing arrangement
(or significantly changes the mix of internal and external resources
used by internal audit), it may increase its operational risk. Because
the arrangement may be terminated suddenly, the institution should
have a contingency plan to mitigate any significant discontinuity
in audit coverage, particularly for high-risk areas.
Part III—Independence of the Independent Public Accountant
This part of the policy
statement relates only to an outsourcing vendor who is a public accountant
and is considering providing both external audit and internal audit
services to an institution.
When one accounting
firm performs both the external audit and the outsourced internal
audit function, the firm risks compromising its independence. These
concerns arise because, rather than having two separate functions,
this outsourcing arrangement places the independent public accounting
firm in the position of appearing to audit, or actually auditing,
its own work. For example, in auditing an institution’s financial
statements, the accounting firm will consider the extent to which
it may rely on the internal control system, including the internal
audit function, in designing audit procedures.
The next three sections outline the applicability
of the SEC’s auditor independence requirements to public companies,
insured depository institutions subject to section 36 of the FDI Act,
and nonpublic institutions that are not subject to section 36. They
are followed by information on the AICPA’s independence guidance.
Institutions That Are Public Companies
To strengthen auditor independence,
Congress passed the Sarbanes-Oxley Act of 2002. Title II of this act
applies to any company that has a class of securities registered with
the SEC or the appropriate federal banking agency under section 12
of the Securities Exchange Act of 1934 or that is required to file
reports with the SEC under section 15(d) of that act,[13] i.e., a public
company. Within title II, section 201(a) prohibits an accounting firm
from acting as the external auditor of a public company during the
same period that the firm provides internal audit outsourcing services
to the company.[14] In addition, if a public
company’s external auditor will be providing auditing services and
nonaudit services, such as tax services, that are not otherwise prohibited
by section 201(a) of the Sarbanes-Oxley Act, title II also provides
that the company’s audit committee must preapprove each of these services.
The SEC adopted final rules implementing the nonaudit-service
prohibitions and audit committee preapproval requirements of title
II on January 22, 2003.[15] According
to these rules, an accountant is not independent if, at any point
during the audit and professional-engagement period, the accountant
provides internal audit outsourcing or other prohibited nonaudit services
to a public company audit client. These rules generally become effective
on May 6, 2003, although a one-year transition period is provided
for contractual arrangements in place as of that date. Under this
transition rule, an external auditor’s independence will not be deemed
to be impaired until May 6, 2004, if the auditor is performing internal
audit outsourcing and other prohibited nonaudit services for a public-company
audit client pursuant to a contract in existence on May 6, 2003. However,
the services being provided must not have impaired the auditor’s independence
under the preexisting-independence requirements of the SEC, the Independence
Standards Board, and the AICPA.
The SEC’s preexisting-auditor-independence requirements
are contained in regulations that were adopted in November 2000 and
became fully effective in August 2002.[16] Although
the SEC’s November 2000 regulations do not prohibit the outsourcing
of internal audit services to a public company’s independent public
accountant, they place conditions and limitations on internal audit
outsourcing.
Depository Institutions Subject to the Annual Audit and Reporting
Requirements of Section 36 of the FDI Act
Under section 36 as implemented by part 363 of the FDIC’s regulations,
each FDIC-insured depository institution with total assets of $500
million or more is required to have an annual audit performed by an
independent public accountant.[17] The part 363 guidelines address the
qualifications
of an independent public accountant engaged by such an institution
by stating that “[t]he independent public accountant should also be
in compliance with the AICPA’s
Code of Professional Conduct and meet the independence requirements and interpretations of the
SEC and its staff.”[18]
Thus, the guidelines provide for each FDIC-insured depository
institution with $500 million or more in total assets, whether or
not it is a public company, and its external auditor to comply with
the SEC’s auditor-independence requirements that are in effect during
the period covered by the audit. These requirements include the nonaudit-service
prohibitions and audit committee preapproval requirements implemented
by the SEC’s January 2003 auditor-independence rules once they take
effect May 6, 2003, subject to the transition rule for internal audit
outsourcing and other contracts in existence on that date described
in the preceding section. That transition rule provides that such
outsourcing arrangements will not impair an auditor’s independence
until May 6, 2004, provided certain conditions are met.[19]
Institutions Not Subject to Section 36 of the FDI Act That Are Neither
Public Companies nor Subsidiaries of Public Companies
The agencies have long
encouraged each institution not subject to section 36 of the FDI Act[20]
that is neither a public company nor a subsidiary of a public company
to have its financial statements audited by an independent public
accountant.[21] The agencies also encourage each such nonpublic institution
to follow the internal audit outsourcing prohibition in section 201(a)
of the Sarbanes-Oxley Act when the SEC’s January 2003 regulations
implementing this prohibition take effect, as discussed above for
institutions that are public companies.
As previously mentioned, some institutions seek to enhance
the quality of their control environment by obtaining the services
of an outsourcing vendor who can critically assess their internal
control system and recommend improvements. The agencies believe that
a small nonpublic institution with less-complex operations and limited
staff can, in certain circumstances, use the same accounting firm
to perform both an external audit and some or all of the institution’s
internal audit activities. These circumstances include, but are not
limited to, situations where—
- splitting the audit activities poses significant
costs or burden;
- persons with the appropriate specialized knowledge
and skills are difficult to locate and obtain;
- the institution is closely held and investors are not
solely reliant on the audited financial statements to understand the
financial position and performance of the institution; and
- the outsourced internal audit services are limited
in either scope or frequency.
In circumstances such as these, the agencies
view an internal audit outsourcing arrangement between a small nonpublic
institution and its external auditor as not being inconsistent with
their safety-and-soundness objectives for the institution.
When a small nonpublic institution
decides to hire the same firm to perform internal and external audit
work, the audit committee and the external auditor should pay particular
attention to preserving the independence of both the internal and
external audit functions. Furthermore, the audit committee should
document both that it has preapproved the internal audit outsourcing
to its external auditor and has considered the independence issues
associated with this arrangement.[22] In this regard, the audit committee
should consider the independence
standards described in parts I and II of this policy statement, the
AICPA guidance discussed in the following section, and the broad principles
that the auditor should not perform management functions or serve
in an advocacy role for the client.
Accordingly, the agencies will not consider an auditor
who performs internal audit outsourcing services for a small nonpublic
audit client to be independent unless the institution and its auditor
have adequately addressed the associated independence issues. In addition,
the institution’s board of directors and management must retain ownership
of and accountability for the internal audit function and provide
active oversight of the outsourced internal audit relationship.
A small nonpublic institution may be required by another
law or regulation, an order, or another supervisory action to have
its financial statements audited by an independent public accountant.
In this situation, if warranted for safety-and-soundness reasons,
the institution’s primary federal regulator may require that the institution
and its independent public accountant comply with the auditor independence
requirements of section 201(a) of the Sarbanes-Oxley Act.[23]

AICPA Guidance

As noted above, the independent public accountant for a depository
institution subject to section 36 of the FDI Act also should be in
compliance with the AICPA’s Code of Professional Conduct. This
code includes professional ethics standards, rules, and interpretations
that are binding on all certified public accountants (CPAs) who are
members of the AICPA in order for the member to remain in good standing.
Therefore, this code applies to each member CPA who provides audit
services to an institution, regardless of whether the institution
is subject to section 36 or is a public company.
The AICPA has issued guidance indicating that
a member CPA would be deemed not independent of his or her client
when the CPA acts or appears to act in a capacity equivalent to a
member of the client’s management or as a client employee. The AICPA’s
guidance includes illustrations of activities that would be considered
to compromise a CPA’s independence. Among these are activities that
involve the CPA authorizing, executing, or consummating transactions
or otherwise exercising authority on behalf of the client. For additional
details, refer to Interpretation 101-3, Performance of Other Services,
and Interpretation 101-13, Extended Audit Services, in the AICPA’s Code of Professional Conduct.
Part IV—Examination Guidance

Review of the Internal Audit Function and Outsourcing Arrangements

Examiners should have full and timely access to an institution’s internal
audit resources, including personnel, workpapers, risk assessments,
work plans, programs, reports, and budgets. A delay may require examiners
to widen the scope of their examination work and may subject the institution
to follow-up supervisory actions.
Examiners will assess the quality and scope of an institution’s
internal audit function, regardless of whether it is performed by
the institution’s employees or by an outsourcing vendor. Specifically,
examiners will consider whether—
- the internal audit function’s control risk assessment,
audit plans, and audit programs are appropriate for the institution’s
activities;
- the internal audit activities have been adjusted
for significant changes in the institution’s environment, structure,
activities, risk exposures, or systems;
- the internal audit activities are consistent with
the long-range goals and strategic direction of the institution and
are responsive to its internal control needs;
- the audit committee promotes the internal audit manager’s
impartiality and independence by having him or her directly report
audit findings to it;
- the internal audit manager is placed in the management
structure in such a way that the independence of the function is not
impaired;
- the institution has promptly responded to significant
identified internal control weaknesses;
- the internal audit function is adequately managed
to ensure that audit plans are met, programs are carried out, and
results of audits are promptly communicated to senior management and
members of the audit committee and board of directors;
- workpapers adequately document the internal audit
work performed and support the audit reports;
- management and the board of directors use reasonable
standards, such as the IIA’s Standards for the Professional Practice
of Internal Auditing, when assessing the performance of internal
audit; and
- the audit function provides high-quality advice and
counsel to management and the board of directors on current developments
in risk management, internal control, and regulatory compliance.
The examiner should assess the competence of
the institution’s internal audit staff and management by considering
the education, professional background, and experience of the principal
internal auditors.
In addition, when reviewing outsourcing arrangements,
examiners should determine whether—
- the arrangement maintains or improves the quality
of the internal audit function and the institution’s internal control;
- key employees of the institution and the outsourcing
vendor clearly understand the lines of communication and how any internal
control problems or other matters noted by the outsourcing vendor
are to be addressed;
- the scope of the outsourced work is revised appropriately
when the institution’s environment, structure, activities, risk exposures,
or systems change significantly;
- the directors have ensured that the outsourced internal
audit activities are effectively managed by the institution;
- the arrangement with the outsourcing vendor satisfies
the independence standards described in this policy statement and
thereby preserves the independence of the internal audit function,
whether or not the vendor is also the institution’s independent public
accountant; and
- the institution has performed sufficient due diligence
to satisfy itself of the vendor’s competence before entering into
the outsourcing arrangement and has adequate procedures for ensuring
that the vendor maintains sufficient expertise to perform effectively
throughout the arrangement.
Concerns About the Adequacy of the Internal Audit Function

If the examiner concludes that the institution’s internal audit function,
whether or not it is outsourced, does not sufficiently meet the institution’s
internal audit needs, does not satisfy the Interagency Guidelines
Establishing Standards for Safety and Soundness, if applicable,[24]
or is otherwise inadequate, he or
she should consider adjusting the scope of the examination. The examiner
should also discuss his or her concerns with the internal audit manager
or other person responsible for reviewing the system of internal control.
If these discussions do not resolve the examiner’s concerns, he or
she should bring these matters to the attention of senior management
and the board of directors or audit committee. Should the examiner
find material weaknesses in the internal audit function or the internal
control system, he or she should discuss them with appropriate agency
staff in order to determine the appropriate actions the agency should
take to ensure that the institution corrects the deficiencies. These
actions may include formal and informal enforcement actions.
The institution’s management and
composite ratings should reflect the examiner’s conclusions regarding
the institution’s internal audit function. The report of examination
should contain comments concerning the adequacy of this function,
significant issues or concerns, and recommended corrective actions.
Concerns About the Independence of the Outsourcing Vendor

An examiner’s initial review of an internal audit outsourcing arrangement,
including
the actions of the outsourcing vendor, may raise questions about the
institution’s and its vendor’s adherence to the independence standards
described in parts I and II of this policy statement, whether or not
the vendor is an accounting firm, and in part III if the vendor provides
both external and internal audit services to the institution. In such
cases, the examiner first should ask the institution and the outsourcing
vendor how the audit committee determined that the vendor was independent.
If the vendor is an accounting firm, the audit committee should be
asked to demonstrate how it assessed that the arrangement has not
compromised applicable SEC, PCAOB, AICPA, or other regulatory standards
concerning auditor independence. If the examiner’s concerns are not
adequately addressed, the examiner should discuss the matter with
appropriate agency staff prior to taking any further action.
If the agency staff concurs that
the independence of the external auditor or other vendor appears to
be compromised, the examiner will discuss his or her findings and
the actions the agency may take with the institution’s senior management,
board of directors (or audit committee), and the external auditor
or other vendor. In addition, the agency may refer the external auditor
to the state board of accountancy, the AICPA, the SEC, the PCAOB,
or other authorities for possible violations of applicable independence
standards. Moreover, the agency may conclude that the institution’s
external auditing program is inadequate and that it does not comply
with auditing and reporting requirements, including sections 36 and
39 of the FDI Act and related guidance and regulations, if applicable.
Issued jointly by the Board, the Federal Deposit Insurance
Corporation, the Office of the Comptroller of the Currency, and the
Office of Thrift Supervision Dec. 22, 1997 (SR-97-35) and revised
March 17, 2003 (SR-03-5).