TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISION AND EXAMINATION PERSONNEL AT EACH FEDERAL RESERVE BANK AND TO DOMESTIC AND FOREIGN BANKING ORGANIZATIONS SUPERVISED BY THE FEDERAL RESERVE
On December 22, 1997, the Federal Reserve Board and the other federal banking
regulators issued a joint policy statement that describes sound practices for managing the internal
audit function, with a major section on internal audit outsourcing. The policy statement
reiterates that directors and senior managers are responsible for ensuring the system of internal
control is adequate for the nature and scope of the banking organization's business. To properly
meet this responsibility, directors should have in place a means for assessing the effectiveness of
the internal control process. This assessment is typically performed by an internal audit function.
The policy focuses on issues that directors should consider in establishing and maintaining an internal audit function:
When the internal audit function is outsourced, the directors need to ensure that
these principles continue to be addressed. Furthermore, since the internal audit function has
shifted from an employee/employer relationship to a vendor contractual arrangement, additional
issues must be considered. The institution and the vendor also must make provisions that allow
examiners to have access to the vendor's audit reports and related workpapers.
The policy statement provides examiners with guidance for assessing the quality
and effectiveness of an organization's internal audit function. It guides the examiner in
appraising how well the institution has responded to the issues raised in the policy statement for
managing its internal audit function. When the internal audit function is outsourced to a vendor,
the examiner will appraise how the arrangement affects the quality of the internal audit function.
The policy statement also summarizes and interprets for the examiner the
AICPA's ethics guidelines for accountants who serve as a bank's external auditor and act as its
internal-audit outsourcing vendor. Under the ethics rules, CPAs who audit a firm's financial
statements (or other assurance services requiring independence) are generally permitted to
provide outsourcing services to the firm, so long as the CPA does not assume a management or
employee role in either fact or appearance. The policy statement establishes a process for
examiners to follow with the organization and supervisory staff for resolving instances where the
CPA's independence appears to the examiner to be impaired.
This guidance is effective immediately for all bank holding companies, FDIC-insured banks and savings associations, and the U.S. operations of foreign banking organizations.
A copy of this SR letter and the interagency statement should be sent to senior managers of all
banking organizations supervised by your Federal Reserve Bank. If you have any questions,
please call Gerald A. Edwards, Jr., Deputy Associate Director, (202/452-2741), or Gregory Eller,
Senior Supervisory Financial Analyst (202/452-5277).
SUBJECT: Interagency Guidance on the Internal Audit Function and its Outsourcing
The enclosed letter from the Board's Division of Banking Supervision and
Regulation transmits a joint policy statement developed by the Federal Reserve and the other
federal banking agencies. The policy describes sound practices for managing the internal audit
function and contains a major section on internal audit outsourcing.
The supervisory letter and the interagency policy statement are being distributed to organizations supervised by the Federal Reserve because they contain important information
and guidance on the responsibilities of directors and senior management for ensuring that a
banking organization's systems of internal control, including the internal audit function, are
adequate for the nature and scope of the organization's lines of business. To properly meet their
responsibilities, directors should have in place a means for assessing the effectiveness of the
internal control process.
The policy statement also provides guidance on sound practices for audit
outsourcing arrangements and provides examiner guidance when questions arise about the
independence of an outsourcing firm that serves as a bank's external auditor.
If you have any questions regarding the attached policy statement, please call [name, title] of the Federal Reserve Bank of [district]. You may also contact Gerald A. Edwards,
Jr., Deputy Associate Director, (202/452-2741) or Gregory Eller, Senior Supervisory Financial
Analyst, (202/452-5277) of the Federal Reserve Board.
Home | SR letters | 1997
For comments on this site, please fill out our feedback