On December 22, 1997, the Federal Reserve Board and the other federal banking regulators issued a joint policy statement that describes sound practices for managing the internal audit function, with a major section on internal audit outsourcing.  The policy statement reiterates that directors and senior managers are responsible for ensuring the system of internal control is adequate for the nature and scope of the banking organization's business.  To properly meet this responsibility, directors should have in place a means for assessing the effectiveness of the internal control process.  This assessment is typically performed by an internal audit function.

                        The policy focuses on issues that directors should consider in establishing and maintaining an internal audit function:

• Organizational structure:  The reporting lines of the internal audit function should be such that the information directors receive is impartial and not unduly influenced by management.
  

• Internal audit management, staff and quality control:  The internal audit manager should have the competence to deal with the organization's current and planned business lines.  Similarly, staff should have the expertise and resources to adequately assess the effectiveness of internal controls.  Furthermore, organizations are encouraged to compare themselves against professional standards (such as those of the Institute of Internal Auditors) as a benchmark for judging the quality of their internal audit work.
  

• Scope:  The frequency and extent of internal audit review and testing should be consistent with the nature, complexity, and risk of the institution's on- and off- balance-sheet activities.  Directors should approve the scope of internal audit's work to ensure that all important areas are covered.
  

• Communication:  Directors need to promote forthright discussion of audit issues and critical examination of problems.  This will help ensure that the directors are fully informed about malfunctions in the system of internal control and that management is accountable if the problems are not promptly resolved.  Internal control deficiencies should be promptly reported by internal audit to the appropriate manager as they are identified; more serious matters should also be reported to the board of directors.  Periodically, the board or audit committee should meet with management and internal audit to determine whether these deficiencies are being promptly resolved. 
  

                        When the internal audit function is outsourced, the directors need to ensure that these principles continue to be addressed.  Furthermore, since the internal audit function has shifted from an employee/employer relationship to a vendor contractual arrangement, additional issues must be considered.  The institution and the vendor also must make provisions that allow examiners to have access to the vendor's audit reports and related workpapers.

                        The policy statement provides examiners with guidance for assessing the quality and effectiveness of an organization's internal audit function.  It guides the examiner in appraising how well the institution has responded to the issues raised in the policy statement for managing its internal audit function.  When the internal audit function is outsourced to a vendor, the examiner will appraise how the arrangement affects the quality of the internal audit function.

                        The policy statement also summarizes and interprets for the examiner the AICPA's ethics guidelines for accountants who serve as a bank's external auditor and act as its internal-audit outsourcing vendor.  Under the ethics rules, CPAs who audit a firm's financial statements (or other assurance services requiring independence) are generally permitted to provide outsourcing services to the firm, so long as the CPA does not assume a management or employee role in either fact or appearance.  The policy statement establishes a process for examiners to follow with the organization and supervisory staff for resolving instances where the CPA's independence appears to the examiner to be impaired.

                        This guidance is effective immediately for all bank holding companies, FDIC-insured banks and savings associations, and the U.S. operations of foreign banking organizations. A copy of this SR letter and the interagency statement should be sent to senior managers of all banking organizations supervised by your Federal Reserve Bank.  If you have any questions, please call Gerald A. Edwards, Jr., Deputy Associate Director, (202/452-2741), or Gregory Eller, Senior Supervisory Financial Analyst (202/452-5277).

Attachments

Suggested transmittal letter to state member banks, bank holding companies, and U.S. offices of foreign banking organizations supervised by the Federal Reserve:

[To the Chief Executive Officer of the Banking Organization]

SUBJECT:    Interagency Guidance on the Internal Audit Function and its Outsourcing

                        The enclosed letter from the Board's Division of Banking Supervision and Regulation transmits a joint policy statement developed by the Federal Reserve and the other federal banking agencies.  The policy describes sound practices for managing the internal audit function and contains a major section on internal audit outsourcing. 

                        The supervisory letter and the interagency policy statement are being distributed to organizations supervised by the Federal Reserve because they contain important information and guidance on the responsibilities of directors and senior management for ensuring that a banking organization's systems of internal control, including the internal audit function, are adequate for the nature and scope of the organization's lines of business.  To properly meet their responsibilities, directors should have in place a means for assessing the effectiveness of the internal control process.

                        The policy statement also provides guidance on sound practices for audit outsourcing arrangements and provides examiner guidance when questions arise about the independence of an outsourcing firm that serves as a bank's external auditor.

                        If you have any questions regarding the attached policy statement, please call [name, title] of the Federal Reserve Bank of [district].  You may also contact Gerald A. Edwards, Jr., Deputy Associate Director, (202/452-2741) or Gregory Eller, Senior Supervisory Financial Analyst, (202/452-5277) of the Federal Reserve Board.

Interagency Policy Statement on the Internal Audit Function and its Outsourcing (33K PDF3)

AICPA Professional Rulings and Interpretations Referenced in the Interagency Policy Statement (15K PDF3)

Return to top

For comments on this site, please fill out our feedback form.
Last update: December 23, 1997 12:00 PM