
FDIC Publishes New Internal Audit Guidance


Federal Financial Regulators Release New Audit Independence Guidance

The federal banking and thrift regulatory agencies recently revised their guidance on the independence of accountants who provide institutions with both external and internal audit services to reflect the provisions of the Sarbanes-Oxley Act of 2002.

The updated Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, which replaces a policy issued in 1997, also reflects the agencies' experience with the 1997 policy and incorporates recent developments in internal auditing. It was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

Legislative and Regulatory Background

The Sarbanes-Oxley Act and recently adopted Securities and Exchange Commission (SEC) rules prohibit an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit services to the company. The revised policy statement separately discusses the applicability of this prohibition to institutions that are public companies and insured depository institutions with $500 million or more in assets that are subject to annual audits.

In addition to changes related to the Sarbanes-Oxley Act, the agencies enhanced the 1997 policy statement's discussion of the responsibilities of the board of directors and senior management with respect to the internal audit function and its placement within an organization, its management and staffing, and the communication of concerns and weaknesses in accounting and internal control. The policy also reiterates the need for institutions to maintain strong systems of internal control, including internal controls over financial and regulatory reporting, and high quality internal audit programs. Expanded guidance has been provided on the use of independent reviews of significant internal controls by small institutions that do not have a formal internal audit manager or staff. The policy statement also includes guidance for examiners on addressing concerns they may have about the adequacy of the internal audit function or related outsourcing arrangements.

Introduction

To address various quality and resource issues, many institutions have been engaging independent public accounting firms and other outside professionals (outsourcing vendors) in recent years to perform work that traditionally has been done by internal auditors. These arrangements are often called "internal audit outsourcing," "internal audit assistance," "audit co-sourcing," and "extended audit services" (hereafter collectively referred to as outsourcing).

Internal audit outsourcing may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. However, the agencies have concerns that the structure, scope, and management of some internal audit outsourcing arrangements do not contribute to the institution's safety and soundness. Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.

An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution's size. As noted in the Introduction, each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities. The procedures assigned to this function should include adequate testing and review of internal controls and information systems.

It is the responsibility of the audit committee and management to carefully consider the extent of auditing that will effectively monitor the internal control system after taking into account the internal audit function's costs and benefits. For institutions that are large or have complex operations, the benefits derived from a full-time manager of internal audit or an auditing staff likely outweigh the cost. For small institutions with few employees and less complex operations, however, these costs may outweigh the benefits. Nevertheless, a small institution without an internal auditor can ensure that it maintains an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls. The key characteristic of such reviews is that the person(s) directing and/or performing the review of internal controls is not also responsible for managing or operating those controls. A person who is competent in evaluating a system of internal control should design the review procedures and arrange for their implementation. The person responsible for reviewing the system of internal control should report findings directly to the audit committee. The audit committee should evaluate the findings and ensure that senior management has taken or will take appropriate action to correct the control deficiencies.

Outsourcing Arrangements

An outsourcing arrangement is a contract between an institution and an outsourcing vendor to provide internal audit services. Outsourcing arrangements take many forms and are used by institutions of all sizes. Some institutions consider entering into these arrangements to enhance the quality of their control environment by obtaining the services of a vendor with the knowledge and skills to critically assess, and recommend improvements to, their internal control systems.

The internal audit services under contract can be limited to helping internal audit staff in an assignment for which they lack expertise. Such an arrangement is typically under the control of the institution's manager of internal audit, and the outsourcing vendor reports to him or her. Institutions often use outsourcing vendors for audits of areas requiring more technical expertise, such as electronic data processing and capital markets activities. Such uses are often referred to as "internal audit assistance" or "audit co-sourcing."

Some outsourcing arrangements are structured so that an outsourcing vendor performs virtually all the procedures or tests of the system of internal control. Under such an arrangement, a designated manager of internal audit oversees the activities of the outsourcing vendor and typically is supported by internal audit staff. The outsourcing vendor may assist the audit staff in determining risks to be reviewed and may recommend testing procedures, but the internal audit manager is responsible for approving the audit scope, plan, and procedures to be performed. Furthermore, the internal audit manager is responsible for the results of the outsourced audit work, including findings, conclusions, and recommendations. The outsourcing vendor may report these results jointly with the internal audit manager to the audit committee.

Considerations When Outsourcing Internal Audit

When outsourcing vendors provide internal audit services, the board of directors and senior management of an institution are responsible for ensuring that both the system of internal control and the internal audit function operate effectively. In any outsourced internal audit arrangement, the institution's board of directors and senior management must maintain ownership of the internal audit function and provide active oversight of outsourced activities. When negotiating the outsourcing arrangement with an outsourcing vendor, an institution should carefully consider its current and anticipated business risks in setting each party's internal audit responsibilities. The outsourcing arrangement should not increase the risk that a breakdown of internal control will go undetected.

To clearly distinguish its duties from those of the outsourcing vendor, the institution should have a written contract, often taking the form of an engagement letter. Contracts between the institution and the vendor typically include provisions that:

  • Define the expectations and responsibilities under the contract for both parties;
  • Set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor;
  • Set the responsibilities for providing and receiving information, such as the type and frequency of reporting to senior management and directors about the status of contract work;
  • Establish the process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
  • State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the workpapers prepared by the outsourcing vendor;
  • Specify the locations of internal audit reports and the related workpapers;
  • Specify the period of time that vendors must maintain the workpapers;
  • State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related workpapers prepared by the outsourcing vendor;
  • Prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and
  • State that the outsourcing vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with AICPA, U.S. Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), or regulatory independence guidance.

Vendor Competence

Before entering an outsourcing arrangement, the institution should perform due diligence to satisfy itself that the outsourcing vendor has sufficient staff qualified to perform the contracted work. The staff's qualifications may be demonstrated, for example, through prior experience with financial institutions. Because the outsourcing arrangement is a personal-services contract, the institution's internal audit manager should have confidence in the competence of the staff assigned by the outsourcing vendor and receive timely notice of key staffing changes. Throughout the outsourcing arrangement, management should ensure that the outsourcing vendor maintains sufficient expertise to effectively perform its contractual obligations.



Portions excerpted from FDIC Interagency Policy Statement on the Internal Audit Function and Its Outsourcing (March 17, 2003)