Date: March 17, 2003
Description: Revised guidance on internal audit and its outsourcing
The guidance attached to this bulletin continues to apply to federal savings associations.
The attached "Interagency Policy Statement on the Internal Audit Function and its Outsourcing" replaces the original policy statement issued on December 22, 1997. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (agencies) jointly issued the revised policy statement on March 17, 2003.
The agencies revised the policy statement to reflect recent events and current directions within the financial, audit, and regulatory industries. Chief among these is the passage of the Sarbanes–Oxley Act of 2002 (Sarbanes-Oxley). That act, signed into law on July 30, 2002, establishes numerous independence parameters for audit firms that provide external audit, outsourced internal audit, and other non-audit services for financial institutions.
Consistent with Sarbanes-Oxley, the attached policy statement prohibits publicly-held national banks, publicly held national bank holding companies, and national banks subject to 12 CFR 363 from using the same accounting firm to perform both external audit and outsourced internal audit work. Other national banks required to have a financial statement audit by an independent public accountant, or that are not subject to 12 CFR 363, are encouraged to follow the auditor independence guidance contained in the interagency statement, consistent with their size and complexity. The guidance reflects the broad principles that audit firms that perform a bank's internal and external audit should not audit their own work, perform management functions for the same bank, or act as an advocate for the same bank.
The revised policy statement also contains additional discussion and guidance pertaining to:
- Board and audit committee responsibilities.
- Internal audit function reporting lines within the bank's organizational structure.
- Internal audit's role as a consultant to the bank's board or management.
- Independent reviews of significant internal controls for small banks that don't have a formal internal audit manager or staff.
- U.S. operations of foreign banking organizations.
- Oversight of outsourced internal audit activities, including expanded provisions for engagement letters.
- Examiner guidance.
The OCC encourages bank boards and audit committees, their internal and external auditors, and examiners to meet and discuss the revised policy statement to ensure compliance with relevant provisions of the statement. To that end, bank CEOs are requested to distribute copies of this policy statement to all members of their boards of directors.
For more information, contact the Office of the Chief Accountant (202) 649-6550.
Emory W. Rushton Senior Deputy Comptroller and Chief National Bank Examiner