The federal
banking and thrift regulatory agencies today revised their guidance on the
independence of accountants who provide institutions with both external and
internal audit services to reflect the provisions of the Sarbanes-Oxley Act of
2002.
The updated
Interagency Policy Statement on the Internal Audit Function and Its
Outsourcing, which replaces a policy issued in 1997, also reflects the
agencies’ experience with the 1997 policy and incorporates recent developments
in internal auditing. It was
issued by the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the Office of the Comptroller of the Currency,
and the Office of Thrift Supervision.
The
Sarbanes-Oxley Act and recently adopted Securities and Exchange Commission
(SEC) rules prohibit an accounting firm from acting as the external auditor of
a public company during the same period that the firm provides internal audit
services to the company. The
revised policy statement separately discusses the applicability of this
prohibition to institutions that are public companies; insured depository
institutions with $500 million or more in assets that are subject to the annual
audit and reporting requirements of Section 36 of the Federal Deposit Insurance
Act; and non-public institutions that are not subject to Section 36.
The existing
guidelines for institutions subject to Section 36 provide for their external
auditors to meet the SEC’s independence requirements.
Auditors for these institutions, whether or not they are public
companies, should comply with the prohibition on internal audit outsourcing in
the SEC’s rules.
The policy
statement encourages non-public institutions not subject to Section 36, which
includes non-public depository institutions with less than $500 million in
assets, to refrain from outsourcing internal audit activities to their external
auditor. If such an institution
decides to use the same firm for both internal and external audit work,
however, the audit committee should document its consideration of the
independence issues associated with this arrangement.
In addition to
changes related to the Sarbanes-Oxley Act, the agencies enhanced the 1997
policy statement’s discussion of the responsibilities of the board of directors
and senior management with respect to the internal audit function and its
placement within an organization, its management and staffing, and the
communication of concerns and weaknesses in accounting and internal control.
The policy also reiterates the need for institutions to maintain strong
systems of internal control, including internal controls over financial and
regulatory reporting, and high quality internal audit programs.
Expanded guidance has been provided on the use of independent reviews of
significant internal controls by small institutions that do not have a formal
internal audit manager or staff. The
policy statement also includes guidance for examiners on addressing concerns
they may have about the adequacy of the internal audit function or related
outsourcing arrangements.
# # #
Attachment
Media Contacts:
Federal Reserve
Dave Skidmore
(202) 452-2955
FDIC
David Barr
(202) 898-6992
OCC
Bob Garsson
(202) 874-5770
OTS
Sam Eskenazi
(202) 906-6677