Regulators Issue Joint Policy Statement on Internal Audit Outsourcing

The Federal Reserve Board, FDIC, OCC and OTS issued an Interagency Policy Statement on the Internal Audit Function and its Outsourcing on March 17, 2003. The Policy Statement, which replaces previous policy statements on the issue, revises the regulators' guidance on the independence of accountants who provide both external and internal audit services.

The Policy Statement was necessary as a result of the Sarbanes-Oxley Act of 2002, broad corporate governance legislation adopted in response to the Enron, Global Crossing, WorldCom and other corporate scandals.

Existing Audit Guidelines

Under Section 36 of the Federal Deposit Insurance Act (the "FDI Act"), as implemented by the FDIC's regulations (12 CFR Part 363), FDIC-insured depository institutions with total assets of $500 million or more must prepare annual financial statements in accordance with GAAP, which must be audited by independent public accountants. They must submit to the banking regulators the audit reports along with an annual management report signed by the CEO and chief accounting or chief financial officer. The management report must discuss management's responsibility for financial reporting controls and assess the effectiveness of those controls as well as the institution's compliance with designated laws and regulations.

The agencies' long-standing examination policies call for examiners to review an institution's internal audit function and recommend improvements, if needed. In addition, the agencies have adopted Interagency Guidelines Establishing Standards for Safety and Soundness (the "Guidelines") that apply to insured institutions. Under these Guidelines and policies, each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities.

Concerns Raised by Outsourcing of Internal Audit Functions

Outsourcing arrangements take varied forms and are used by institutions of all sizes. The banking regulators recognize that an outsourcing arrangement may be beneficial to an institution if it is properly structured, carefully conducted and prudently managed. However, when the auditors engaged to perform internal audit functions are also an institution's external auditors, the audit firm risks compromising its independence because the outsourcing arrangement places the firm in the position of appearing to audit, or actually auditing, its own work.

The agencies have also expressed concern that the structure, scope and management of some internal audit outsourcing arrangements may give directors and senior management the erroneous impression that they have been relieved of their responsibilities for maintaining an effective system of internal control and for overseeing the internal audit function.

Existing Audit Guidelines

The Policy Statement was prompted by the adoption of the Sarbanes-Oxley Act, and the promulgation of related rules by the Securities and Exchange Commission in January 2003. Section 201(a) of Sarbanes-Oxley prohibits an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit outsourcing services to the company. In addition, if a public company's external auditor will be providing non-audit services, such as tax services, that are not otherwise prohibited by Section 201(a), the company's audit committee must pre-approve each of these services.

Under the new SEC rules, an accountant is not deemed "independent" if, at any point during the audit engagement period, the accountant provides internal audit outsourcing or other prohibited non-audit services to a public company audit client. The rules are effective on May 6, 2003. However, under a transition rule, an external auditor's independence will not be deemed to be impaired until May 6, 2004, if the auditor is performing internal audit outsourcing and other prohibited non-audit services pursuant to a contract in existence on May 6, 2003.

Effect on Depository Institutions

The Guidelines' provisions for auditor independence key to the SEC's rules. They state that the independent public accountant should also be in compliance with the Code of Professional Conduct of the American Institute of Certified Public Accountants and must "meet the independence requirements and interpretations of the SEC and its staff."

Consequently, the Policy Statement advises that each covered FDIC-insured institution, whether or not it is a public company, and its external auditor must comply with the SEC's auditor independence requirements that are in effect during the period covered by the audit. These requirements will include the SEC's non-audit service prohibitions and audit committee pre-approval requirements, subject to the transition rule described above.

Effect on Institutions Not Subject to the Annual Audit Requirements

Federal banking agencies have long encouraged all financial institutions, even if not subject to Section 36 of the FDI Act, to have their financial statements audited by an independent public accountant. The Policy Statement makes clear that the agencies now also encourage non-public institutions to follow the Sarbanes-Oxley internal audit outsourcing prohibition.

The agencies believe that small non-public institutions with less complex operations and limited staff can, in certain circumstances, use the same accounting firm to perform both an external audit and some or all of the institution's internal audit activities. As set forth in the Policy Statement, these circumstances include, but are not limited to, situations where:

  • Splitting the audit activities poses significant costs or burden;

  • Persons with the appropriate specialized knowledge and skills are difficult to locate and retain;

  • The institution is closely held and investors are not solely reliant on the audited financial statements to understand the financial position and performance of the institution; and

  • The outsourced internal audit services are limited in either scope or frequency.
In circumstances such as these, the agencies view an internal audit outsourcing arrangement between a small non-public institution and its external auditor as not being inconsistent with the safety and soundness objectives for the institution.

When a small non-public institution decides to hire the same firm to perform internal and external audit work, the agencies warn that the audit committee and the external auditor should pay particular attention to preserving the independence of both functions. Further, the audit committee should document both that it has pre-approved the internal audit outsourcing and has considered the related independence issues.

Accordingly, the agencies will not consider an auditor who performs internal audit outsourcing services for a small non-public client to be independent unless the institution and its auditor have adequately addressed the associated independence issues. In addition, the institution's board and management must take all necessary steps to retain ownership of and accountability for the internal audit function and provide active oversight of the outsourced relationship.

Quarles & Brady Comment

Corporate governance issues have become a hot topic for companies of all kinds, given the publicity that has been given to corporate scandals and Congress' response in the Sarbanes-Oxley Act. Although most provisions of Sarbanes-Oxley apply only to publicly-traded companies, the recent Policy Statement is an important example of how these new provisions may begin to apply, even if indirectly, to financial institutions.

In this climate, financial institutions would also do well to examine their corporate governance generally, whether or not changes are required by Sarbanes-Oxley or by the regulators. Given public and congressional concern, a review of an entity's procedures for dealing with shareholders, board and committee membership, adequacy and accuracy of its financial information, and other matters of corporate ethics is more timely than ever.

The Policy Statement may be found at on the FDIC's website. For more information on how the Policy Statement may affect you, please contact Kenneth V. Hallett at (414) 277-5345 /, Hoyt R. Stastney at (414) 277-5143 / or your Quarles & Brady attorney.

Quarles & Brady's Corporate Services Group has prepared numerous client updates focusing on publicly-held clients relating to Sarbanes-Oxley and related issues. You may access copies of these updates at or by request to your Quarles & Brady attorney. We encourage you to contact your Quarles & Brady attorney to discuss any concerns or questions you may have relating to the Policy Statement. Please let us know if you would like a paper copy of the release, or assistance in complying with the new requirements.