Seal of the Board of Governors of the Federal Reserve System
BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C.  20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 03-5
April 22, 2003

TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISORY AND EXAMINATION STAFF AT EACH FEDERAL RESERVE BANK AND TO DOMESTIC AND FOREIGN BANKING ORGANIZATIONS SUPERVISED BY THE FEDERAL RESERVE
SUBJECT:  Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

The Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have issued the attached, amended policy statement, Internal Audit Function and its Outsourcing. The amended policy statement supersedes the interagency policy statement on this subject that was issued December 22, 1997 (SR letter 97-35). The amendments to the 1997 policy statement provide more guidance to institutions seeking to enhance the independence and effectiveness of their internal audit function.

The 1997 policy statement was amended to bring supervisory policy regarding the external auditor in concordance with the prohibition on internal audit outsourcing imposed by the Sarbanes-Oxley Act of 2002 and pertinent regulations of the U.S. Securities and Exchange Commission. The FDIC guidelines implementing Section 36 of the Federal Deposit Insurance Act refer to SEC auditor independence regulations for the purpose of meeting Section 36's audit requirements. As a result, banking organizations subject to Section 36 -- essentially those with $500 million or more in assets -- should comply with the Sarbanes-Oxley Act prohibition on internal audit outsourcing to their external auditor. Institutions that are neither subject to Section 36 nor SEC registrants are encouraged in the amended policy statement not to use their external auditor to perform internal audit services. 

In explaining the prohibitions on non-audit services, the Sarbanes-Oxley Act describes three broad principles that define potential conflicts of interest for an external auditor. The principles are that an external auditor should not: (i) audit his or her own work; (ii) perform management functions; or (iii) act in an advocacy role for the client. Institutions should use these principles as a framework for analyzing existing or proposed non-audit services in order to avoid potential conflicts of interest for the external auditor.

Other issues besides outsourcing internal audit to the external auditor can significantly affect the internal audit function. Management reporting and corporate governance issues have an important bearing on the independence of the internal audit function. Staff competence and resources are key determinants in the effectiveness of the internal audit function. 

This guidance is effective immediately for all bank holding companies, state member banks, and the U.S. operations of foreign banking organizations. Reserve Banks are asked to send a copy of this SR letter and the amended interagency statement to senior management at domestic and foreign banking organizations supervised by the Federal Reserve.

If you have any questions, please call Gerald A. Edwards, Jr., Associate Director and Chief Accountant - Supervision (202/452-2741), Charles Holm, Assistant Director (202/452-3502), or Gregory Eller, Project Manager (202/452-5277).

Herbert A.  Biern
Senior Associate Director


Attachment:
Interagency Policy Statement on the Internal Audit Function and its Outsourcing (1,199 KB PDF)
Supersede:
SR letter 97-35
SR letters | 2003
Home | Banking information and regulation
Accessibility | Contact Us
Last update: February 21, 2006