ICBA - Publications - Agencies Revise Internal Audit Guidance

Agencies Revise Internal Audit Guidance

MARCH 21, 2003


Agencies Revise Internal Audit Guidance

In the wake of SEC regulations implementing the Sarbanes-Oxley Act's public company auditor independence provisions, bank regulators have revised guidance for all banks on using the same accounting firm for both internal and external audits. The revised interagency policy statement on the internal audit function and its outsourcing replaces a policy issued in 1997.

The Federal Deposit Insurance Act requires banks with $500 million or more in assets to have an annual external audit performed by a public accountant that meets SEC independence standards. Thus, such banks, whether public or not, must comply with the SEC's new auditor independence requirements (and transitional rules) that take effect on May 6, 2003, and must separate the internal and external audit function. The revised policy encourages non-public institutions with less than $500 million in assets to refrain from outsourcing internal audit activities to their external auditor. If a bank does use the same firm, the audit committee should document its consideration of independence issues.

Each bank should have an internal audit function appropriate to its size and the nature and scope of its activities. For institutions that are large or have complex operations, the benefits of having a full-time manager of internal audit or an auditing staff will likely outweigh the cost, the policy says. In the case of small banks with few employees and less complex operations, these costs may outweigh the benefits.

The guidance says a small non-public bank with less complex operations and limited staff can, in some circumstances, use the same accounting firm to perform both an external audit and some or all of its internal audit activities-for example, where: splitting audit activities poses significant costs or burden, people with the appropriate specialized knowledge and skills are difficult to locate and obtain, the bank is closely held or outsourced internal audit services are limited in scope of frequency.

ICBA had raised concerns that requiring smaller banks to use different firms for internal and external audit functions could force them to forego voluntary external audits in order to continue outsourcing internal audit functions. For more see www.fdic.gov/news/news/financial/2003/fil0321.html.