The FRB issued a supplemental policy statement on the internal audit function and its outsourcing (the “Supplemental Policy Statement”). The Supplemental Policy Statement supplements, but does not supersede, the 2003 interagency guidance distributed by the FRB in SR Letter 03-5, “Amended Interagency Guidance on the Internal Audit Function and its Outsourcing” (the “2003 Interagency Guidance”). The FRB said that the Supplemental Policy Statement reflects supervisory concerns noted in the aftermath of the recent financial crisis and applies to supervised financial institutions (“Institutions”) with greater than $10 billion in total consolidated assets.
Enhanced Internal Audit Practices. The Supplemental Policy Statement states that Institutions should strengthen their internal audit function by, among other things: (1) analyzing the effectiveness of all critical risk management functions both with respect to individual risk dimensions (e.g., credit risk) and the Institution’s overall risk management function; (2) identifying thematic macro control issues and considering the overall impact of such issues on the Institution’s risk profile; (3) where deficiencies are identified, challenging management to adopt appropriate policies, procedures and internal controls; (4) reviewing the design and implementation of the Institution’s infrastructure enhancements and alerting management to potential internal control issues; (5) confirming that the Board of Directors and senior management of the Institution are actively involved in setting and monitoring compliance with the Institution’s risk tolerance limits; and (6) evaluating the adequacy and effectiveness of controls to respond to risks within the Institution’s governance, operations and information systems that could adversely affect the Institution’s achievement of its strategic objectives.
Internal Audit Function. The Supplemental Policy Statement next provides guidance that supplements and updates the 2003 Interagency Guidance concerning the characteristics, governance and operational effectiveness of an Institution’s internal audit function. Among the topics covered in the Supplemental Policy Statement are the independence, professional competence, staffing and the elements of an internal audit charter for an Institution’s internal audit function. Also discussed are the responsibilities of the Audit Committee with respect to the internal audit function and strategies for evaluating the adequacy of the internal audit function’s risk assessment methodology, the internal audit plan, the internal audit function’s use of continuing monitoring practices and the internal audit function’s overall performance.
Internal Audit Outsourcing Arrangements. The Supplemental Policy Statement discusses the responsibilities of an Institution’s Board of directors and senior management to provide appropriate oversight to outsourcing arrangements of the internal audit function. The FRB reminds Institutions that the responsibility for maintaining an effective system of internal controls cannot be delegated to a third party. The Supplemental Policy Statement discusses the need for a written contract with the vendor of internal audit outsourced services, policies and procedures for selection and oversight of internal audit vendors, and the need for contingency planning for managing temporary or permanent disruptions in outsourced internal audit services.
Independence Guidance for the Independent Public Accountant. The Supplemental Policy Statement updates the 2003 Interagency Guidance by noting the 2009 amendments to Section 36 of the Federal Deposit Insurance Act (applicable to insured depository institutions with total assets of $500 million or more) and pointing out that since 2009 the external auditor of an insured depository institution with total assets of $500 million or more is precluded from also providing outsourced internal audit services.
Examination Guidance. The FRB next discusses supervisory assessments of an Institution’s internal audit function and the ability of FRB examiners to rely on work performed by the internal audit function. The Supplemental Policy Statement states that in determining the overall effectiveness of the internal audit function, the function will generally be considered effective by the FRB if the function’s structure and practices are consistent with the 2003 Interagency Guidance and the Supplemental Policy Statement.