Considerations When Outsourcing Internal Audit at Community Banks
by Cynthia L. Course, CPA, Principal, Federal Reserve Bank of San Francisco
Community banks often use outsourcing arrangements to obtain cost-effective expertise in a variety of areas. Internal audit outsourcing is no exception, with many financial institutions of all sizes outsourcing all or a portion of their internal audit activities to public accounting firms or other professional organizations.
While outsourcing internal audit can provide many benefits to community banks, it is not without risk. Effective boards of directors recognize the risks of such arrangements and take appropriate mitigating actions as part of the outsourcing engagement agreement. This article provides an overview of some of the benefits and risks of outsourcing internal audit at community banks, reviews statutory and regulatory requirements for this practice that apply to community banks, and provides some thoughts on managing an outsourced internal audit function.
Historical Views on Outsourcing Internal Audit
Although outsourcing back-office and technical functions has been a long-standing and accepted practice at many financial institutions, it was not until the 1990s that financial institutions increasingly began to outsource their internal audit functions. Even then, though, there was not universal acceptance of such arrangements.
Twenty years ago, the Institute of Internal Auditors (IIA) wrote in its 1994 paper A Professional Briefing for Chief Audit Executives: The IIA's Perspective on Outsourcing Internal Auditing that auditing is best performed by an independent entity that is an integral part of the management structure of an organization. The paper further stated that a competent internal auditing department "can perform the internal auditing function more efficiently and effectively than a contracted audit service."1
At the time, the federal banking agencies were more open to outsourced internal audit activities than was the IIA, but they still expressed concerns about certain arrangements. In their 1997 Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, the federal banking agencies noted that:
- Such outsourcing may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. However, the federal banking agencies have concerns that the structure, scope, and management of some internal audit outsourcing arrangements may not contribute to the institution's safety and soundness. Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior managers with the impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.2
The IIA came to recognize the value that outsourced internal audit can play in organizations. In 2009, the IIA reconsidered its position, stating in its paper The Role of Internal Auditing in Resourcing the Internal Audit Activity that "a fully resourced and professionally competent staff that is a key part of the organization, whether in-house or outsourced, best provides internal audit services."3 The IIA further acknowledged that the optimal solution for sourcing internal audit varies not only by organization but also for a given organization as the nature of its business activities change over time.
More recently, in December 2013, the Board of Governors of the Federal Reserve System issued Supervision and Regulation (SR) letter 13-19/CA letter 13-21, "Guidance on Managing Outsourcing Risk."4 While this guidance applies to all outsourced activities, including internal audit outsourcing arrangements, the letter also refers financial institutions to SR letter 03-5, "Amended Interagency Guidance on the Internal Audit Function and Its Outsourcing," issued in 2003, which directly discusses the outsourcing of internal audit to independent public accounting firms and other outside professionals.5 Although this amended interagency guidance was issued more than 10 years ago, it remains relevant today.
When considering the outsourcing of internal audit activities, it is important to recognize that there is not a one-size-fits-all solution. While there are many advantages to outsourced internal audit, there are also disadvantages. And, of course, regulatory requirements differ depending on the institution's size and ownership structure.
Advantages of Outsourcing
If conducted in a prudent manner, outsourcing some or all of a community bank's internal audit function has several advantages. First, outsourcing gives community banks access to a level of expertise that may be expensive and impractical to maintain internally. This particularly benefits banks in smaller communities, but it also becomes increasingly important as banks offer new products or services or enter new markets requiring new or expanded controls and broader audit expertise.
Second, outsourcing allows community banks to replace the fixed staffing and overhead costs of employees with the variable cost of consultants. This could be a particularly important consideration when staffing for peak audit periods or for special projects.
Third, the rotation of auditors, which can more easily occur in outsourcing arrangements, minimizes the potential for or appearance of a loss of objectivity, which could occur when internal auditors develop close relationships with bank staff. However, there are disadvantages to this rotation, as discussed below.
Lastly, outsourcing the complete internal audit function allows management to focus on overseeing the outsourced internal audit contract and audit scope and implementing the audit function's recommendations.
Disadvantages to Outsourcing
There are, however, disadvantages to outsourcing some or all of a community bank's internal audit function. First, contracted internal auditors will not have the immediate breadth and depth of familiarity with the banking organization's operations that in-house staff has. In addition, too-frequent rotation of contracted auditors reduces institutional knowledge and creates a continual learning curve that may affect the effectiveness of the outsourced function.
Second, the contracted internal auditor's goals may differ from management's goals, unless communication is open, clear, and continual. For example, some contracted internal auditors may be motivated to suggest additional audit activities to increase their billings. Management teams should consider the advice of the contracted audit firm concerning the proposed audit scope and the banking organization's risk profile and ensure that the final scope of the internal audit remains aligned with the goal of receiving an objective assessment.
Third, both a comprehensive engagement letter and frequent oral and written communications are necessary to avoid misunderstandings. Without a sufficiently descriptive engagement letter, a contracted internal auditor may merely follow the prescribed business plan rather than proactively evaluate and contribute to the improvement of governance, risk management, and control processes.
Finally, if any of these or other internal audit weaknesses materialize as a result of the outsourcing arrangement, a key component of internal control would be weakened, potentially causing an unsafe and unsound operating environment within the banking organization.
Outsourcing to the External Auditor?
In the early days of internal audit outsourcing, some banking organizations believed that the most efficient solution was to outsource internal audit to their external audit firms, arguing that this allowed the external auditor to gain additional knowledge about the banking organization, which could assist in conducting the annual financial statement audit. However, this position was of significant concern to the Securities and Exchange Commission (SEC), the American Institute of Certified Public Accountants (AICPA), and the federal banking regulatory agencies, all of which believed that outsourcing internal audit to the external auditor had a high potential to compromise the external auditor's independence.
As noted earlier, in 2003, the federal banking agencies issued an Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.6 This statement superseded the 1997 policy statement to align supervisory policy with the prohibitions on internal audit outsourcing imposed by the Sarbanes–Oxley Act of 2002 and SEC regulations. Part III of the 2003 policy statement provides a detailed discussion of the regulatory rules and guidance in this area.
Highlights of the various rules, regulations, and policies concerning the outsourcing of internal audit at financial institutions are discussed below. The decision tree in the figure on this page shows how community banks can put these requirements in context.
Federal Deposit Insurance Act
The independence of the external auditor is important for financial institutions of all sizes but is of particular importance to a financial institution with total consolidated assets of $500 million or more, regardless of whether it is a public company. Section 36 of the Federal Deposit Insurance Act and associated regulations require every insured depository institution with $500 million or more in total consolidated assets to obtain an annual audit of its financial statements by an independent public accountant.
Part 363 of the Federal Deposit Insurance Corporation's regulations (12 CFR) states that the independent public accountant must comply with the independence standards and interpretations of the AICPA, the SEC, and the Public Company Accounting Oversight Board (PCAOB). Further, to the extent that any of the rules issued by these organizations is more or less restrictive than the corresponding rule in the other independence standards, the independent public accountant must comply with the more restrictive rule.7
Thus, nonpublic banking organizations with $500 million or more in total consolidated assets are also subject to the SEC's independence requirements for external auditors, discussed below. Furthermore, the federal banking agencies have long encouraged banking organizations with less than $500 million in total consolidated assets to adopt an external auditing program that includes an annual audit of their financial statements by an independent public accountant and to follow the SEC's internal audit outsourcing prohibition (also discussed below).
The Sarbanes–Oxley Act of 2002 was intended to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws.8 Title II of the act, which addresses auditor independence, applies to companies with securities registered with the SEC or a federal banking agency or companies that are required to file reports with the SEC (that is, "public companies"). Section 201(a) of the act amended section 10A of the Securities Exchange Act of 1934, prohibiting a public company's external auditor from also performing eight specific services, one of which is internal audit outsourcing services.
In 2003, the SEC updated its rules to state that:
- An accountant is not independent if, at any point during the audit and professional engagement period, the accountant provides … any internal audit service that has been outsourced by the audit client that relates to the audit client's internal accounting controls, financial systems, or financial statements, for an audit client unless it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client's financial statements.9
The SEC's final rule permits, with audit committee approval, outsourcing of internal audit that (1) is not related to the audit client's internal accounting controls, financial systems, or financial statements or (2) will not be subject to audit procedures during an audit of the audit client's financial statements. However, banking organizations that are public companies and their external auditors should exercise caution when entering into such arrangements and should ensure that they are permissible under any applicable rules or guidance.
The AICPA addresses the appropriateness of outsourcing internal audit to an external auditor in its Code of Professional Conduct. Interpretation No. 101-3, "Nonattest Services," under Rule 101, Independence, starts with the premise that:
- Assisting the client in performing financial and operational internal audit activities would impair independence, unless the member takes appropriate steps to be satisfied that the client accepts its responsibility for designing, implementing, and maintaining internal control and directing the internal audit function, including the management thereof.10
Interpretation No. 101-3 goes on to provide specific examples of the management responsibilities that cannot be delegated and describes activities that, if performed as part of an internal audit engagement, would impair independence. The AICPA could not, however, anticipate all possible conflicts; therefore, the guidance is not all-inclusive and, in some instances, may be subject to interpretation.
On April 26, 2006, the SEC approved the PCAOB's initial rules governing independence.11 The PCAOB's rules have been subsequently amended and clarified, with SEC approval; they remain generally consistent with the SEC's rules and will not be discussed further here.
Other Considerations for Community Banks
The federal banking agencies have issued additional guidance that many community banks may find particularly relevant.12
Nonpublic Community Banks with Less Than $500 Million in Total Assets
As noted above, the federal banking agencies have long encouraged banking organizations with less than $500 million in total consolidated assets to adopt an external auditing program that includes an annual audit of their financial statements by an independent public accountant and to follow the SEC's internal audit outsourcing prohibition.13 However, the federal banking agencies believe that a smaller nonpublic banking organization with less complex operations and a limited staff can, in certain circumstances, use the same accounting firm to perform both an external audit and some or all of the organization's internal audit activities.14
This does not, however, give banks carte blanche permission to outsource internal audit to the external auditor. The 2003 interagency policy statement describes a nonexclusive set of circumstances in which outsourcing to the external auditor may be acceptable. In these cases, the federal banking agencies expect the audit committee and the external auditor to pay particular attention to preserving the independence of the separate audit functions. The audit committee should document that it has preapproved the internal audit outsourcing to the external auditor and that it has considered the independence issues with this arrangement. Furthermore, the banking organization's board of directors and management cannot abdicate their oversight responsibilities for the internal audit function.
Community Banks Approaching $10 Billion in Total Assets
In January 2013, the Federal Reserve issued Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing.15 This guidance was directed at financial institutions with more than $10 billion in total consolidated assets and does not apply to community banks, which the Federal Reserve generally defines as those with $10 billion or less in total consolidated assets. However, management of larger community banks approaching this threshold should be aware of this guidance and be prepared to comply with it if they grow beyond the $10 billion threshold, as it builds on the 2003 guidance and discusses enhanced internal audit expectations for larger firms.
Managing the Relationship with the Outsourced Internal Audit Company
Regardless of whether internal audit is outsourced to the external auditor or a different firm, a community banking organization's board of directors and management must actively oversee the internal audit function, just as they are expected to oversee the relationship with any third-party vendor.
As noted previously, the Federal Reserve recently issued supervisory guidance on managing the risks of any outsourced activities. This guidance discusses the risks of outsourcing activities to third parties, board of director and senior management responsibilities, and appropriate service provider risk management programs.16 In summary, the board of directors and management must ensure that the outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. In addition, relationships with outsourced internal auditors are subject to the same risk management, security, privacy, and other laws, regulations, and policies that a financial institution would be expected to abide by if the activity were conducted in-house.
To better ensure the appropriate oversight of and accountability by the outsourced internal auditor, the banking organization should have a written contract or engagement letter that sets forth the full details of the rights and responsibilities of each party. Both SR letter 13-19/CA letter 13-21 and section 1010.1 of the Federal Reserve's Commercial Bank Examination Manual provide more detailed information on typical contractual provisions, which include assessing the outsourced internal auditor's competence, independence, and objectivity; managing the outsourced internal auditor relationship; and developing appropriate contingency plans to ensure the continuity of internal audit activities.17
Outsourcing internal audit can provide several advantages for community banks, but it is not without risk. As with all banking decisions, when deciding whether to start, modify, or continue an internal audit outsourcing arrangement, effective boards of directors and management teams consider both the regulatory expectations and the operational aspects of the arrangement to ensure that their financial institutions continue to operate in a safe and sound manner and in compliance with all laws and regulations.
- 1 Institute of Internal Auditors (IIA), A Professional Briefing for Chief Audit Executives: The IIA's Perspective on Outsourcing Internal Auditing, Professional Issues Pamphlet 94-1, p. 2.
- 2 See Supervision and Regulation (SR) letter 97-35, "Interagency Guidance on the Internal Audit Function and Its Outsourcing." SR letter 97-35 was subsequently superseded by SR letter 03-5, "Amended Interagency Guidance on the Internal Audit Function and Its Outsourcing," available at www.federalreserve.gov/boarddocs/srletters/2003/sr0305.htm.
- 3 The complete paper is available at http://ow.ly/vl97D.
- 4 See www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
- 5 See SR letter 03-5.
- 6 See SR letter 03-5.
- 7 See "Part 363 — Annual Independent Audits and Reporting Requirements," 12 CFR section 363, available at www.gpo.gov/fdsys/pkg/CFR-2013-title12-vol5/pdf/CFR-2013-title12-vol5-part363.pdf.
- 8 See Sarbanes–Oxley Act of 2002, Public Law No. 107-204, 116 Stat. 745 (2002), available at www.gpo.gov/fdsys/pkg/PLAW-107publ204/pdf/PLAW-107publ204.pdf.
- 9 See 17 CFR section 210.2-01 (c)(4)(v), available at www.gpo.gov/fdsys/pkg/CFR-2013-title17-vol2/pdf/CFR-2013-title17-vol2-sec210-2-01.pdf.
- 10 See the AICPA's Code of Professional Conduct, available at www.aicpa.org/research/standards/codeofconduct/pages/et_101.aspx.
- 11 See Section 3 — Professional Standards of the PCAOB, including the rules related to independence and communication with the audit committee concerning independence, available at pcaobus.org/rules/pcaobrules/pages/section_3.aspx.
- 12 In addition to issuing guidance, the federal banking agencies participated in the development of a June 2012 paper by the Basel Committee on Banking Supervision titled "The Internal Audit Function in Banks." While this paper sets forth principles that banks may find to be relevant depending on their size, complexity, and risk profile, it does not establish requirements for U.S. banking organizations and is not a substitute for U.S. policies and guidance on internal audit and its outsourcing. The paper is available at www.bis.org/publ/bcbs223.pdf.
- 13 See, for example, SR letter 99-33, "Interagency Policy Statement on External Audits of Banks With Less Than $500 Million in Total Assets," available at www.federalreserve.gov/boarddocs/srletters/1999/SR9933.htm.
- 14 For more information, see page 13 of the "Interagency Policy Statement on the Internal Audit Function and Its Outsourcing" that is attached to SR letter 03-5, available at www.federalreserve.gov/boarddocs/srletters/2003/sr0305.htm.
- 15 See SR letter 13-1/CA letter 13-1, "Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing," at www.federalreserve.gov/bankinforeg/srletters/sr1301.htm.
- 16 See SR letter 13-19/CA letter 13-21, "Guidance on Managing Outsourcing Risk."
- 17 See the Federal Reserve's Commercial Bank Examination Manual, available at www.federalreserve.gov/boarddocs/supmanual/cbem/cbem.pdf.