Policy statement issued on internal auditing - Update

Internal Auditor, April, 2003 by J. Swauger

U.S. FEDERAL BANKING and thrift regulatory agencies joined together on March 17 to issue a new policy statement on internal auditing. The Interagency Policy Statement on the Internal Audit Function and its Outsourcing includes discussion of internal audit reporting relationships, audit outsourcing, responsibility for internal controls, internal audit standards, audit independence, and other issues important to internal auditors.

The new policy -- issued jointly by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision -- encourages financial institutions to evaluate their internal controls against The Committee of Sponsoring Organizations of the Treadway Commission (Coso) framework if they are not already doing so. It states that the board of directors and senior management are responsible for ensuring that the system of internal control operates effectively and indicates that this responsibility cannot be delegated to others within the institution or to outside parties.

Although the policy limits outsourcing arrangements, it recognizes that some outsourcing may be appropriate and gives specific considerations for internal audit outsourcing arrangements.

Reflecting provisions of the Sarbanes-Oxley Act of 2002, the interagency policy extends some provisions of Sarbanes-Oxley to financial organizations that are not publicly listed companies. For example, the new policy encourages financial institutions to refrain from outsourcing internal audit activities to their external auditor, even if they are not required to do so by the Sarbanes-Oxley Act.

According to the new document, directors should be confident that the internal audit function addresses the risks and meets the demands posed by current and planned activities. To accomplish this objective, the policy states that directors should "consider whether their institution's internal audit activities are conducted in accordance with professional standards such as The IIA's Standards for the Professional Practice of Internal Auditing," and they should oversee the internal audit function and evaluate its performance.

Although various types of reporting relationships are permissible for internal auditors under the new policy, the ideal organizational arrangement for the chief audit executive is said to be direct reporting solely to the audit committee regarding both audit issues and administrative matters. The policy encourages financial institutions to consider The IIA's Practice Advisory 2060-2 on relationships between internal auditors and the audit committee.