Independence of the External Auditor Providing Internal Audit Services
It is important that examiners ensure that management has designed any outsourcing arrangements in order to maintain the independence of the audit provider. An accounting firm hired to perform internal audit services for an institution risks compromising its independence when it also performs the external audit for the institution. Concerns arise because, rather than having an independent review, the responsibility of performing outsourced internal audits places the accounting firm in the position of auditing its own work. For example, in designing procedures to audit an institution's financial statements, the accounting firm considers the extent to which it may rely on the institution's internal control system, including the internal audit function.
The Sarbanes-Oxley Act of 2002 specifically prohibits a registered public accounting firm from performing certain non-audit services for a public company client for whom it performs financial statement audits. Among those prohibited non-audit services are internal audit outsourcing services and financial information system design and implementation. Under rules adopted by the Securities and Exchange Commission, this prohibition generally became effective on May 6, 2003, although a one-year transition period was provided for contractual arrangements in place as of that date. Under Section 36 of the Federal Deposit Insurance Act and its implementing regulation and guidelines, FDIC-insured depository institutions with total assets of $500 million or more are required to be audited annually. The guidelines require these institutions, whether or not they are public companies, and their external auditors to comply with the SEC's auditor independence requirements. Other non-public institutions are encouraged to have their financial statements audited and to follow the Sarbanes-Oxley Act's prohibition on outsourcing internal audit to their external auditor. However, there are circumstances in which these institutions can use the same accounting firm for both external and internal audit work.
Outsourcing Internal IT Audit
Examples of Arrangements