FRB: Supervisory Letter SR 13-1 / CA 13-1: Supplemental ...

1 B o a r d o f G o v e r n o r s o f t h e F e d e r a l R e s e r v e S y s t e m S u p p l e m e n t a l P o l i c y S t a t e m e n t o n t h e I n t e r n a l A u d i t F u n c t i o n a n d Its O u t s o u r c i n g J a n u a r y 23, 2 0 1 3. P U R P O S E. T h i s policy s t a t e m e n t is b e i n g issued b y the F e d e r a l R e s e r v e to s u p p l e m e n t the g u i d a n c e in the 2 0 0 3 I n t e r a g e n c y P o l i c y Statement on the I n t e r n a l A u d i t F u n c t i o n a n d its O u t s o u r c i n g (referred t o as the 2 0 0 3 P o l i c y S t a t e m e n t ) .1[Fotne A s a result o f the s u p e r v i s o r y e x p e r i e n c e d u r i n g a n d f o l l o w i n g the recent financial crisis, F e d e r a l R e s e r v e staff identified areas for i m p r o v i n g regulated institutions' internal audit functions. T h i s s u p p l e m e n t a l policy s t a t e m e n t a d d r e s s e s the characteristics, g o v e r n a n c e , a n d operational effectiveness o f a n institution's internal audit function.]

2 Further, this s t a t e m e n t reflects certain c h a n g e s in b a n k i n g regulations that h a v e o c c u r r e d since the i s s u a n c e o f the 2 0 0 3 P o l i c y Statement. T h e F e d e r a l R e s e r v e is p r o v i d i n g this s u p p l e m e n t a l g u i d a n c e t o e n h a n c e regulated institutions' internal audit practices a n d t o e n c o u r a g e t h e m t o a d o p t professional audit standards a n d other authoritative g u i d a n c e , i n c l u d i n g t h o s e issued b y the Institute o f Internal A u d i t o r s ( I I A ) .[Fo tno2te T h i s s t a t e m e n t applies to s u p e r v i s e d institutions w i t h greater t h a n $ 1 0 billion in total c o n s o l i d a t e d assets, i n c l u d i n g state m e m b e r b a n k s , d o m e s t i c b a n k a n d s a v i n g s a n d loan h o l d i n g c o m p a n i e s , a n d U . S . o p e r a t i o n s o f f o r e i g n b a n k i n g o r g a n i z a t i o n s.]

3 [Fo tno3e T h i s s u p p l e m e n t a l g u i d a n c e is also consistent w i t h t h e objectives o f the F e d e r a l R e s e r v e ' s c o n s o l i d a t e d supervision f r a m e w o r k for large financial institutions w i t h total c o n s o l i d a t e d assets o f $ 5 0 billion or m o r e , w h i c h p r o m o t e s a n i n d e p e n d e n t internal audit f u n c t i o n as a n essential e l e m e n t for e n h a n c i n g the 4. resiliency o f s u p e r v i s e d i n s t i t u t i o n s .[Fo tnoe O V E R V I E W. T h e d e g r e e t o w h i c h a n institution i m p l e m e n t s the internal audit practices outlined in this policy s t a t e m e n t will b e c o n s i d e r e d in the F e d e r a l R e s e r v e ' s s u p e r v i s o r y a s s e s s m e n t o f the e f f e c t i v e n e s s o f a n institution's internal audit f u n c t i o n as w e l l as its safety a n d s o u n d n e s s a n d c o m p l i a n c e w i t h c o n s u m e r l a w s a n d regulations.]]

4 M o r e o v e r , the overall e f f e c t i v e n e s s o f a n - R e f e r t o S R l e t t e r 0 3 - 5 , " A m e n d e d I n t e r a g e n c y G u i d a n c e o n t h e I n t e r n a l A u d i t F u n c t i o n a n d i t s O u t s o u r c i n g . "EndofFootnote1.]. - I n t h i s g u i d a n c e , r e f e r e n c e s h a v e b e e n p r o v i d e d t o t h e I I A ' s International Standards f o r the Professional Practice of Internal Auditing (Standards). R e f e r to the I I A website at g u i d a n c e / p a g e s / s t a n d a r d s - a n d - g u i d a n c e - i p p f . a s p x .EndofFootnote2.]. - Section 4 of this document, however, clarifies certain changes to the Federal Deposit Insurance Corporation regulation (12 C F R part 363) o n i n d e p e n d e n c e standards f o r i n d e p e n d e n t public accountants at insured depository institutions w i t h total assets of $ 5 0 0 million or more, w h i c h w e r e a d o p t e d pursuant to 2 0 0 9 a m e n d m e n t s to Section 3 6 o f t h e F e d e r a l D e p o s i t I n s u r a n c e A c t ( F D I A c t ).

5 EndofFootnote3.]. - R e f e r t o S R l e t t e r 1 2 - 1 7 / C A l e t t e r 1 2 - 1 4 , " C o n s o l i d a t e d S u p e r v i s i o n F r a m e w o r k f o r L a r g e F i n a n c i a l I n s t i t u t i o n s . "EndofFootnote4.]. Page 1 of 15. institution's internal audit function will influence the ability of the Federal Reserve to rely upon the work of an institution's internal audit function. This Supplemental policy statement builds upon the 2003 Policy Statement, which remains in effect, and follows the same organizational structure, with a new section entitled "Enhanced Internal Audit Practices" and updates to Parts I-IV of the 2003 Policy Statement, including: 1. Enhanced Internal Audit Practices: This section is added to introduce enhanced practices that will improve the overall safety and soundness of institutions based on common observations on the effectiveness of internal audit functions during the recent financial crisis.

6 2. The Internal Audit Function (Part I of the 2003 Policy Statement): This section encourages institutions to incorporate professional standards such as the IIA guidance into their overall internal audit architecture and provides additional internal audit guidance not specifically articulated in the IIA guidance. The additional guidance pertains to the characteristics, governance, and operational effectiveness of an institution's internal audit function. 3. Internal Audit Outsourcing Arrangements (Part II of the 2003 Policy Statement): This section provides further clarification on the responsibilities of an institution's board of directors and senior management to oversee internal audit outsourcing (including co- sourcing) arrangements and reemphasizes the need to utilize the same quality standards as if the institution maintained an in-house internal audit function. 4. Independence Guidance for the Independent Public Accountant (Part III of the 2003 Policy Statement): This section explains certain changes to Section 36 of the FDI.

7 Act5[Fotne promulgated since the issuance of the 2003 Policy Statement. The July 2009. amendments to Section 36 of the FDI Act provide that independent public accountants, subject to the independence standards issued by the American Institute of Certified Public Accountants (AICPA), the Securities and Exchange Commission (SEC), and the Public Company accounting Oversight Board (PCAOB), must comply with the more restrictive of the aforesaid standards. In March 2003, the SEC prohibited a registered public accounting firm that is responsible for furnishing an opinion on the consolidated or separate financial statements of an audit client from providing internal audit services to that same client. Therefore, by following the more restrictive independence rules, an institution's external auditor is precluded from performing internal audit services, either on a co-sourced or an outsourced basis, even if the institution is not a public company.]

8 5. Examination Guidance (Part IV of the 2003 Policy Statement): This section provides additional guidance on the Federal Reserve Supervisory assessment of the overall effectiveness of an institution's internal audit function and considerations relating to the potential reliance by Federal Reserve examiners on an institution's internal audit work. - Refer to 12 CFR part ]. Page 2 of 15. Supplemental GUIDANCE. 1. Enhanced Internal Audit Practices An institution's internal audit function should incorporate the following enhanced practices into their overall processes: A. Risk Analysis Internal audit should analyze the effectiveness of all critical risk management functions both with respect to individual risk dimensions (for example, credit risk), and an institution's overall risk management function. The analysis should focus on the nature and extent of monitoring compliance with established policies and processes and applicable laws and regulations within the institution as well as whether monitoring processes are appropriate for the institution's business activities and the associated risks.

9 B. Thematic Control Issues Internal audit should identify thematic macro control issues as part of its risk-assessment processes and determine the overall impact of such issues on the institution's risk profile. Additional audit coverage would be expected in business activities that present the highest risk to the institution. Internal audit coverage should reflect the identification of thematic macro control issues across the firm in all auditable areas. Internal audit should communicate thematic macro control issues to senior management and the audit committee. In addition, internal audit should identify patterns of thematic macro control issues, determine whether additional audit coverage is required, communicate such control deficiencies to senior management and the audit committee, and ensure management establishes effective remediation mechanisms. C. Challenging Management and Policy Internal audit should challenge management to adopt appropriate policies and procedures and effective controls.

10 If policies, procedures, and internal controls are ineffective or insufficient in a particular line of business or activity, internal audit should report specific deficiencies to senior management and the audit committee with recommended remediation. Such recommendations may include restricting business activity in affected lines of business until effective policies, procedures, and controls are designed and implemented. Internal audit should monitor management's corrective action and conduct a follow-up review to confirm that the recommendations of both internal audit and the audit committee have been addressed. D. Infrastructure When an institution designs and implements infrastructure enhancements, internal audit should review significant changes and notify management of potential internal control issues. In particular, internal audit should ensure that existing, effective internal controls (for example, software applications and management information system reporting) are not rendered Page 3 of 15.