To All Depository Institutions and Others Concerned in the Second Federal Reserve District:
In a joint press release, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision, have issued the revised policy statement on the independence of accountants who provide institutions with both external and internal audit services to reflect the provisions of the Sarbanes-Oxley Act of 2002.
The Sarbanes-Oxley Act and recently adopted Securities and Exchange Commission (SEC) rules prohibit an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit services to the company. The revised policy statement separately discusses the applicability of this prohibition to institutions that are public companies; insured depository institutions with $500 million or more in assets that are subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act; and non-public institutions that are not subject to Section 36.
The existing guidelines for institutions subject to Section 36 provide for their external auditors to meet the SEC's independence requirements. Auditors for these institutions, whether or not they are public companies, should comply with the prohibition on internal audit outsourcing in the SEC's rules.
The policy statement encourages non-public institutions not subject to Section 36, which includes non-public depository institutions with less than $500 million in assets, to refrain from outsourcing internal audit activities to their external auditor. If such an institution decides to use the same firm for both internal and external audit work, however, the audit committee should document its consideration of the independence issues associated with this arrangement.
The interagency policy statement is attached.
Questions on this matter may be directed, at this Bank, to Loretta C. Burke, Examining Officer, Operational Risk Department.