Skip to Main Content

Supervision News Flash

November 2018

Internal Auditor Independence & Reporting Lines

people in a conference room

Examination issues have recently surfaced about the potential compromise of independence and reporting lines for both in-house and outsourced audit activities at several community banks. In this article we want to help you understand how to avoid these issues.

All banks, regardless of whether the audit function is in-house or outsourced, require a competent individual to oversee their audit activities. In our experience, both in-house and outsourced audit activities are best served by the oversight of a senior officer with knowledge of internal audit and no direct access to the existing internal control system. The most effective reporting line for internal audit is functionally to the Audit Committee and administratively to the CEO. There are certainly situations where another senior officer may be better suited because of their knowledge of internal audit. This reporting line can be acceptable when there are mitigating controls in place over auditable areas that may fall under the senior officer’s direct line of reporting responsibility.    

In smaller institutions that do not employ a dedicated in-house audit manager, regulatory guidance SR 03-5 allows for the appointment of a competent employee to oversee the outsourcing vendor’s performance under the contract and who, again, ideally has no managerial responsibilities for the areas being audited. Bank management and the Audit Committee should carefully consider the competent employee they appoint to ensure they have sufficient knowledge of internal audit practices in order to adequately oversee the outsourced work and that they are independent of the areas being audited.    

If you have any questions, please contact your portfolio analyst, central point of contact or Risk Specialist Darlene Kirkpatrick at darlene.kirkpatrick@rich.frb.org or by phone at (804) 663-6231.

phone Contact Us