Financial Institution Letter
TO: CHIEF EXECUTIVE OFFICER (also of interest to the Internal Audit Manager and Members of the Board) 
SUBJECT: Interagency Policy Statement on the Internal Audit Function and Its Outsourcing 
Summary: The federal banking agencies have revised their 1997 internal audit policy statement to update guidance (in light of the Sarbanes-Oxley Act) on the independence of an accountant who provides both external audit and internal audit services to an institution. Other parts of the 1997 policy statement also have been revised. 

The Federal Deposit Insurance Corporation (FDIC) and the other federal banking agencies have issued the attached Interagency Policy Statement on the Internal Audit Function and Its Outsourcing. The policy statement, which replaces a policy issued in 1997 (see FIL-133-97, dated December 22, 1997), updates the agencies' guidance on the independence of an accountant who provides both external and internal audit services to an institution as a result of the auditor independence provisions of the Sarbanes-Oxley Act of 2002. The updated policy statement also reflects the agencies' experience with the 1997 policy and incorporates recent developments in internal auditing.

The Sarbanes-Oxley Act and recently adopted Securities and Exchange Commission (SEC) rules prohibit an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit outsourcing and certain other non-audit services to the company. In addition, if a public company's external auditor will be performing auditing and permitted non-audit services, its audit committee must pre-approve each of these services. These SEC rules generally become effective on May 6, 2003, although a one-year transition period is provided for contractual arrangements in place as of that date. The revised policy statement separately discusses the applicability of these requirements to:

  • Institutions that are public companies;
  • Insured depository institutions with $500 million or more in assets, which are subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act; and
  • Non-public institutions that are not subject to Section 36.

For institutions subject to Section 36, whether or not they are public companies, the FDIC's existing guidelines provide for their external auditors to comply with the SEC's auditor independence requirements that are in effect during the period covered by the audit. These requirements include the non-audit service prohibitions and audit committee pre-approval requirements.

The policy statement encourages non-public institutions not subject to Section 36, which includes non-public banks with less than $500 million in assets, to follow the Sarbanes-Oxley Act's internal audit outsourcing prohibition. However, if such an institution decides to use the same firm for both internal and external audit work, the audit committee should document both that it has pre-approved the internal audit outsourcing to its external auditor and that it has considered the independence issues associated with this arrangement.

In addition to changes related to the Sarbanes-Oxley Act, the agencies revised the 1997 policy statement's discussion of the responsibilities of the board of directors and senior management with respect to the internal audit function and its placement within an organization, its management and staffing, and the communication of concerns and weaknesses in accounting and internal control. Expanded guidance has been provided on the use of independent reviews of significant internal controls by small institutions that do not have a formal internal audit manager or staff. The policy statement also includes guidance for examiners on addressing concerns about the adequacy of the internal audit function.

This Financial Institution Letter (FIL) replaces FIL-133-97, dated December 22, 1997.

For further information, please contact Robert F. Storch, Chief Accountant (202-898-8906), in the Division of Supervision and Consumer Protection.

For your reference, FDIC Financial Institution Letters may be accessed on the FDIC's Web site at . To learn how to automatically receive FDIC Financial Institution Letters through e-mail, please visit

Michael J. Zamorski

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).

Last Updated: March 17, 2003