Letter on Internal Controls and Management Stewardship
January 26, 2001
TO THE CHIEF EXECUTIVE OFFICER OF THE INSTITUTION ADDRESSED:
The purpose of this guidance letter is to clarify the New York State Banking Departments (the Departments) position on the appropriate use of third party firms to perform the internal audit function. This letter also provides general guidance to enhance internal controls and management stewardship. The Department believes the use of outside accounting firms can be an effective management tool provided management adopts policies designed to safeguard against conflicts of interest and inappropriate delegation of responsibilities.
Management, including the board of directors, is responsible for establishing and maintaining an effective internal control system. This responsibility cannot be delegated to parties outside the institution. Competent and independent internal and external auditors are crucial to effective internal controls.
When an institution outsources one or more of its internal audit functions, the Department requires compliance with applicable standards established by the American Institute of Certified Public Accountants (AICPA). The firm performing the internal audit function must not make management decisions or perform management functions. All work products under an outsourcing arrangement must be readily available to the Department and be in the English language. In general, the Department discourages institutions from using the same firm to perform both internal and external auditing. While the Department recognizes that such an arrangement may be seen by smaller institutions as more cost-effective, an institutions reliance on a single firm increases the possibility that both internal and external audits may lack independence, thereby increasing the risk of undetected internal control breakdowns.
At least annually, management and the board of directors should obtain explicit assurances that their external auditors comply with standards established by the AICPA. When fees for consulting work performed by the same firm that performs audits represent a significant amount in comparison to the external and/or internal audit fees, the independence of the auditors may be questioned. An external auditor who also provides bookkeeping services for an institution will have difficulty asserting his or her independence. On an annual basis, management should evaluate its engagements with its external auditors, outsourcing firms, and consultants to ensure continued effectiveness of these relationships. The Department expects management to annually assess the effectiveness of firms that perform both internal and external auditing and report its conclusions to its appropriate oversight body (e.g., board of directors, audit committee, head office). The oversight body should formally review such arrangements on an annual basis.
If internal controls are determined by examiners to be inadequate, management must reassess its internal controls, including its relationships with internal auditors, external auditors, and consultants. Particular attention must be directed to relationships where a firm performs work on overlapping engagements. Furthermore, institutions with inadequate internal controls will be subject to supervisory action. Such action may include the requirement to change external auditing, internal auditing, and consulting firms, especially when the same firm performs more than one function. The Department may also require audited financial statements and other special reports from an independent firm engaged with the Departments approval.
In any case, management should promptly report instances of significant error or possible fraud to the Department. Management should avoid the temptation to defer notifying the Department until a more complete explanation becomes known or the issue is substantially resolved. The Department expects to be promptly notified of such errors and frauds, and will consider the failure to do so as grounds for potential supervisory action.
Your institutions internal controls and compliance with this letter will be reviewed by Department examiners as part of their overall supervisory examinations.
Questions concerning the topics discussed in this letter should be directed to Chief of Regulatory Accounting John McEnerney at (212) 618-6953 or by email at [email protected].
Very truly yours,
Superintendent of Banks