Has anyone been criticized by their regulator for using the same firm for external financial audit and IT audit in light of Sarbanes-Oxley? I am particularly interested in whether they view the IT audit as a non-audit function, just needing approval of the audit committee, or internal audit outsourcing. Thanks.

We have not been criticized by our regulator, but we are not using the same firm for both, either. IT audit is clearly an internal audit function. Outsourcing it to the same firm that handles the bank's external audit would appear to violate the restrictions under Sarbanes-Oxley.

Our external auditors (top 5 or 6 firm) have already told us that they can't do our external IT audit due to the independence rules. They did indicate that they may be able to increase the IT work they did in conjunction with the financial statement audit (and increase the fee I'm sure), and just not issue a separate report.

However, it appeared that this option was a little too gray and didn't meet the spirit of SOX so we're looking elsewhere.

As you can tell, our external audit firm is of the opinion that the IT audit is a non-audit function (why not, when they are trying to sell a service?). They are also telling us that they have an opinion letter that supports that. Originally, the letter was supposedly from the FDIC, but on further questioning, it's an opinion letter from a bank's attorney to its client, an FDIC-supervised bank. Not exactly the same thing. I'm glad that some of you and your auditors concur with me that it's internal audit outsourcing, and not advisable given SOx.

Luckily we aren't a bank that has to comply with SOX, however our regulator suggested we change firms for our IT audit for more independence. We were using KPMG for our external and our IT internal audit. I guess it is just best practice...