The technical citation (for OCC banks at least) that permits an auditor or consultant to review your exam reports is 12 CFR 4.37(b)(2), which says:
"When necessary or appropriate for business purposes, ...[an OCC regulated institution] may disclose non-public OCC information, including .... OCC reports of examination, to a person or organization officially connected with the bank or Federal savings association as officer, director, employee, attorney, auditor, or independent auditor. A[n OCC regulated institution] may also release non-public OCC information to a consultant [if certain conditions are met - see 12 CFR 4.37(b)(2).]
_________________________
Adam Witmer, CRCM
All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com