BOL Conferences
#51143 - 12/30/02 08:14 PM Audit Firms
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
We recently hired new external auditors. However, a different division of this same firm performs our comprehensive IT audit. Are there any concerns using the same firm for both?


Audit
#51144 - 12/30/02 08:36 PM Re: Audit Firms
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,608
Near the Land of Enchantment
Yes, there are, and depending on your size and corporate organization - there might be some immediate ones.

Regulators are getting more and more concerned about external and internal audits being outsourced to the same company (even if it's a different division). Companies that are publicly traded are now required to keep external and internal independent of each other.

Even though we're not publicly traded, we recently split the external and internal audits between two firms. Our regulators were very relieved that they didn't have to require us to do so. Our internal audit firm performs IT reviews as well.
_________________________
Opinions my own.

#51145 - 12/30/02 09:22 PM Re: Audit Firms
Michelle D Offline
Gold Star
Michelle D
Joined: Oct 2001
Posts: 313
Terminator Country
As previously stated, there may be an issue not only with the regulators but in complying with the requirements of Sarbanes-Oxley if you are a publicly traded company.

That being said, make sure that the "other division" isn't in fact a separate company. For example: KPMG a couple of years ago split into 2 separate companies. The non-audit firm piece has recently changed its name to help avoid the confusion, but some of the other firms may not have. So before you give them the boot, make sure that they are not 2 separate companies.

I do know that with the audit firm universe shrinking and project growing it's going to be a constant challenge to ensure that some "unknowing" person doesn't accidentally hire the external firm for "non-audit" services.

Good Luck.
_________________________
The opinions are mine and do not necessarily reflect those of my employer.

#51146 - 12/31/02 02:03 PM Re: Audit Firms
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
Our external IT audit consists of a comprehensive review of our core processing system, internet banking product, and LAN. We also have had internal and external penetration testing done. This is far more involved than our external financial auditors look at or are qualified to look at. What are the risks?


#51147 - 12/31/02 05:22 PM Re: Audit Firms
Michelle D Offline
Gold Star
Michelle D
Joined: Oct 2001
Posts: 313
Terminator Country
The risks depend on whether you are public or not. If you are public and it is the same firm then you and your accounting firm are in violation of section 201 of Sarbanes Oxley. It states:

"...it shall be unlawful for a registered public accounting firm (and any associated person of the firm, to the extent determined appropriate by the Commission) that performs for any issuer any audit required by this title or the rules of the Commission under this title or, beginning 180 days after the date of commencement of the operations of the Public Company Accounting Oversight Board established under section 101 of the Sarbanes-Oxley Act of 2002 (in this section referred to as the "Board"), the rules of the Board, to provide to that issuer, contemporaneously with the audit, any non-audit service, including -
(1) bookkeeping or other services related to the accounting records or financial statement of the audit client;
(2) financial information systems design and implementation;
(3) appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
(4) actuarial services;
(5) internal audit outsourcing services;
(6) management functions or human resources;
(7) broker or dealer, investment adviser, or investment banking services;
(8) legal services and expert services unrelated to the audit; and
(9) any other service that the Board determines, by regulation, is impermissible."

You also open yourself up for regulatory criticism.

If you are not public, you may also get criticized, but you need to determine what position your institution has taken on S/O. For example, we are not public but have adopted many of the provisions of S/O as best practices including the one cited above. Therefore, you could end up in violation of your own audit charter or bank policies.

I'd go get another firm. Most of the big 3 have audit outsourcing that can perform IT audit. Also, there may be boutique firms that may be able to accommodate your needs.

Hope this helped.
_________________________
The opinions are mine and do not necessarily reflect those of my employer.

#51148 - 12/31/02 06:13 PM Re: Audit Firms
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
Michelle, thanks for the excerpt. We are not public yet. I could see it within the next ten years. Where would the IT audit that I have described fall under those bullet points? The only thing I see that is close is "expert services unrelated to the audit". Is that right?

#51149 - 12/31/02 06:21 PM Re: Audit Firms
Michelle D Offline
Gold Star
Michelle D
Joined: Oct 2001
Posts: 313
Terminator Country
Amy, it would be the internal audit outsourcing.

You should check with your management and see what, if anything, they are doing with s/o. If you'd like I could send you an analysis that I prepared for our management and board. They have adopted several of the recommendations.

Happy New Year!
_________________________
The opinions are mine and do not necessarily reflect those of my employer.

#51150 - 12/31/02 06:26 PM Re: Audit Firms
LinMarie Offline
100 Club
LinMarie
Joined: Nov 2001
Posts: 243
I would very much appreciate it if you could send that to me. My email address is amy.muhleisen@steubentrust.com.

Thanks so much! Happy New Year to you and everyone!

#51151 - 01/01/03 03:41 PM Re: Audit Firms
Wayne Barnett Offline
Member
Wayne Barnett
Joined: Nov 2002
Posts: 58
Dallas, Texas
Amy:

If the IT audit is done by a CPA firm, as an "Agreed Upon Procedures Review (AUPR)" in accordance with the AICPA's SSAE #10, I don't believe there's a problem having the same firm do both audits.

An AUPR that is done in accordance with SSAE #10 is not an "internal audit function". I've discussed this issue at length with the Regulatory Agencies, and they've agreed. (The OCC has a directive that addresses what banks should do when their Internal Audit Function is outsourced. I've had a couple of Field Examiners try to classify my IT audits as "Internal Audits". However, after visiting with the OCC Ombudsman, the Field Examiners reversed their position and agreed that my IT Audits were not part of the bank's "Internal Audit Function".)

I hope this helps. If you have any questions, feel free to call me at 800-680-8692.

Regards,
Wayne Barnett, CPA
800-680-8692
www.barnettcpa.com
wbarnett@barnettcpa.com

Wayne Barnett, President
Wayne Barnett Software
877-945-4344
www.barnettsoftware.com
wbarnett@barnettsoftware.com


#51152 - 01/03/03 04:30 PM Re: Audit Firms
Michelle D Offline
Gold Star
Michelle D
Joined: Oct 2001
Posts: 313
Terminator Country
Amy, I don't know who your regulator is, or your size, but there is one other option if you are an OTS institution. The OTS has published an interim rule for small, non-public institutions. So if you are under 500 million this could also help you if you are OTS.

OTS Interim Rule on Annual Independent Audits for Small Institutions
_________________________
The opinions are mine and do not necessarily reflect those of my employer.


Moderator:  Andy_Z