Themis Consultants, Inc
Themis Banner.png

The Themis Update

Policy, Regulations, and Rulings:
The Inside Scoop

Washington DCU issues bulletin on Outsourcing Internal Audit Function

On May 14, 2018, the Washington State Department of Financial Institutions, Division of Credit Unions issued a DCU Bulletin discussing the issue of outsourcing the Internal Audit Function, noting in part that "(e)ffective internal control is a foundation for the safe and sound operation of a financial institution (institution). The board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the institution or to outside parties. An important element in assessing the effectiveness of the internal control system is an internal audit function."   To that end, examiners are to consider the following when the internal audit function is "outsourced":

  • The arrangement maintains or improves the quality of the internal audit function and the institution's internal control;
  • Key employees of the institution and the outsourcing vendor clearly understand the lines of communication and how any internal control problems or other matters noted by the outsourcing vendor are to be addressed; 
  • The scope of the outsourced work is revised appropriately when the institution's environment, structure, activities, risk exposures, or systems change significantly;
  • The directors have ensured that the outsourced internal audit activities are effectively managed by the institution;
  • The internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the outsourcing vendor;
  • The outsourced internal audit services provided by the vendor are subject to regulatory review and examiners will be granted full and timely access to the internal audit reports and related work papers prepared by the outsourcing vendor;
  • The arrangement with the outsourcing vendor satisfies the independence standards described in this policy statement and thereby preserves the independence of the internal audit function, whether or not the vendor is also the institution's independent public accountant; and
  • The institution has performed sufficient due diligence to satisfy itself of the vendor's competence before entering into the outsourcing arrangement and has adequate procedures for ensuring that the vendor maintains sufficient expertise to perform effectively throughout the arrangement.