Our internal auditor is going to perform a human resources (HR) audit of our bank and has requested to see employee files. We are willing to make certain information in the files available to the auditor but do not want to grant access to the whole files. Do the regulators require internal auditors to review whole employee files?

We are not aware of any law or regulation that requires internal auditors to review whole employee files as part of an internal audit.

The OCC’s safety and soundness regulations, the “Internal and External Audits” booklet of Comptroller’s Handbook, and the “Interagency Policy Statement on the Internal Audit Function and its Outsourcing” set forth guidelines and considerations for conducting effective internal audits. However, none of these sources specifically describe audits of HR departments or indicate that such audits necessitate the review of whole employee files.

Rather, these authorities generally provide that banks “should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities” and that “provides directors and senior management with vital information about weaknesses in the system of internal control so that management can take prompt, remedial action.”

Consequently, whether to allow an internal auditor to review whole employee files as part of an HR audit is policy decision for your bank, based on whether you believe the internal auditor can perform an effective audit without having access to the whole files.

For resources related to our guidance, please see:

OCC Safety and Soundness Regulations, 12 CFR 30, Appendix A(II)(B) (“An institution should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities and that provides for: 1. Adequate monitoring of the system of internal controls through an internal audit function. For an institution whose size, complexity or scope of operations does not warrant a full scale internal audit function, a system of independent reviews of key internal controls may be used; 2. Independence and objectivity; 3. Qualified persons; 4. Adequate testing and review of information systems; 5. Adequate documentation of tests and findings and any corrective actions; 6. Verification and review of management actions to address material weaknesses; and 7. Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems.”)

Comptroller’s Handbook, Internal and External Audits (July 2019) (“The internal audit function is the third line of defense. The internal audit function’s primary role is to independently and objectively review and evaluate bank activities. This role helps to maintain and improve the efficiency and effectiveness of the bank’s risk management system, internal controls systems, and corporate governance. The internal audit function should monitor the bank’s internal controls systems by

evaluating the reliability, adequacy, and effectiveness of internal controls that promote the safety and soundness of the bank, whether operated by the bank or a third party.

ensuring that bank internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets.

determining whether the bank complies with laws and regulations and adheres to established bank policies, procedures, and processes.

determining whether management is taking appropriate and timely steps to address control deficiencies and audit report recommendations.

ensuring that audit activities are performed by qualified persons.”)

OCC, Interagency Policy Statement on the Internal Audit Function and its Outsourcing (March 17, 2003) (“An important element in assessing the effectiveness of the internal control system is an internal audit function. When properly structured and conducted, internal audit provides directors and senior management with vital information about weaknesses in the system of internal control so that management can take prompt, remedial action.”)