Outsourced activities must remain fully in scope of the internal audit and compliance responsibilities and should follow the same risk-based approach as for activities performed by the Bank itself, while taking into account the additional risks arising from outsourcing these activities.

The internal audit function of the Bank must be able to obtain all information necessary to provide assurance to the Board, and must be able to demand an extension of the scope of audits performed by third parties where necessary.