The purpose of Internal Audit (IA) is to provide an independent and objective opinion to the Board of Directors, through the Board Audit Committee, on the adequacy and effectiveness of the system of internal control of the Society. These opinions will specifically cover whether the Society’s risk management, control and governance processes are appropriately designed and operating as intended.
IA aims to perform its activities in conformance with the Definition of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the guidance on Effective Internal Audit in the Financial Services Sector as laid down by the UK Chartered Institute of Internal Auditors.
Scope and Responsibilities
The scope of Internal Audit work covers all activities of the Society, except as may be excluded from time to time at the direction of either the Board or Board Audit Committee. The scope of work undertaken each year is determined by the IA plan which is approved annually by the Board Audit Committee. The plan is developed using a risk-based approach to prioritise work so that cost-effective effort is directed towards providing assurance that the key risks facing the Society are controlled, and identifying weaknesses where they are not. Appropriate recommendations will be agreed with business management to address identified weaknesses. Through its activities, IA will provide management with information to help facilitate improvement in the Society’s risk management and controls.
Specific areas of responsibility include:
• In accordance with the plan, undertake a programme of reviews of key functional areas, processes and systems to ensure that material risks are identified and managed. These will include, but will not be limited to, reviews of: design and operating effectiveness of the internal governance structures and processes of the organisation; the setting of, and adherence to, risk appetite; the risk and control culture of the organisation; risks of poor customer treatment giving rise to conduct or reputational risk; capital and liquidity risks; key corporate events; and outcome of processes;
• In addition to the completion of reviews as outlined in the Internal Audit Annual Plan, IA activities will also include consulting, assurance and project work, in accordance with Executive Director, Board Audit Committee or regulatory requests;
• Provide an independent assessment of the progress made by management in implementing actions agreed to manage risk issues and control weaknesses reported in external and internal audit reports. Report outstanding overdue actions to the Board Audit Committee on a quarterly basis. Issue details of all outstanding actions to Executive management on a monthly basis;
• Responsibility for risk management within the Society as the third line of defence within the ‘Three Lines of Defence Model’;
• Maintain close co-operation between IA and the Society’s Compliance and Risk Functions, including the exchange of relevant information. Regular meetings will be held to discuss risks, identify potential areas of reliance and to develop effective working relationships;
• Maintain an appropriate level of professional audit staff with sufficient knowledge, skills, qualifications and experience to meet the requirements of this Charter;
• Evaluate and assess emerging risks and their potential impact on the Society’s operations. IA may instigate additional work to address new and emerging risks during the year. The impact of carrying out these reviews on the annual plan will be assessed and reported to the next Board Audit Committee meeting;
• Report to the Board Audit Committee and relevant executive committees summarising the results of audit activities;
• Report to the Board Audit Committee, by exception, a review of any post-mortem and ‘lessons learned’ analysis if a significant adverse event has occurred (for example, a regulatory breach). Any such review will assess both the role of the first and second lines of defence and Internal Audit’s own role;
• At least annually, Internal Audit will report to the Board Audit Committee its assessment as to the overall effectiveness of the governance, and risk and control framework of the Society, and its conclusions on whether the organisation’s risk appetite framework is being adhered to, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile;
• Remain up to date with an understanding of Society, industry and regulatory developments in order to ensure that a high quality service can be provided by sufficiently competent staff; and
• Provide assurance over the governance, risk management, project and financial controls together with quality assurance processes operated within key business initiatives.
The following characterise IA’s rights and authority:
• The Chief Internal Auditor reports directly to the Board Audit Committee Chair with an administrative reporting line to the Chief Executive and has the right of access to the Chair and Executive Directors;
• The right to attend Executive and other governance committee meetings and Board Audit Committee meetings;
• Unrestricted and timely access (as authorised by the Board) to all the Society’s operations, records, systems and assets in whatever media and wherever stored and to staff, management and Directors; and
• Ability to call a Board Audit Committee meeting, if required, through agreement with the Board Audit Committee Chair.
In discharging his / her duties, the Chief Internal Auditor shall be accountable for:
• Providing an assessment of the adequacy and effectiveness of the Society’s processes for controlling its activities and managing risks;
• Reporting on material control issues that impact the achievement of the Society’s goals and objectives;
• Reporting on Management’s response to addressing significant control issues; and
• Reporting on the progress of the Society’s IA department in meeting its objectives and on the adequacy of its resources.
Status and Independence
Management is responsible for the establishment and maintenance of effective risk management practices and internal controls within the Society and for periodically confirming their continued operation.
IA is a review function that does not relieve management of the responsibility for maintaining effective controls. IA is not authorised to perform line activities, as this would impair its objectivity, and it does not have direct responsibility or authority over the activities it reviews.
Professional Standards and Disclosure
All IA activity will be undertaken in accordance with the Department’s policies in order to ensure consistent professional standards are adopted. IA will adhere to the Code of Ethics and International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors – UK and Ireland. IA effectiveness will be assessed annually with an external review commissioned at least every 5 years.
The Society’s external auditors and regulators have the right to request any information from the Society, including IA reports which may be requested by these external parties to allow them to discharge their obligations.
Relationship with External Auditors and the Regulator
There will be close co-operation between IA and the Society’s external auditors, including the exchange of relevant information, in order to avoid the duplication of work and thereby maximise the efficiency of audit resource. Regular meetings will be held with the external auditors to discuss risks, identify potential areas of reliance and to develop effective working relationships.
The Chief Internal Auditor will develop an effective working relationship with the FCA and PRA supervisory teams and provide reports and information as requested by them.
Approval and Review
This Charter will be reviewed at least annually by the Chief Internal Auditor and the conclusion and any recommendations will be proposed to the Audit Committee for approval.