Internal Audit Charter
Purpose
The mission of Internal Audit is to support the survival and prosperity of the Coventry Building Society (the ‘Society’) and its subsidiaries including The Co-operative Bank p.l.c. (the ‘Bank’ and together, the ‘Group’) by safeguarding the Group and its customers and members.
The purpose of Internal Audit is to provide independent, risk-based and objective assurance, advice, insight and foresight to the Group Board of Directors, through the Group Board Audit Committee, on the adequacy and effectiveness of the system of internal control of the Group. These activities will specifically cover whether the Group’s risk management, control and governance processes are appropriately designed, operating as intended, proportional, and remain permanent and sustainable. Internal Audit will also enhance the Group’s successful achievement of its objectives, decision-making and oversight, and reputation and credibility with its stakeholders.
Scope and Responsibilities
The scope of Internal Audit’s work covers all activities of the Group, except as may be excluded from time to time at the direction of either the Group Board or Group Board Audit Committee. The scope of work undertaken each year is determined by the Internal Audit Annual Plan which is approved annually by the Group Board Audit Committee. The plan is developed using a risk-based approach to prioritise work so that cost-effective effort is directed towards providing assurance that the key risks facing the Group are controlled, and identifying weaknesses where they are not. Appropriate recommendations will be agreed with business management to address identified weaknesses. Through its activities, Internal Audit will provide management with information to help facilitate improvement in the Group’s risk management and controls.
Specific areas of responsibility include:
- In accordance with the Internal Audit Annual Plan, undertake a programme of reviews of key functional areas, processes and systems to ensure that material risks are identified and managed. These will include, but will not be limited to, reviews of: design and operating effectiveness of the internal governance structures and processes of the organisation; the setting of, and adherence to, risk appetite; the risk and control culture of the organisation; risks of poor customer treatment giving rise to conduct or reputational risk; capital and liquidity risks; key corporate events; and outcome of processes;
- In addition to the completion of reviews as outlined in the Internal Audit Annual Plan, Internal Audit’s activities will also include consulting, assurance and project work, in accordance with Executive Director, Group Board Audit Committee or regulatory requests;
- Provide assurance over the governance, risk management, project and financial controls together with quality assurance processes operated within key business initiatives;
- Provide an independent assessment of the progress made by management in implementing actions agreed to manage risk issues and control weaknesses reported in external and internal audit reports. Report outstanding overdue actions to the Group Board Audit Committee on at least a quarterly basis. Issue details of all outstanding management commitments to Executive management on a periodic basis;
- Responsibility for providing independent assurance that the risk management process is functioning as designed, as the third line of defence within the Group’s ‘Three Lines of Defence Model’;
- Maintain close co-operation between Internal Audit and the Group’s Compliance and Risk Functions, including the exchange of relevant information. Regular meetings will be held to discuss risks, identify potential areas of reliance and to develop effective working relationships;
- Maintain an appropriate level of professional audit staff with sufficient knowledge, skills, qualifications and experience to meet the requirements of this Charter;
- Evaluate and assess emerging risks and their potential impact on the Group’s operations. Internal Audit may instigate additional work to address new and emerging risks during the year. The impact of carrying out these reviews on the annual plan will be assessed and reported to the next Group Board Audit Committee meeting;
- Report to the Group Board Audit Committee and relevant executive committees summarising the results of audit activities;
- Report to the Group Board Audit Committee, as appropriate, a review of any post-mortem and ‘lessons learned’ analysis if a significant adverse event has occurred (for example, a regulatory breach). Any such review will assess both the role of the first and second lines of defence and Internal Audit’s own role;
- At least annually, Internal Audit will report to the Group Board Audit Committee its assessment as to the overall effectiveness of the governance, and risk and control framework of the Group, and its conclusions on whether the Group’s risk appetite framework is being adhered to, together with an analysis of themes and trends emerging from Internal Audit’s work and their impact on the Group’s risk profile; and
- Remain up to date with an understanding of Group, industry and regulatory developments in order to ensure that a high quality service can be provided by sufficiently competent staff.
Authority
The following characterise Internal Audit’s rights and authority:
- The Group Chief Internal Auditor reports directly to the Group Board Audit Committee Chair with an administrative reporting line to the Group Chief Executive and has the right of access to the Chair of the Group Board and Executive Directors;
- The right to attend Group and Bank Executive and other governance committee meetings and Group Board Audit Committee meetings;
- Unrestricted and timely access (as authorised by the Group Board) to all the Group’s operations, records, systems and assets in whatever media and wherever stored and to staff, contractors, third parties, management and Directors; and
- Ability to call a Group Board Audit Committee meeting, if required, through agreement with the Group Board Audit Committee Chair.
Accountability
In discharging his/her duties, the Group Chief Internal Auditor shall be accountable for:
- Providing an assessment of the adequacy and effectiveness of the Group’s processes for controlling its activities and managing risks;
- Reporting on material control issues that impact the achievement of the Group’s goals and objectives;
- Reporting on Group Management’s response to addressing significant control issues; and
- Reporting on the progress of the Internal Audit department in meeting its objectives and on the adequacy of its resources.
Status and Independence
Group Management are responsible for the establishment and maintenance of effective risk management practices and internal controls within the Group and for periodically confirming their continued operation.
Internal Audit is a review function that does not relieve management of the responsibility for maintaining effective controls. Internal Audit is not authorised to perform line activities, as this would impair its objectivity, and it does not have direct responsibility or authority over the activities it reviews.
Professional Standards and Disclosure
All internal audit activity will be undertaken in accordance with the Department’s policies to ensure consistent professional standards are adopted. Internal Audit will adhere to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements.
Annually, the Group Chief Internal Auditor will communicate with the Group Board Audit Committee about the Internal Audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by an external, qualified, independent assessor.
The Group’s external auditors and regulators have the right to request any information from Internal Audit, including internal audit reports which may be requested by these external parties to allow them to discharge their obligations.
Relationship with External Auditors and the Regulator
There will be close co-operation between Internal Audit and the Group’s external auditors, including the exchange of relevant information, to avoid the duplication of work and thereby maximise the efficiency of audit resource. Regular meetings will be held with the external auditors to discuss risks, identify potential areas of reliance and to develop effective working relationships.
The Group Chief Internal Auditor will develop an effective working relationship with the FCA and PRA supervisory teams and provide reports and information as requested by them.
Approval and Review
This Charter will be reviewed at least annually by the Group Chief Internal Auditor and the conclusion and any recommendations will be proposed to the Group Board Audit Committee for approval.