The primary role of Internal Audit is to help protect the assets, reputation and sustainability of an organisation.
The mission of an Internal Audit function (“Internal Audit”) is to provide independent, objective assurance and advice to assist senior management in appropriately managing the key risks to which the business is exposed.
This will be achieved through a systematic approach to assessing the effectiveness of risk management, control and governance processes in monitoring, managing and mitigating the risks to the achievement of business objectives.
2. Nature and purpose of Internal Audit
The purpose of the independent assurance function of Internal Audit is to evaluate whether the nature and extent of business risks are being managed effectively within the context of business objectives. A system of internal control is one of the primary means of managing risk and consequently the evaluation of its effectiveness is central to Internal Audit’s responsibilities. The system of internal control comprises the policies, procedures and practices, as well as organisational culture that collectively support the entity’s effective operation in the pursuit of its objectives. This system of internal control enables a business to respond to significant business risks, be they of an operational, financial, compliance or other nature, and is the direct responsibility of the Executive Directors and the Audit and Compliance Committee.
3. Objectives and Responsibilities
Assessment of risks
- To develop and implement a process, based upon Internal Audit’s own view of the structure of the organisation, to independently assess all risks faced by the business on a regular basis. The risk assessment is updated on a sufficiently regular basis to ensure that the resulting assurance activity addresses all key risks on a timely basis and may take account of areas such as new or changing systems, business propositions, operations, and control processes coincident with their development, implementation, and/or expansion of the business or individual new products or systems. The risk assessment process may take account of the risk assessment performed by management, but should not be influenced by it.
Internal Audit Plan
- Prepare an annual Internal Audit Plan, setting out the timing and scope for Internal Audit assignments. The Internal Audit Plan shall be based on the independent risk assessment process, identifying business objectives and key risks to the achievement of those objectives, including any risks or control concerns identified by management;
- The Internal Audit Plan shall be reviewed and approved by the Audit and Compliance Committee and communicated to the Board. The Audit and Compliance Committee shall satisfy itself that the Plan addresses controls covering all key business risks, on an appropriate frequency. Any changes to the Plan shall be discussed with the Chair of the Audit and Compliance Committee and will be communicated to that Committee. Internal Audit is responsible for planning, conducting, reporting and following up on audit assignments;
- Implement the annual Internal Audit Plan as approved by the Audit and Compliance Committee. Audit fieldwork will be conducted in a professional and timely manner;
- Regularly review the Internal Audit Plan to ensure that it takes account of new and emerging risks.
- Review the adequacy of the Society to manage the key risks identified and to ensure compliance with policies, plans, procedures and business objectives established by the Board;
- Review procedures and systems and propose improvements;
- Contribute to the development of significant projects by reviewing the project methodology and assessing whether appropriate controls are incorporated;
- Assess the effectiveness of business processes and operations and determine if processes are economical and efficient use of resources.
- Assess the safeguarding of assets, including intangible assets, and containment of liabilities;
- Evaluate information security and associated risk exposures;
- Evaluate the organisation’s readiness in case of business interruption.
- Evaluate and provide reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organisation’s objectives and goals to be met;
- Evaluate regulatory compliance program;
- Compliance with policies, plans, procedures, laws and regulations, including corporate governance requirements.
- Maintain a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter by engaging in continuous education and staff development;
- Team with other internal and external resources as appropriate;
- Prepare Internal Audit Plans and design audit procedures with the objective of identifying any control weaknesses or deficiencies that, if not corrected, may give rise to a material risk of fraud and error; and
- Assist in the investigation of significant suspected fraudulent activities within the organisation and notifying management and the Audit and Compliance Committee of the results.
Performance of the above may include periodic testing of transactions, comparisons against industry practice, special investigations, appraisals of regulatory requirements, and measures to help prevent and detect fraud. Internal Audit will support line managers in determining measures to remedy deficiencies in risk management and systems of control.
At the request of the Audit and Compliance Committee, specific studies, tasks, ad hoc appraisals, investigations, reviews or projects requested may be carried out, subject to the agreement of appropriate additional engagement terms. In these cases appropriate safeguards must ensure internal audit independence.
Internal Audit will also perform retrospective or “lessons learned” reviews following any significant adverse events within the business. Where performed, such audits will consider the role of the both the first and second lines of defence within the business, as well as Internal Audit’s own role. Such reviews will be approved by the Audit and Compliance Committee before commencement.
The Audit and Compliance Committee is responsible for assessing the effectiveness of Internal Audit on an annual basis and in assisting to ensure that Internal Audit is afforded a sufficiently high standing within the organisation, necessary to achieve that effectiveness.
Internal Audit will have no direct responsibility or authority for any of the activities or operations they review. Internal Audit shall not develop or install procedures, prepare records or engage in activities that would likely be reviewed by Internal Audit. Furthermore, an internal audit does not in any way relieve other persons in the organisation or delegated parties/service providers of the responsibilities assigned to them.
4. Code of Ethics
Internal Audit has a responsibility to conduct themselves so that their integrity, objectivity, confidentiality and competency are not open to question. Standards of professional behaviour are based upon the Code of Ethics issued by the Chartered Institute of Internal Auditors (“CIIA”) – UK and Ireland. Internal auditors will:
- Exercise honesty, objectivity and diligence in the performance of their duties and responsibilities;
- Not knowingly be a party to any illegal or improper activity;
- Promote appropriate ethics and values within the organisation;
- Refrain from entering into any activity which may be in conflict with the interest of the organisation or which would prejudice their ability to objectively carry out their duties;
- Decline to accept anything that may impair or be presumed to impair their professional judgment;
- Be prudent in the use of information acquired in the course of their duties and not use confidential information for any personal gain or in a manner that knowingly would be detrimental to the welfare of the organisation;
- Use reasonable care to obtain sufficient, factual evidence to support the conclusions drawn and, in reporting, reveal such material facts known to them which, if not revealed, could distort the report of the results of operations under review or conceal; and
- Engage only in those projects which they have the necessary knowledge, skill and experience.
5. Compliance with the CIIA Recommendations on “Effective Internal Audit in the Financial Services sector” (the “CIIA recommendations”)
Internal Audit will operate in accordance with the CIIA recommendations. The manner in which this compliance is achieved will be set out within the annual Internal Audit Plan.
6. Authority and Access to Records, Personnel and Property
Internal Audit is established by, and its responsibilities are defined by, the Audit and Compliance Committee, a sub-committee of the Board of Directors. Internal Audit is granted full, free, and unrestricted access to any and all records, information, physical properties and personnel relevant to any function or area within the business (including where such information is held by third parties). Internal Audit will ensure confidentiality is maintained in respect of all information and records obtained in the course of performing its duties.
7. Objectivity and Independence
Internal Audit is independent from the business and is directly responsible to the Chairperson of the Audit and Compliance Committee with a day-to-day administrative reporting line to the Chief Executive and the Head of Governance, Risk and Compliance. Internal Audit shall have free and unrestricted access to the Chairman of the Board, the Chairman of the Audit and Compliance Committee and the Chief Executive.
Those working within Internal Audit are not permitted to perform day-to-day control procedures or take operational responsibility for any part of business operations outside Internal Audit. Management is responsible for the establishment and ongoing operation of the internal control system. The Audit and Compliance Committee will review the scope and nature of the work performed by Internal Audit to confirm its independence.
8. Reporting and Communication
A draft audit report will be prepared at the conclusion of each audit and facts will be agreed with senior management. Management responses to findings and action plans will be agreed, including deadlines and identification of those responsible for implementation. Copies of all Audit Reports will be provided to the Chief Executive and the Head of Governance, Risk and Compliance, in addition to the lead contact for each review and those members of management to whom respective actions have been assigned, with summary reports presented to all members of the Audit and Compliance Committee. Management is responsible for the closure of Internal Audit findings and for monitoring the timely completion of actions to address these findings. Internal Audit is responsible for the formal acceptance on a periodic basis of the closure of Internal Audit findings.
Additionally, Internal Audit will:
- Report to the Audit and Compliance Committee on a periodic basis regarding progress against the Internal Audit Plan and to present the results of Internal Audit work performed. Internal Audit will issue quarterly reports to the Audit and Compliance Committee summarising results of audit activities;
- Maintain open communication and inform the Audit and Compliance Committee and Management of emerging trends and best practices in internal auditing;
- Liaise on an ongoing basis with the compliance function, external audit and other parties as appropriate to ensure proper coverage and avoid unnecessary duplication of effort;
- Track audit recommendations to resolution and report progress to the Audit and Compliance Committee; and
- Report risk management issues and internal controls deficiencies identified directly to the Audit and Compliance Committee and provide recommendations for improving the organisation’s operations, in terms of both efficient and effective performance.
Internal Audit will provide an annual conclusion to the Audit and Compliance Committee on:
- The risk management, governance and control framework in place within the organisation;
- The consistency of application of the risk governance framework within the organisation during the year; and
- The independence and objectivity of the Internal Audit function, as well as the adequacy of resourcing from a headcount and skillset perspective.
9. External Auditors
The external auditors fulfil a statutory duty. Effective collaboration between internal audit and the external auditors is imperative to ensure effective and efficient audit coverage and resolution of issues of mutual concern. Internal audit ensures that internal control issues raised by the external auditors are addressed. Internal and external audit meet annually, upon request from management or external audit to:
- Plan the respective internal and external audits;
- Discuss potential issues arising; and
- Provide effective audit coverage to the organisation at reasonable cost.
10. Service Standards
We undertake to meet the following service levels:
- Prior to commencing an audit, we will have a discussion with the member of senior management responsible for the business area to assess the audit scope and any issues that management are aware of. We will give at least two weeks’ notice before commencing our work.
- We will notify management immediately of any significant concerns arising from our work.
- We will agree the accuracy of the points raised, initially with management and then formally at the close meeting prior to the issue of a draft report.
- We will hold a close meeting at the end of our fieldwork visit.
- We will issue a draft report within fifteen working days of our fieldwork, subject to ensuring that Audit and Compliance Committee reporting deadlines are met.
- Following the issuance of a draft report, management responses will be agreed within two working weeks (subject to the timing of any internal Board or Board sub-committee meetings where necessary to agree those responses).
- We will issue the final report within a further working week of agreeing final management responses.
- All final audit reports will be issued in accordance with management’s internal timetable for the finalisation of papers before each Audit and Compliance Committee meeting.
11. Quality Assurance and Continuous Improvement
Internal Audit strives to deliver high quality assurance and insight to the Audit and Compliance Committee and management at all times. The quality of Internal Audit reporting is assured through (1) the involvement of specialists in delivery of relevant areas of the Internal Audit Plan, (2) the application of a robust review process prior to the issue of any Internal Audit reports or conclusions and (3) the performance of an independent Internal Audit Quality Assessment once every three years (with effect from 2019), the results of which and an action plan to address any issues identified are shared with the Audit and Compliance Committee.
Internal Audit aim to continuously improve methodology, procedures, technologies and quality. This is achieved through regular review of industry developments and emerging audit technologies, as well as the application of “lessons learned” from recent Internal Audit delivery, including the outcome of the independent Internal Audit Quality Assessment process outlined above.