Recognise Bank Limited
The primary role of the Internal Audit function is to help the Bank’s Board and Executive Management protect the assets, reputation and sustainability of the organisation.
The mission of Internal Audit is to provide independent, objective assurance and advice to assist senior management in appropriately managing the key risks to which the Bank is exposed. This will be achieved through a systematic approach to assessing the effectiveness of risk management, control and governance processes in monitoring, managing and mitigating the risks to the achievement of business objectives.
The purpose of the independent assurance function of Internal Audit is to evaluate whether the nature and extent of business risks are being managed effectively within the context of business objectives. A system of internal control is one of the primary means of managing risk and consequently the evaluation of its effectiveness is central to Internal Audit’s responsibilities.
The system of internal control comprises the policies, procedures and practices, as well as organisational culture that collectively support the Bank’s effective operation in the pursuit of its objectives. This system of internal control enables a business to respond to significant business risks, be they of an operational, financial, compliance or other nature, and is the direct responsibility of the Executive Directors and the Audit Committee.
Internal Audit’s objectives are to:
- Safeguard the Bank by protecting the assets, reputation and sustainability of the Bank;
- Perform assurance activities including business as usual and change;
- Focus on key risk issues and controls (alongside other assurance providers) with increasing focus on customer experience and outcomes;
- Gauge and report on the risk and control culture;
- Help assess and report whether agreed business actions are implemented sustainably; and
- Conduct such internal audit work as is necessary to discharge its responsibilities.
The Internal Audit function derives its authority from the Board Audit Committee, providing it unrestricted access to all businesses, functions, systems and staff of the Bank. The Board, its Committees and Executive Management are responsible for setting the appropriate tone at the top to ensure support and acceptance of Internal Audit at all levels of the company.
The Bank’s Internal Audit function is independent of its business and operational management and has no direct operational responsibility over the areas under review.
The Bank’s Internal Audit reports functionally to the Chair of the Board Audit Committee and administratively to the Chief Executive Officer (CEO).
Internal Audit is responsible for maintaining confidentiality over all information and records obtained.
In setting its scope, Internal Audit should form its own judgement on how best to segment the audit universe given the structure and risk profile of the Bank.
In line with its role and responsibilities, Internal Audit has a risk-based coverage approach to provide assurance on the adequacy of the design and operational effectiveness of internal controls, governance and risk management in place to monitor, manage and mitigate the key risks to the Bank. The scope of the work is unrestricted and includes the assessment of:
- Internal governance;
- Information presented to the board for strategic decision making;
- Setting of, and adherence to, risk appetite;
- Risk and control culture;
- Risks of poor customer treatment;
- Capital, liquidity and other prudential regulatory risks;
- Key corporate events; and
- Outcomes of processes.
Internal Audit will undertake audits and may provide advisory services or agreed-upon procedures at the request of a third party or the Audit Committee. This may also include carrying out control assurance work to independently validate the progress of projects at the request of the business, as agreed by the Audit Committee. However, the final implementation of these improvement projects remains the full responsibility of management. In all cases, Internal Audit shall exercise professional care and judgement.
In addition, Internal Audit may review a post-mortem and lessons-learned analysis if a significant adverse event has occurred.
The Internal Audit function is independent of the activities that it audits, and it is required that members of the Internal Audit function are objective in performing their work. Independence is essential for the effective operation of Internal Audit Staff when carrying out their work. All Internal Audit activities must remain free of undue influence by management, including the scope and frequency of reviews, as well as the content of reports.
The Audit Committee will review the scope and nature of the work performed by Internal Audit to confirm its independence.
The responsibilities of Internal Audit are:
- Carry out an independent risk assessment based upon Internal Audit’s own view of the structure and risk profile of the Bank. The risk assessment is updated on a sufficiently regular basis, usually annually, to ensure that the resulting assurance activity addresses all key risks on a timely basis and may take account of areas such as new or changing systems, business propositions, operations, and control processes coincident with their development, implementation, and/or expansion of the business or individual new products or systems. The risk assessment process may take account of the risk assessment performed by management, but should not be influenced by it;
- Prepare an annual Internal Audit Plan, setting out the timing and scope for Internal Audit assignments. The Internal Audit Plan shall be reviewed and approved by the Audit Committee and communicated to the Board. The Audit Committee shall satisfy itself that the Plan addresses controls covering all key business risks, on an appropriate frequency. Any changes to the Plan shall be discussed with the Chair of the Audit Committee and will be communicated to that Committee;
- Internal Audit is responsible for planning, conducting, reporting and following up on audit assignments;
- Regularly review the Internal Audit Plan to ensure that it takes account of new and emerging risks;
- Review the adequacy of the design, implementation and operating effectiveness of controls established to manage the key risks identified and to ensure compliance with policies, plans, procedures and business objectives established by the Board;
- Assess whether all significant risks are identified and appropriately reported by Management and the Risk function to the Board and Executive Management;
- Identify, analyse, evaluate and record sufficient information during the execution of internal audit work to achieve the internal audit objectives;
- Maintain a quality assurance programme under which all Internal Audit documents, such as the Internal Audit Plan, Internal Audit Reports and work papers, undergo an independent quality assurance review;
- Communicate the Audit results accurately and timely following the completion of audit work to the relevant stakeholders. All work performed by the function is supported and documented for future verification purposes and retained in accordance with the record retention policy;
- Accurate, transparent and timely reporting to the Audit Committee and other governing bodies depending on the remit of respective governing bodies. The report should include, amongst other matters, significant risk and control issues including fraud, IT and other risks that have been accepted by the management but are detrimental to the Bank, key findings identified during the execution of the Audit Plan, root cause analysis, lesson-learned analysis and post-mortem review performed, a status update on the Audit Plan, key changes required in the plan (if any), and adherence to the organisation’s risk appetite;
- Track internal audit recommendations to resolution and report progress to the Audit Committee on a quarterly basis; and
- Maintain professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter by engaging in continuous education and staff development.
Internal Audit will be responsible for complying with the service level agreements as defined in Appendix 1 of this Charter.
At the request of the Audit Committee, specific studies, tasks, ad hoc appraisals, investigations, reviews or projects requested may be carried out, subject to the agreement of appropriate additional engagement terms. In these cases, appropriate safeguards must ensure internal audit independence.
Internal Audit will have no direct responsibility or authority for any of the activities or operations they review. Internal Audit shall not develop or install procedures, prepare records or engage in activities that would likely be reviewed by Internal Audit. Furthermore, an internal audit does not in any way relieve other persons in the organisation or delegated parties / service providers of the responsibilities assigned to them.
- Review and challenge procedures performed by Internal Audit, including any significant findings and emerging risks;
- Monitor, review and conclude upon the effectiveness of the Internal Audit on an annual basis;
- Approve the appointment and removal of the Chief Internal Auditor, including appointment and removal of an external service provider;
- Review and approve the Internal Audit Plan and set audit priorities; and
- Review and challenge procedures performed by Internal Audit function, including any significant findings and emerging risk trends.
Senior Management of the Bank is responsible for defining and establishing a control framework and maintaining an appropriate control environment and a system of internal controls to ensure that:
- Business activities are conducted in a controlled and efficient manner;
- Legal and regulatory requirements, management instructions and implied intentions are complied with;
- Decisions are made, by those authorised, based on adequate and sound information;
- The integrity of financial and other information is maintained;
- Assets are safeguarded;
- Economy, efficiency, effectiveness and quality of all operations are promoted;
- Adequate process and controls are in place to prevent and detect fraud and, in the event of an act or suspicion of fraud, Internal Audit is notified; and
- Adequate process and controls are in place to reduce the likelihood of errors or irregularities and the risk of any errors going undetected.
Senior Management is also responsible for providing Internal Audit with full access to all records, documentation and information necessary to perform audits.
A draft Audit Report will be prepared at the conclusion of each audit and facts will be agreed with senior management. Management responses to findings and action plans will be agreed, including deadlines and identification of those responsible for implementation. Copies of all Audit Reports will be provided to the Chief Executive, the Chief Risk Officer and members of the Audit Committee, in addition to the lead contact for each review and those members of management to whom respective actions have been assigned.
Management is responsible for implementing Management action plans to address the Internal Audit findings. Internal Audit is responsible for validating the findings to track the implementation of the Management action plans.
In addition, Internal Audit will:
- Report to the Audit Committee on a periodic basis regarding progress against the Internal Audit Plan and to present the results of Internal Audit work performed. Internal Audit will issue quarterly reports to the Audit Committee summarising results of audit activities;
- Maintain open communication and inform the Audit Committee and Management of emerging trends and best practices in internal auditing;
- Liaise on an ongoing basis with the Chief Risk Officer, external audit and other parties as appropriate to ensure proper coverage and avoid unnecessary duplication of effort; and
- Report risk management issues and internal controls deficiencies identified directly to the Audit Committee in order to highlight where management can improve the organisation’s operations, in terms of both efficient and effective performance.
Internal Audit will provide an annual conclusion to the Audit Committee on:
- The risk management, governance and control framework in place within the organisation; and
- The consistency of application of the risk governance framework within the organisation during the year.
Internal Audit should include wherever appropriate within its scope an assessment of the adequacy and effectiveness of other assurance functions such as Risk Management, Compliance and Finance functions.
Internal Audit should exercise informed judgement as to how much reliance could be placed on the work of the other assurance functions following a thorough evaluation of the effectiveness of that function in relation to the area under review.
The external auditors fulfil a statutory duty. Effective collaboration between internal audit and the external auditors is imperative to ensure effective and efficient audit coverage and resolution of issues of mutual concern. Internal audit ensures that internal control issues raised by the external auditors are addressed. Internal and external audit would meet annually, upon request from management or external audit, to:
- Plan the respective internal and external audits; and
- Discuss potential issues arising.
Internal auditors have a responsibility to conduct themselves so that their integrity, objectivity, confidentiality and competency are not open to question. Standards of professional behaviour are based upon the Code of Ethics issued by the Chartered Institute of Internal Auditors. Internal auditors will:
- Exercise honesty, objectivity and diligence in the performance of their duties and responsibilities;
- Not knowingly be a party to any illegal or improper activity;
- Promote appropriate ethics and values within the organisation;
- Refrain from entering into any activity which may be in conflict with the interest of the organisation or which would prejudice their ability to objectively carry out their duties;
- Decline to accept anything that may impair or be presumed to impair their professional judgment;
- Be prudent in the use of information acquired in the course of their duties and not use confidential information for any personal gain or in a manner that knowingly would be detrimental to the welfare of the organisation;
- Use reasonable care to obtain sufficient, factual evidence to support the conclusions drawn and, in reporting, reveal such material facts known to them which, if not revealed, could distort the report of the results of operations under review or conceal an unlawful practice; and
- Engage only in those projects for which they have the necessary knowledge, skill and experience.
Internal audit’s performance will be measured based on the following criteria:
- Timely approval of the internal audit plan – The annual audit plan is approved by the Audit Committee before the annual plan commences.
- Timely execution of all audits:
  - Draft and issue terms of reference two weeks before fieldwork;
  - Hard (post review) close meeting and issue of draft report within three weeks of end of fieldwork; and
  - Final report issued within one week of receipt of management responses.
- Timely issue of reports to audit committee – Provide quarterly reports to Board Audit Committee and notify the Chair of Board Audit Committee on issue of an “unsatisfactory” audit report.
- Timely update of audits to audit committee – All planned internal audit reviews in any given quarter are agreed with Board Audit Committee in prior quarter via the quarterly reporting (unless in exceptional circumstances).
- Independence – Confirmation of independence is provided annually or ad hoc, as may be required.