Internal Audit Charter

This Charter formally defines Group Internal Audit’s purpose, authority and responsibility. Annual approval of the Charter rests with the Group Audit Committee on behalf of the Board. This applies to OSB GROUP PLC and its subsidiaries (together, the Group).

Purpose

The purpose of Group Internal Audit (GIA) is to enhance and protect the Group’s assets, reputation and sustainability by providing risk-based and objective assurance, advice and insight.

The team assists the Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the governance, risk management and internal controls.

Authority

GIA’s authority is received from the Group Audit Committee (GAC) and, with strict accountability for confidentiality and safeguarding records, gives the team unrestricted access to any and all of the Group’s records, personnel, property, and management information as well as to attend any committee forums pertinent to carrying out any engagement.

The Group Chief Internal Auditor reports directly to the Chair of the GAC and administratively to the Chief Executive Officer. Communication directly with the GAC is expected, including in private meetings without management present. GAC authority and responsibilities are reflected within the GAC Terms of Reference.

Independence and objectivity

GIA’s work is performed free from interference, including in matters of audit selection, scope or report content, to enable independence and objectivity to be maintained. If GIA determines that independence or objectivity may be impaired in fact or appearance, or there has been an attempt to unduly influence the auditors, the Group Chief Internal Auditor will disclose this to the GAC.

GIA commit that the team will exhibit professional objectivity and make balanced assessments of all available and relevant facts and circumstances about the activity or process.

They will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgement or independence.

The Group Chief Internal Auditor will confirm to the GAC, at least annually, the organisational independence of the internal audit activity.

Role and Scope

GIA operates as the third line within the Group’s three lines of defence risk management framework.

The role of GIA is to perform independent assessments of the adequacy and effectiveness of governance, risk management and internal controls performed by the first and second lines within the Group. If areas of efficiency are identified, these will be disclosed to management.

As a minimum, the scope will include:

  • internal governance;
  • the information presented to the Board and Executive management for strategic and operational decision making;
  • the assessment of, and adherence to, risk appetite;
  • the risk and control culture of the organisation, including the adequacy and effectiveness of the risk management, compliance and finance functions;
  • risks of poor customer treatment giving rise to conduct or reputational risk;
  • solvency, liquidity and other prudential regulatory risks;
  • key corporate events; and
  • the outcomes of processes.

In addition, GIA may occasionally provide advisory or consultancy services to help management develop an effective control framework. During these services, GIA will not be involved in designing controls to be implemented by the Group and neither will GIA provide sign off on projects. This will ensure the team maintains its independence for future audits.

Responsibility

The Group Chief Internal Auditor has responsibility to:

  • ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld;
  • produce a risk-based Internal Audit plan, together with any changes in resource or budget required to deliver it, that will be submitted for approval to the GAC each year;
  • review and adjust the Internal Audit plan, as necessary, in response to changes in the Group’s strategic priorities, risks, operations, systems and controls. Any material deviation from the approved internal audit plan will be communicated to the GAC;
  • deliver the audit plan, assessing the resources and skills required and recruiting and maintaining an in-house team with the right skills, knowledge and experience to challenge management or engage co-source subject matter experts as appropriate;
  • prepare a written report following each audit that contains key findings (including root cause) and a summary of the corrective action agreed with management, together with a target date for completion. Final reports will be issued to the responsible Executive and GAC;
  • monitor the follow-up action undertaken by management to remedy weaknesses identified by GIA, ensuring that action taken is sufficient and timely and that controls introduced are operating as intended to mitigate the risk;
  • provide periodic reports to GAC summarising the status of the audit plan, the results of audit activities and details of significant issues identified; and
  • provide GAC with an annual opinion on the Group Chief Internal Auditor’s assessment of the overall effectiveness of the governance, risk and control arrangements; their conclusion on whether the risk appetite framework is being adhered to; any significant control weaknesses, thematic issues, or trends emerging from GIA activities and their impact on the Group’s overall risk profile.

Co-operation

The Group Chief Internal Auditor has an open, constructive and co-operative relationship with all regulators that supports sharing of information relevant to carrying out their respective responsibilities.

In addition, there is a high degree of co-operation between GIA and the Group’s Risk and Compliance functions, third party providers and the external auditors, which will include the exchange of relevant information, in order to maximise efficiency and avoid duplication where possible.

Quality assessment and improvement programme

The Group Chief Internal Auditor will maintain a quality assessment and improvement programme which meaningfully challenges GIA’s performance and adherence to its methodology and industry standards.

The GAC will:

  • conduct an annual survey of GIA’s effectiveness, completed by members of the GAC and the Group Executive Committee; and
  • commission an independent external quality assessment, in line with the Chartered Institute of Internal Auditors’ Standards, at least once every five years.

Standards

GIA will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, including the Definition, Core Principles, Code of Ethics and International Standards.

In addition, GIA staff must comply with the Group’s policies and procedures and possess the knowledge, skills and discipline necessary to discharge their responsibilities.

This Charter was approved by the Group Audit Committee of OSB GROUP PLC and its subsidiaries on 17 October 2023.