Internal Audit is an independent review function set up within the Society as a service to the Board and all levels of management. The Divisional Director, Internal Audit is responsible for the effective review of all aspects of risk
management (including risk management culture) throughout the Society’s activities.
Internal Audit is independent of the activities which it audits to ensure the unbiased judgements essential to its proper conduct and impartial advice to management.
To maintain objectivity and independence, Internal Auditors shall have no direct operational responsibilities or authority over any of the activities they review. Additionally, they shall not develop nor install systems or procedures,
prepare records, or engage in any other activity which would normally be audited or which may impair their ability to maintain their independence.
The Divisional Director, Internal Audit has a direct reporting line into the Chairman of the Audit Committee, meets at least once per year in a ‘private’ session with the Audit Committee and has regular meetings with the Chief Executive. Additionally, regular meetings are also held with the Group Secretary and Chief Financial Risk Officer. The Divisional Director, Internal Audit also has the right of access to the Chairman at all times.
The Divisional Director, Internal Audit, although a member of the Executive Committee (ExCo), does not have any voting rights or decision making authority.
The purpose of the Internal Audit Department is to:
- provide the Audit Committee with independent assurance as to whether the Society’s Risk Management Framework (RMF) is appropriate for the Society's Risk Profile, has been adequately defined, understood and implemented for each material risk, and is operating effectively to ensure that any current and foreseeable exposure remains within risk appetite;
- assess whether the financial, operational and risk Management Information (MI), plus Key Performance Indicators supplied to senior management and the Board are accurate, relevant, timely and complete; and
- provide assurance and consultancy services to the working groups of major projects and, where appropriate, carry out pre and post implementation audit reviews.
Internal Audit has unrestricted access to all activities undertaken by the Society, in order to review, appraise and report on:-
- the adequacy and effectiveness of the systems of financial, operational and management control, and their operation in practice in relation to the business risks to be addressed;
- the adequacy and effectiveness of the risk management culture in place to proactively identify and manage issues;
- the extent of compliance with, relevance of, and financial effect of, policies, standards, plans and procedures established by the Board and the extent of compliance with external laws and regulations, including reporting requirements of regulatory bodies;
- the extent to which the assets of the Society are acquired, used efficiently, accounted for and safeguarded from losses of all kinds arising from waste, extravagance, inefficient administration, poor value for money, fraud or other cause and that adequate business continuity plans exist;
- the suitability, accuracy, reliability and integrity of financial and other management information and the means used to identify measure, classify and report such information;
- the integrity of processes and systems, including those under development, to ensure that controls offer adequate protection against error, fraud and loss of all kinds; and that the process aligns with the Society’s strategic goals;
- the suitability of the areas audited for carrying out their functions, and to ensure that services are provided in a way which is economical, efficient and effective;
- the follow-up action taken to remedy weaknesses identified by Internal Audit review, ensuring that good practice is identified and communicated widely; and
- the operation of the Society’s corporate governance arrangements.
Internal Audit staff have the full authority of the Audit Committee, the Board and the Chief Executive when carrying out their duties. The Department has the right of unrestricted access to records, IT systems, documents, properties, staff and directors in all areas of the Society’s operations. This right of access shall be exercised reasonably at all times and may be restricted to the Divisional Director, Internal Audit in matters of extreme confidentiality. Access restrictions and lack of co-operation by staff or directors that affect the scope of any review will be reported to the Audit Committee.
The Divisional Director, Internal Audit is responsible for:-
- developing an annual audit plan, based on an understanding of the significant risks to which the Society is exposed;
- submitting the plan to the Audit Committee for review and agreement;
- maintaining a professional audit team with sufficient knowledge, skills and experience to carry out the plan (including the use of external resources as necessary); and
- ensuring that the Department complies with the Standards and Guidelines for the Professional Practice of Internal Auditing (including the Code of Ethics) as upheld by the Chartered Institute of Internal Auditors – UK.
The Divisional Director, Internal Audit is accountable to the Audit Committee for:-
- providing regular assessments of the adequacy and effectiveness of the Society’s systems of risk management and internal control, based on the work of Internal Audit, and separately, an assessment of the risk management culture within all areas reviewed as appropriate;
- reporting significant control issues and potential recommendations for improving risk management and control processes;
- providing periodically, information on the status and results of the annual audit plan and the sufficiency of Internal Audit resources; and
- reviewing, updating and presenting this Charter to the Audit Committee on an annual basis.
Any breaches of the Society systems of control or other issues that cannot be resolved with Management will be reported to the Chairman of the Audit Committee.