Internal Audit Charter

Internal Audit and our purpose

We’re an independent review function established by the Board to review the adequacy and effectiveness of governance, risk management and internal control. Our purpose is to strengthen the Society’s ability to meet its Purpose by providing the Board and management with independent, risk-based and objective assurance, insight and foresight, and by being a critical friend.

Making sure we’re objective and independent

We’re separate from any of the activities we review. This is important because it means when we carry out an audit, share our findings, and give our opinions and advice, we’re able to do it without any bias. Basically, it means we’re not marking our own homework!

There are lots of steps in place to make sure we’re objective and independent:

  • The Audit Committee are responsible for setting the objectives and reviewing the performance of our Chief Internal Auditor. Our Chief Internal Auditor’s remuneration has been set up purposefully to avoid conflicts of interest and not hinder or limit their independence and objectivity.
  • Our Chief Internal Auditor reports directly to the Chair of the Audit Committee and meets at least once a year in a ‘private’ session with the Audit Committee. Our Chief Internal Auditor has regular meetings with the Chief Executive and other Executive Committee (ExCo) members. Our Chief Internal Auditor also has direct access to the Board’s Chair at all times. 
  • Where our Chief Internal Auditor’s time in role exceeds seven years, the Chair of the Audit Committee reviews their independence and objectivity each year, and discusses their view with the Audit Committee.
  • We attend Committees and Working Groups, as well as receiving meeting papers, so we can keep up to date with what’s happening around the Society and offer a different perspective and challenge when it’s right to, but we don’t have a say in any decision making.
  • An external assessment of what we do is conducted every five years by an external third party in line with the Global Internal Audit Standards and the Internal Audit Code of Practice (‘the Standards’).  
  • If a colleague from another department joins our team, they won’t lead or take part in any audits which involve the area they’ve joined from for at least 12 months. Similarly, if a member of our team moves to another area of the business, they won’t audit that business area during the period of transition.

Our authority and access

We’ve got the full authority of the Board to carry out our duties, giving us unrestricted access to records, IT systems, documents, properties, colleagues and directors in all areas of the Society’s operations. 

We treat this authority and access with respect and sensitivity, and we’ll always think about who in the team needs access to what information. Information which is extremely confidential may be restricted to our Chief Internal Auditor. 

What's our scope?

The scope of our work covers all activities of the Society, based on an assessment of risk, including:

  • Evaluating whether key risks associated with delivering the Society’s Strategy are effectively managed.
  • The design and operation of the Society’s corporate governance arrangements.
  • The setting of, and adherence to, risk appetite.
  • The suitability, accuracy, reliability and integrity of management information including information presented to the Board.
  • The adequacy and effectiveness of financial, operational and management controls relating to the risks under review.
  • Risk management culture in place to proactively identify and manage issues.
  • Conduct risk management including the risk of not delivering good customer outcomes.
  • Compliance with laws and regulations and with policies, standards, plans and procedures established by the Board.
  • Safeguarding of Society assets from losses or fraud.
  • Capital, liquidity and other prudential regulatory risks.
  • Key events, including process changes and the introduction of new products and services.
  • The follow-up action taken to remedy weaknesses identified by an Internal Audit review.
  • The management of significant change portfolios. 

The responsibilities of the Chief Internal Auditor

Our Chief Internal Auditor is responsible for:

  • The effective review of all aspects of risk management (including risk management culture) throughout the Society’s activities.
  • Creating and implementing an annual audit plan based on significant risks the Society faces, and securing approval of the plan and any budget needed from the Audit Committee.
  • Leading a professional Audit team with sufficient knowledge, skills, and experience to carry out the plan. This includes external resources as required. 
  • Ensuring our team complies with ‘the Standards’.
  • Running a ‘Quality Assurance and Improvement Programme’ to review our performance and how we meet ‘the Standards’.
  • Meeting with internal Risk teams, as well as our external auditors, to help inform understanding of areas of greater risk and to coordinate our work.
  • Reviewing, updating and presenting this Charter to the Audit Committee annually. 

Reporting Requirements

Our Chief Internal Auditor is accountable to the Audit Committee for:

  • Delivering the Internal Audit plan and reporting significant findings and potential recommendations for improving governance, risk management and control processes.
  • Providing regular information on the status and results of the annual audit plan and the capacity and capability of our Internal Audit resources.
  • Sharing their annual opinion on adequacy and effectiveness of our Society’s system of governance, risk management and internal control, as well as an assessment of our Society’s risk management culture.
  • Providing insight on themes and trends and emerging risks.
  • Reporting any issues that cannot be resolved with management.