Internal Audit Charter

Introduction

This Internal Audit Charter provides the mandate and framework for the conduct of the Internal Audit function at Hanley Economic Building Society (‘HEBS’, ‘Hanley’ or ‘the Society’) and has been presented to the Audit and Compliance Committee (ACC) for approval. It has been created with the objective of formally establishing the purpose, authority and responsibilities of the Internal Audit function.

Purpose

Internal Auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organisation’s operations and to protect the assets, reputation and sustainability of the organisation. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.

Scope

All of HEBS activities (including outsourced activities) are within the scope of Internal Audit. Internal Audit determines what areas within its scope should be included within the annual audit plan by adopting an independent risk based approach. Internal Audit does not necessarily cover all potential scope areas every year. The audit program includes obtaining an understanding of the processes and systems under audit, evaluating their adequacy, and testing the operating effectiveness of key controls. Internal Audit can also, where appropriate, undertake special investigations and consulting engagements at the request of the ACC, senior management and regulators. Internal Audit will undertake financial crime related work including an Internal Audit review, which may touch upon certain aspects of fraud. Internal Audit will coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimise duplication of efforts.

Authority

The Internal Audit function of HEBS derives its authority from the Board through the ACC. The Head of Internal Audit (‘HIA’) is authorised by the ACC to have full and complete access to any of the organisation’s records, properties and personnel. The HIA is also authorised to designate members of the audit staff to have such full and complete access in the discharging of their responsibilities, and may engage experts to perform certain engagements which will be communicated to management. Internal Audit will ensure confidentiality is maintained over all information and records obtained in the course of carrying out audit activities.

Responsibility

The HIA is responsible for preparing the annual audit plan, using a risk-based methodology, in consultation with the ACC and senior management, submitting the audit plan, internal audit budget, and resource plan for review and approval by the ACC, implementing the approved audit plan, and issuing periodic audit reports on a timely basis to the ACC and senior management. If risks change during the year, Internal Audit may propose an in year adjustment to the annual audit plan to the Chair of the ACC. The HIA is responsible for ensuring that the Internal Audit function has the skills and experience commensurate with the risks of the organisation. The ACC should make appropriate inquiries of management and the HIA to determine whether there are any inappropriate scope or resource limitations. It is the responsibility of management to identify, understand and manage risks effectively, including taking appropriate and timely action in response to audit findings. It is also management’s responsibility to maintain a sound system of internal control and improvement of the same. The existence of an Internal Audit function, therefore, does not in any way relieve them of this responsibility. Management is responsible for fraud prevention and detection. As Internal Audit performs its work programs, it will be observant of manifestations of the existence of fraud and weaknesses in internal control which would permit fraud to occur or would impede its detection.

Reporting and monitoring

At the end of each audit, the HIA or designee will prepare a written report and distribute it as appropriate. Internal Audit will be responsible for appropriate follow-up of audit findings and recommendations. All significant findings will remain in an open issues file until cleared by the HIA or the ACC. The ACC will be updated regularly on the work of Internal Audit through periodic and annual reports. The HIA shall prepare reports of audit activities with significant findings along with any relevant recommendations and provide periodic information on the status of the annual audit plan. Periodically, the HIA will meet with the Chair of the ACC in private to discuss internal audit matters. The performance of Internal Audit will be monitored through the implementation of a Quality Assurance and Improvement Programme, the results of which will be reported periodically to Senior Management and the ACC

Independence and objectivity

Internal Audit staff will remain independent of the business and they shall report to the HIA who, in turn, shall report functionally to the ACC and directly to the ACC Chair, and administratively to the Head of Risk. Internal Audit staff shall have no direct operational responsibility or authority over any of the activities they review. Therefore they shall not develop nor install systems or procedures, prepare records or engage in any other activity which they would normally audit. Internal Audit activities shall remain free of influence by any element in the organisation, including matters of audit scope, procedures, frequency, timing, and report content to permit maintenance of independence necessary in rendering objective audit reports. Where Internal Audit deem this independence to be comprised the Head of IA will bring such matters to the attention of the ACC Chair. Internal auditors shall have no direct operational responsibility or authority over any of the activities within the scope of an internal audit project. Because of the importance of the ACC visibility to internal auditing to support independence and objectivity of the internal audit activity, the ACC should be involved in:

  • Approving the internal audit charter;
  • Approving the risk based internal audit plan;
  • Receiving communications from Internal Audit on its performance relative to its plan and other matters,
  • Approving decisions regarding major changes in the Internal Audit program; and
  • Making appropriate inquiries of management and Internal Audit to determine whether there are inappropriate scope or resource limitations.

Professional competence and due care

The Internal Audit function will perform its duties with professional competence and due care. Internal Audit will adhere to the Definition of Internal Auditing and Code of Ethics that are published by the Institute of Internal Auditors. Internal Audit will align to the Global Internal Audit Standards that are published by the Institute of Internal Auditors and the principles of the UK Internal Audit Code of Practice published by the Chartered Institute of Internal Auditors. Internal Audit will also adhere to the recommendations from the Chartered Institute of Internal Auditors’ Guidance (Effective Internal Audit in the Financial Services Sector) published in September 2017.