Internal Audit Charter

This Charter formally defines the Group Internal Audit’s purpose, authority and responsibility. Final approval of the Charter rests with the Group Audit Committee on behalf of the Board. This applies to OneSavings Bank plc and Charter Court Financial Services Group plc and their subsidiaries (the Group).

The Charter will be subject to annual review by the Group Audit Committee.

Purpose and mission

The purpose of the Group Internal Audit (GIA) function is to provide independent, objective assurance and consulting services designed to add value and protect the Group’s assets, reputation and sustainability. GIA’s mission is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

It assists the Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the governance, risk management and control processes.

The internal audit activity is established by the Board of Directors, which has delegated authority to the Group Audit Committee to oversee the activities of the internal audit function.

Standards for the Professional Practice of Internal Auditing

GIA will govern itself by adherence to the mandatory elements of The Global Institute of Internal Auditors International Professional Practices Framework including its Standards, Definition and Core principles for the Professional Practice of Internal Auditing, the Code of Ethics as well as the UK and Ireland Chartered Institute of Internal Auditors ‘Guidance on Effective Internal Audit in the Financial Services Sector’.

Authority

The Group Chief Internal Auditor’s primary reporting line is to the Chair of the Group Audit Committee with a secondary Executive reporting line to the Chief Executive Officer.

The Group Audit Committee will approve all decisions regarding the performance evaluation, appointment, or removal of the Group Chief Internal Auditor as well as their annual compensation and salary adjustment.

The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free, timely and unrestricted access to any and all of the organisation's functions, records, physical properties, personnel and to attend any committee forums pertinent to carrying out any engagement. All employees are required to assist the internal audit activity in fulfilling its roles and responsibilities.

The internal audit activity will have free and unrestricted access to the Chair of the Group Audit Committee and the Board, including in private meetings without management present. Any disagreement over the authority of GIA will be referred to the Group Audit Committee Chairman for adjudication, with final appeal to the Board of Directors.

Independence and objectivity

The internal audit activity will remain free from interference by any element in the organisation, including in matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. Internal auditors should exhibit professional objectivity and make balanced assessments of all available and relevant facts and circumstances about the activity or process examined. If GIA determines that independence or objectivity may be impaired in fact or appearance, or there has been an attempt to unduly influence the auditors, the Group Chief Internal Auditor will disclose this to the Group Audit Committee.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgement or independence.

The Group Chief Internal Auditor will confirm to the Group Audit Committee, at least annually, the organisational independence of the internal audit activity.

Scope of internal audit activities

GIA operates as the third line of defence within the Group’s three lines of defence risk management framework.

The scope of the internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments on the adequacy and effectiveness of governance, risk management and control processes.

As a minimum, the scope will include:

  • internal governance;
  • the information presented to the Board and Executive management for strategic and operational decision making;
  • the assessment of, and adherence to, risk appetite;
  • the risk and control culture of the organisation;
  • risks of poor customer treatment giving rise to conduct or reputational risk;
  • capital, liquidity and other prudential regulatory risks;
  • key corporate events; and
  • the outcomes of processes.

Responsibilities

Internal Audit Plan:

At least annually, the Group Chief Internal Auditor will submit to the Group Audit Committee a risk-based internal audit plan for review and approval. The impact of resource limitations will be communicated to the Group Audit Committee.

The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based methodology to independently assess the risks faced by the organisation, including input from senior management and the Group Audit Committee. GIA’s independent view will be informed, but not determined, by the views of management or the Risk function. The audit plan will be reviewed and adjusted, as necessary, in response to changes in the Group’s business, risks, operations, programs, systems and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Group Audit Committee.

Delivery of the Plan:

The Group Chief Internal Auditor is responsible for delivering the audit plan, assessing the resources and skills required and recruiting and maintaining an in-house team with the right skills, knowledge and experience to challenge management or engaging co-source providers as appropriate. In doing so, the Group Chief Internal Auditor will establish, maintain and ensure adherence to the policies and procedures guiding the internal audit activity.

Coordination with other assurance providers:

The Group Chief Internal Auditor will coordinate internal audit activities, where possible, with other internal and external assurance providers to prevent duplication of effort, and will consider where reliance on their work can be placed as needed.

Reporting and monitoring:

A written report will be prepared and issued by the Group Chief Internal Auditor or delegate following the conclusion of each internal audit engagement and will be distributed to the appropriate Executive and the Group Audit Committee.

The internal audit report will include management's response and corrective action to be taken in regard to the specific findings and recommendations. It will include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

Responsibility for ensuring appropriate corrective action is taken, or formal risk acceptance is obtained from the relevant governance body, lies with management. This does not preclude GIA recommending appropriate mitigating actions as part of their reporting responsibilities. The internal audit activity will follow up on audit findings until management’s remedial actions are completed. All significant findings will remain on the Internal Audit Issue Tracker until cleared.

In addition, the Group Chief Internal Auditor will:

  • periodically report to the Group Audit Committee on internal audit results and performance relative to the internal audit plan; and
  • at least annually, provide an assessment of the overall effectiveness of the governance, and risk and control framework, together with an analysis of themes and trends emerging from Internal Audit work to the Group Audit Committee.

Any advisory work to help management develop an effective control framework is expected to be a small proportion of internal audit’s work, provided that GIA does not assume management responsibility. Advisory work relates to consultancy services, the nature and scope of which are subject to agreement with management and which are generally performed at their specific request.

Relationship with Regulators:

The Group Chief Internal Auditor will have an open, constructive and co-operative relationship with regulators that supports sharing of information relevant to carrying out their respective responsibilities.

Quality assurance

The Group Chief Internal Auditor will:

  • maintain a quality assurance and improvement programme, commensurate with the size of the GIA function, and periodically report the results to the Group Audit Committee; and
  • provide quality assurance oversight to evaluate the performance of GIA to ensure a consistent approach and output from both in-house and co-source resources.

The Group Audit Committee will:

  • conduct an annual survey of GIA’s effectiveness, completed by members of the Group Audit Committee and the Group Executive Committee; and
  • commission an independent external assessment of Internal Audit, in line with the Chartered Institute of Internal Auditors’ Standards, at least once every five years.

This Charter was approved by the Group Audit Committee of OneSavings Bank plc and Charter Court Financial Services Group plc on 12 October 2020.