Internal Audit Charter
This Charter formally defines the Group Internal Audit’s purpose, authority and responsibility. Final approval of the Charter rests with the Group Audit Committee on behalf of the Board. This applies to OneSavings Bank plc and Charter Court Financial Services Group plc and their subsidiaries (the Group).
The Charter will be subject to annual review by the Group Audit Committee.
Purpose and mission
The purpose of the internal audit function is to provide independent, objective assurance and consulting services designed to add value and protect the Group’s assets, reputation and sustainability. Internal audit’s mission is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.
It assists the Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the governance, risk management and control processes.
The internal audit activity is established by the Board of Directors, which has delegated authority to the Group Audit Committee to oversee the activities of the internal audit function.
Standards for the Professional Practice of Internal Auditing
Group Internal Audit will govern itself by adherence to the mandatory elements of The Global Institute of Internal Auditors International Professional Practices Framework including its Standards, Definition and Core principles for the Professional Practice of Internal Auditing, the Code of Ethics as well as the UK and Ireland Chartered Institute of Internal Auditors ‘Guidance on Effective Internal Audit in the Financial Services Sector’.
The Chief Internal Auditor’s primary reporting line is to the Chair of the Audit Committee with a secondary Executive reporting line to the Chief Executive Officer.
The Audit Committee will approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Internal Auditor as well as their annual compensation and salary adjustment.
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free, and unrestricted access to any and all of the organisation's functions, records, physical properties, personnel and to attend any committee forums pertinent to carrying out any engagement. All employees are required to assist the internal audit activity in fulfilling its roles and responsibilities.
The internal audit activity will have free and unrestricted access to the Chair of the Audit Committee and the Board, including in private meetings without management present. Any disagreement over the authority of internal audit will be referred to the Audit Committee Chairman for adjudication, with final appeal to the Board of Directors.
Independence and objectivity
The internal audit activity will remain free from interference by any element in the organisation, including in matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude. If internal audit determines that independence or objectivity may be impaired in fact or appearance, the Chief Internal Auditor will disclose the details of the impairment to the Audit Committee.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgement or independence.
The Chief Internal Auditor will confirm to the Audit Committee, at least annually, the organisational independence of the internal audit activity.
Scope of internal audit activities
Internal Audit operates as the third line of defence within the Group’s three lines of defence risk management framework.
The scope of the internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments on the adequacy and effectiveness of governance, risk management and control processes.
As a minimum, the scope will include:
- internal governance;
- the information presented to the Board and Executive management for strategic and operational decision making;
- the assessment of, and adherence to, risk appetite;
- the risk and control culture of the organisation;
- risks of poor customer treatment giving rise to conduct or reputational risk;
- capital, liquidity and other prudential regulatory risks;
- key corporate events; and
- the outcomes of processes.
Internal Audit Plan:
At least annually, the Chief Internal Auditor will submit to the Audit Committee a risk-based internal audit plan for review and approval. The impact of resource limitations will be communicated to the Audit Committee.
The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based methodology to independently assess the risks faced by the organisation, including input from senior management and the Audit Committee. Internal audit’s independent view will be informed, but not determined, by the views of management or the risk function. The audit plan will be reviewed and adjusted, as necessary, in response to changes in the Group’s business, risks, operations, programs, systems and controls. Any significant deviation from the approved internal audit plan will be communicated to senior management and the Audit Committee.
Delivery of the Plan:
The Chief Internal Auditor is responsible for delivering the audit plan, assessing the resources and skills required and recruiting and maintaining an in-house team with the right skills, knowledge and experience to challenge management or engaging co-source providers as appropriate.
Coordination with other assurance providers:
The Chief Internal Auditor will coordinate internal audit activities, where possible, with other internal and external assurance providers to prevent duplication of effort, and will consider where reliance on their work can be placed as needed.
Reporting and monitoring:
A written report will be prepared and issued by the Chief Internal Auditor or delegate following the conclusion of each internal audit engagement and will be distributed to the appropriate Executive and the Audit Committee.
The internal audit report will include management's response and corrective action to be taken in regard to the specific findings and recommendations. It will include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
Responsibility for ensuring appropriate corrective action is taken, or formal risk acceptance is obtained from the relevant governance body, lies with management. The internal audit activity will follow-up on audit findings and recommendations until remedial action is completed. All significant findings will remain on the Internal Audit Issue Tracker until cleared.
In addition, the Chief Internal Auditor will:
- periodically report to the Audit Committee on internal audit results and performance relative to the internal audit plan; and
- at least annually, provide an assessment of the overall effectiveness of the governance, and risk and control framework, together with an analysis of themes and trends emerging from Internal Audit work to the Audit Committee.
Any advisory work to help management develop an effective control framework is expected to be a small proportion of Internal Audit’s work.
Relationship with Regulators:
The Chief Internal Auditor will have an open, constructive and co-operative relationship with regulators that supports sharing of information relevant to carrying out their respective responsibilities.
The Chief Internal Auditor will maintain a quality assurance and improvement programme, commensurate with the size of the internal audit function and will periodically report the results to the Audit Committee.
The Chief Internal Auditor will provide a quality assurance oversight to evaluate the performance of Internal Audit to ensure a consistent approach and output from both in-house and co-source resources.
The Audit Committee will conduct an annual survey of Internal Audit’s effectiveness, completed by members of the Audit Committee and the Executive Committee.
The Audit Committee will commission an independent external assessment of Internal Audit, in line with the Chartered Institute of Internal Auditors’ Standards, at least once every five years.
This Charter was approved by the Group Audit Committee of OneSavings Bank plc and Charter Court Financial Services Group plc on 26 November 2019.