Internal Audit Charter

1. Introduction

This Internal Audit charter defines the mandate, role, authority, independence, scope, roles, and responsibilities of the Internal Audit function at OakNorth Bank. It is approved annually by the Board Audit Committee.

1.1 Business Context

Internal Audit is an independent function established by the Board Audit Committee of OakNorth Bank plc (the “Bank”) to assist the Board and Executive Management in strengthening the organization’s ability to create, protect, and sustain value by providing independent, risk-based, and objective assurance, advice, insight, and foresight. In doing so, the function helps the Bank to achieve its objectives.

Internal Audit does this by assessing whether all significant risks are identified and appropriately reported; assessing whether they are adequately and effectively controlled; challenging Executive Management to improve the effectiveness of governance, risk management and internal controls; and by influencing senior management and the Executive with recommendations that will help the Bank achieve its strategic objectives.

Through delivering against this remit, Internal Audit will maintain an open, constructive, and co-operative relationship with regulators; the appointed external auditors; internal control functions (such as Risk, Compliance and Finance); and with all management and employees of the Bank.

1.2 Regulatory Context

The key regulatory authorities that prescribe requirements and guidance for Internal Audit are the Prudential Regulatory Authority (PRA), the Financial Conduct Authority (FCA), the Financial Reporting Council (FRC) via the UK Corporate Governance Code and the Chartered Institute of Internal Auditors (IIA).

In fulfilling its remit, Internal Audit will undertake its role in line with best practice principles and recognised standards as outlined by the IIA; specifically, compliance at all times with the Global Internal Audit Standards; the IIA’s policy for continuing professional development and the IIA’s guidance on effective internal audit in financial services.

2. Reporting

The Head of Internal Audit (HoIA) reports functionally to the Chair of the Board Audit Committee and administratively to the Chief Executive Officer (CEO) for the Bank. This level of seniority within the organisation ensures the appropriate standing, access, and authority to challenge the management’s judgements.

Any breaches of this Charter must be reported to the Chair of the Board Audit Committee.

Internal Audit undertakes both assurance and advisory engagements; the type of engagement is identified in the audit plan. A written report and opinion will be prepared and issued by the Head of Internal Audit following the conclusion of each Internal Audit assurance engagement and will be distributed as appropriate. For advisory engagements, which may be produced under ‘agreed upon procedures’, a report will also be produced. All Internal Audit results will be communicated to the Board Audit Committee.

The Internal Audit report will include management’s response and corrective action taken or to be taken regarding the specific findings and recommendations. Management’s response, whether included within the original audit report or provided thereafter (i.e., within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

If management does not agree with the engagement results, the HoIA will discuss them and try to reach a mutual understanding. If a mutual understanding cannot be reached, Internal Auditors are not obligated to change any portion of the engagement results unless there is a valid reason to do so. Internal Audit will highlight such differences and the reasons for them in the final engagement report.

The Internal Audit function is responsible for appropriate follow-up on engagement findings and recommendations. All findings will remain in an open issues file until cleared. Internal Audit will regularly report audit issue status to management and the Board Audit Committee highlighting any overdue issues.

3. Independence

The HoIA shall have no executive or managerial powers and duties within the Bank except those relating to the management of the Internal Audit function. The Internal Audit function will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit the maintenance of the necessary independence and objectivity. In addition, the Internal Audit function must have its own resource plan, which will be approved annually by the Board Audit Committee.

The HoIA will report to the Board Audit Committee, at least annually at a meeting held without management being present, on the organisational independence of the Internal Audit function, its access to adequate resources and any issue she or he wishes to raise directly with the Committee.

4. Authority

The HoIA has the right to attend and participate in those meetings of the Board of Directors and Senior Management which relate to Internal Audit’s oversight responsibilities for credit and enterprise-wide risk management, financial reporting, organisational governance, and control, and in any strategic planning and other executive meetings. The HoIA is a standing invitee to the Asset and Liabilities Management Committee, Operations Committee, ISMS Committee, Executive Risk Committee, Reserve Adequacy Committee, Credit Risk Management Committee, monthly Executive Leadership Team, Board Audit Committee, Board Credit Committee and Board Risk and Compliance Committee. The HoIA will attend the Board as required.

Internal Audit employees have unrestricted access to all Bank personnel, assets, information, and systems, during the performance of audits specified in the annual plan and investigations approved by the HoIA, the CEO or the Chair of the Board Audit Committee. This includes the right to be informed proactively by management of any material decision or change, events, and issues.

The HoIA has direct and unrestricted access to the Chief Executive Officer and the Chair of the Board Audit Committee.

5. Scope

The scope of the Internal Audit function is unrestricted and covers all activities of the Bank, all areas of current and future risks within the Bank and an assessment of risk management and mitigation controls in the context of the current and expected business environment. In addition, Internal Audit includes within its scope:

  • An assessment of the design adequacy and operating effectiveness of the Bank’s governance, risk management and controls, to provide independent assurance that they are in line with the strategic objectives, risk appetite and values of the Bank.
  • Management’s control awareness (at all levels of management) and approach to addressing known issues.
  • Whether the key risks to the organisation have been identified and how effectively these are being managed – this includes capital, liquidity, regulatory and reputational risks as well as key corporate events.
  • The information presented to the Board and Executive Management for strategic and operational decision making and whether this information fairly represents the benefits, risks and assumptions associated with strategy and corresponding business plans.
  • An evaluation of risks associated with poor customer treatment or outcomes, giving rise to conduct and reputational risk and determine whether the Bank is acting with integrity in its dealings with customers.
  • Whether Business and Risk Management are adequately designing and controlling products, services and supporting processes in line with customer interests and conduct regulation; and
  • Thematic coverage across consumer duty, model risk, material outsourcing, ethics, risk culture, fraud, and regulatory reporting as appropriate of the pervasive control environment within OakNorth Bank plc.
  • While always maintaining an independent plan, the Head of Internal Audit will collaborate with the risk function to ensure that combined assurance activity is efficient and allows for effective coverage of OakNorth’s risk inventory.

In addition, Internal Audit may carry out special investigations or other assignments as required by the Chief Executive Officer or the Chair of the Board Audit Committee and undertake work required by regulators or to validate regulatory reported matters as necessary. Internal auditors are expected to apply and conform with the Global Internal Audit Standards when performing engagements, whether they are providing assurance or advice, except when otherwise specified in individual standards.

Through assurance services, internal auditors provide objective assessments of the differences between the existing conditions of an activity under review and a set of evaluation criteria. Internal auditors evaluate the differences to determine whether there are significant findings and to provide an engagement conclusion about the findings when viewed collectively. Assurance services are intended to provide confidence about governance, risk management, and control processes to the organization’s stakeholders, especially the board, senior management, and the management of the activity under review.

Internal auditors may perform advisory engagements and other advisory activities at the request of the board, senior management, or the management of an activity. The nature and scope of advisory services are subject to agreement with the party requesting the services (‘agreed upon procedures’). Examples of advisory engagements include internal auditors providing advice on the design of processes or systems or the development and implementation of new policies. When performing advisory services, internal auditors maintain objectivity by not taking on management responsibility.

Lastly, Internal Audit may attend and observe all Executive and other Senior Management committee meetings to assess the identification, assessment, and mitigation of any further or future significant risks that may arise.

Internal Audit activity does not substitute for controls executed by appropriate managers and controls executed by specialised divisions; responsibility for operational effectiveness rests with local management.

6. Roles and Responsibilities

6.1 The Head of Internal Audit

The HoIA in the discharge of his or her duties is responsible to the Board Audit Committee and to Executive Management and will:

  • Develop a risk-based Audit Plan using an appropriate risk-based methodology and in line with the Internal Audit methodology and the Internal Audit manual.
  • Ensure adequate and appropriately skilled resources are available to deliver the Internal Audit plan. Additional resources will be made available through an Internal Audit co-source arrangement as and when required.
  • Maintain the Internal Audit methodology and deliver the audit plan in accordance with it.
  • Report to the auditee on a timely basis on completion of each audit.
  • Follow-up on audit findings to provide assurance that any identified weaknesses and corresponding actions have been addressed.
  • Implement a quality assurance and improvement programme that covers all aspects of Internal Audit activity.
  • Maintain a close and collaborative working relationship with the Bank’s Risk and Compliance functions sharing risk and control information as necessary.
  • Liaise with the external auditors and other providers of assurance (primarily Risk and Compliance) to co-ordinate planning and share results of any audit work; and
  • Provide a periodic (at least quarterly) audit report and an annual report for presentation to the Board Audit Committee at its formal meetings throughout the year. This report is to include the status of the Audit Plan, any proposed amendments to the plan, the results of all audit activities and details of any significant issues identified.
  • Submit an annual self-assessment report to BAC on Internal Audit effectiveness and its compliance with applicable external benchmarks incl. CIIA, IPPF, ICSA and BCBS.
  • Ensure the independence and objectivity of the function, in particular to manage the potential for conflict between advisory and assurance engagements. The Head of Audit will do this by ensuring staff providing advice on an area are not responsible for also providing assurance over that area.

6.2 The Chair of the Board Audit Committee

The Chair of the Board Audit Committee will:

  • Review and provide input to the CEO on the HoIA’s performance objectives and monitor performance against these with both the CEO and the HoIA.
  • Review and approve the HoIA’s annual pay and reward package to be proposed to the Board Remuneration Committee (as per the IIA guidance).
  • Assist in the resolution of any conflicting priorities that may arise.
  • Ensure the HoIA has support in securing adequate resources to deliver the Internal Audit plan and discharge the Internal Audit function’s duties.
  • Annually review and approve the Internal Audit function’s Resource Plan.
  • Monitor and review the effectiveness of the Internal Audit function.
  • Challenge and approve the annual Internal Audit plan.
  • Challenge and review all reports submitted to the Board Audit Committee and in turn challenge management on the effectiveness of delivering an adequate risk and control environment for the Bank where significant issues have been identified; and
  • Approve the appointment and termination of appointment of the HoIA.

6.3 The CEO

The CEO is responsible for the day-to-day line management of the HoIA considering input from the Chair of the Board Audit Committee. This will include:

  • Recommending the HoIA’s annual pay and reward package.
  • Setting work priorities and assisting in the resolution of any conflicting priorities that may arise; and
  • Approving the contract for the engagement of third-party suppliers of co-sourced Internal Audit services.

7. Quality Assurance and Improvement Programme

The Internal Audit function will maintain a quality assurance and improvement programme that covers all aspects of the Internal Audit function. The programme will include an evaluation of the Internal Audit function’s conformance with the Global Internal Audit Standards. The programme also assesses the efficiency and effectiveness of the Internal Audit activity and identifies opportunities for improvement.

The Head of Internal Audit will communicate to senior management and the Board Audit Committee on the Internal Audit function’s quality assurance and improvement programme, including results of ongoing internal assessments and external assessments conducted at least every five years. The very first External Quality Assurance (EQA) for the Bank was completed in May 2020 by CIIA (UK). The overall opinion was that OakNorth Bank internal audit “generally conforms” to all applicable standards of the IPPF, with a strong level of conformance to the IIA Standards and accorded the highest rating as per the global IIA grading definitions. They also confirmed that the IA’s practices demonstrate compliance with the FS Code.

8. Publicity

This Internal Audit charter will be published on the Bank’s website and accessible to all.

Updated 09/04/2025