This Internal Audit charter defines the role, authority, independence, scope, roles and responsibilities of the Internal Audit function at OakNorth Bank plc. It is approved annually by the Board Audit Committee.
1.1 Business Context
Internal Audit is an independent function established by the Board Audit Committee of OakNorth Bank plc (the “Bank”) to assist the Board and Executive Management in protecting the assets, reputation and sustainability of the Bank. Internal Audit does this by assessing whether all significant risks are identified and appropriately reported; assessing whether they are adequately and effectively controlled; challenging Executive Management to improve the effectiveness of governance, risk management and internal controls; and by influencing senior management and the Executive with recommendations that will help the Bank achieve its strategic objectives.
Through delivering against this remit, Internal Audit will maintain an open, constructive and co-operative relationship with regulators; the appointed external auditors; internal control functions (such as Risk, Compliance and Finance); and with all management and employees of the Bank.
1.2 Regulatory Context
The key regulatory authorities that prescribe requirements and guidance for Internal Audit are the Prudential Regulatory Authority (PRA), the Financial Conduct Authority (FCA), the Financial Reporting Council (FRC) via the UK Corporate Governance Code and the Chartered Institute of Internal Auditors (IIA). In fulfilling its remit, Internal Audit will undertake its role in line with best practice principles and recognised standards as outlined by the IIA; specifically compliance at all times with the IIA’s code of professional conduct and code of ethics; the international standards for the professional practice of Internal Auditing; the IIA’s policy for continuing professional development and the IIA’s guidance on effective internal audit in financial services.
The Head of Internal Audit (HoIA) reports functionally to the Chairman of the Board Audit Committee and administratively to the Chief Executive Officer (CEO) for the Bank. This level of seniority within the organisation ensures the appropriate standing, access and authority to challenge the Executive.
Any breaches of this Charter must be reported to the Chairman of the Board Audit Committee and the Chief Risk Officer as appropriate.
A written report will be prepared and issued by the Head of Internal Audit following the conclusion of each Internal Audit engagement and will be distributed as appropriate. Internal Audit results will also be communicated to the Board Audit Committee.
The Internal Audit report may include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response, whether included within the original audit report or provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The Internal Audit function is responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The HoIA shall have no executive or managerial powers and duties within the Bank except those relating to the management of the Internal Audit function. The Internal Audit function will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit the maintenance of the necessary independence and objectivity. In addition, the Internal Audit function will have its own budget, which will be approved by the Board Audit Committee.
The Head of Internal Audit will report to the Board Audit Committee, at least annually at a meeting held without management being present, on the organisational independence of the Internal Audit function, its access to adequate resources and any issue he or she wishes to raise directly with the Committee.
The HoIA has the right to attend and participate in those meetings of the Board of Directors and Senior Management which relate to Internal Audit’s oversight responsibilities for credit and enterprise-wide risk management, financial reporting, organisational governance and control, and also in strategic planning meetings and other executive meetings. The HoIA is a standing invitee to the Asset and Liabilities Management Committee, Operations Committee, Credit Risk Management Committee, Executive Committee, Board Audit Committee, Board Credit Committee, Board Risk and Compliance Committee and the Board.
Internal Audit employees have unrestricted access to all Bank personnel, assets, information and systems, during the performance of audits specified in the annual plan and investigations approved by the HoIA and the Board Audit Committee. This includes the right to be informed proactively by management of any material decision or change, events and issues.
The Head of Internal Audit has direct and unrestricted access to the Chief Executive Officer and the Chairman of the Board Audit Committee.
Audit working papers and audit reports are the property of the Bank, and access to those working papers and reports requested by persons outside of the Bank is possible only with the prior approval of the Bank’s Board of Directors.
The scope of the Internal Audit function is unrestricted and covers all activities of the Bank, all areas of current and future risks within the Bank and an assessment of risk management and mitigation controls in the context of the current and expected business environment. In addition, Internal Audit includes within its scope:
In addition, Internal Audit may carry out special investigations or other assignments as required by the Chief Executive Officer or the Chairman of the Board Audit Committee and undertake work required by regulators or to validate regulatory reported matters as necessary. Lastly, Internal Audit may attend and observe all Executive and other Senior Management committee meetings in order to assess the identification, assessment and mitigation of any further or future significant risks that may arise.
Internal Audit activity does not substitute for controls executed by appropriate managers and controls executed by specialised divisions – responsibility for operational effectiveness rests with local management.
Roles and Responsibilities
The Head of Internal Audit
The HoIA in the discharge of his or her duties is responsible to the Board Audit Committee and to Executive Management and will:
The Chairman of the Board Audit Committee
The Chairman of the Board Audit Committee will:
The CEO is responsible for the day-to-day line management of the HoIA, taking into account input from the Chairman of the Board Audit Committee. This will include:
Quality assurance and improvement programme
The Internal Audit function will maintain a quality assurance and improvement programme that covers all aspects of the Internal Audit function. The programme will include an evaluation of the Internal Audit function’s conformance with the Definition of Internal Auditing and the International Standards, the IIA guidance and an evaluation of whether Internal Auditor(s) apply the Code of Ethics. The programme also assesses the efficiency and effectiveness of the Internal Audit activity and identifies opportunities for improvement.
The Head of Internal Audit will communicate to senior management and the Board Audit Committee on the Internal Audit function’s quality assurance and improvement programme, including results of ongoing internal assessments and external assessments conducted at least every five years.