The Board is responsible for ensuring that the Bank, and if applicable, Group, must have an independent, permanent and effective internal audit function commensurate with the size, nature of operations and complexity of its organization.
The internal audit function must provide independent assurance to the Board and Senior Management on the quality and effectiveness of the Bank’s internal controls, risk management, compliance, corporate governance, and the systems and processes created by the business units, support and control functions.
The internal audit function must report to the Board or the Board audit committee.
The internal audit function must be independent of the audited activities and have a sufficient standing and authority within the Bank, thereby enabling the internal auditors to carry out their assignments with objectivity.
The internal audit function must have full access to and communication with any member of staff as well as full access to records, files or data of the Bank, and if applicable Group and Affiliates, whenever relevant to the performance of its duties.
The staff within the internal audit function must be sufficient, competent and collectively have the appropriate experience to understand and evaluate all of the business activities, support and control functions of the Bank, and if applicable, Group.
The head of internal audit must ensure that the function complies with the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing.
Banks must have an internal audit charter approved by the Board audit committee, that articulates the purpose, standing and authority of the internal audit function within the Bank, and if applicable, Group.
The internal audit function must have an annual internal audit plan approved by the Board audit committee that allocates resources based on its own risk-based assessment employing a methodology that identifies the material risks run by the Bank, and if applicable Group.
Senior Management must inform the internal audit function on a timely basis of any changes to the Bank’s, or if applicable, Group’s, risk governance framework.
Senior Management must ensure that timely and appropriate actions be taken on all internal audit findings and recommendations.
Banks, for which the Central Bank is the primary regulator, having significant Group relationships including Subsidiaries, Affiliates, or international branches, must ensure a consistent approach to internal audit across the Group.