
Article (4): Internal Audit Function

C 161/2018 STA

1. The internal audit function must be accountable to the Board or the Board audit committee on all matters related to the performance of its mandate as described in the internal audit charter.

2. The internal audit function must independently evaluate the:

  a. Effectiveness and efficiency of internal control, risk management, and compliance systems;
  b. Reliability and integrity of management information systems and processes;
  c. Compliance with laws, regulations, standards and the instructions of the Central Bank; and
  d. Safeguarding of assets.

3. The Board and Senior Management must respect and promote the independence of the internal audit function by ensuring that internal audit reports are provided to the Board or the Board audit committee without management filtering, and that the internal audit function staff have direct access to the Board or the Board audit committee. The Central Bank may request to receive internal audit reports.

4. The internal audit reports must contain the auditee’s response, clearly indicating the auditee’s acceptance or non-acceptance of the internal audit finding. If accepted by the auditee, a justifiable reason for non-performance and the corresponding action plan must be provided, stating the completion time frame and responsible body for implementation. If not accepted by the auditee, a justifiable reason with supporting evidence must be provided for the finding’s re-consideration during an escalation procedure.

5. The Board audit committee must ensure that the head of internal audit is a person of integrity and seniority in the Bank to credibly challenge the business units, support and other control functions of the Bank and, if applicable, Group. He/she must be a very well qualified person, academically or through a professional qualification, with a working experience of not less than 5 years in auditing of banking or financial business.

6. The head of internal audit and all internal audit function staff must avoid conflicts of interest. Internally recruited internal audit function staff must not engage in auditing activities for which they have had previous responsibility before a “cooling-off” period of at least one full financial year has elapsed. Staff rotations within the internal audit function, as well as to and from the internal audit function, must be governed by and conducted in accordance with a written policy. The policy should be designed to avoid conflicts of interest, including the observance of an appropriate “cooling-off” period following an individual's return to the internal audit staff, before that individual audits activities in the functional area of the Bank where his/her rotation had been served.

7. The head of internal audit is responsible for acquiring human resources with sufficient qualifications and skills to effectively deliver on the mandate for professional competence, and to audit to the required level. The head of internal audit must ensure that the internal audit function staff acquires appropriate ongoing training in order to meet the growing technical complexity of Banks’ activities, and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes within Banks and other developments in the financial sector.

8. The internal audit function staff collectively must be competent to examine all areas in which the Bank operates. The competencies and expertise of the overall internal audit function staff (skill mix) must include accounting, compliance checking, treasury management, information technology and strategic thinking. The internal audit function staff must apply the care and skills expected of a reasonably prudent and competent professional and, in case of limited competence and experience in a particular area, must be supervised by more experienced internal audit function staff.

9. The internal audit function staff must respect the confidentiality of information acquired in the course of their duties.

10. Senior Management must inform the internal audit function of new developments, initiatives, projects, products and operational changes, and ensure that all associated risks, known and anticipated, are identified and communicated at an early stage.

11. On the basis of the audit plan, the internal audit function must be able to perform its assignments on its own initiative in all areas and functions of the Bank. The internal audit function must not be involved in designing, selecting, implementing or operating specific internal control measures. Senior Management may request advice from internal audit on matters related to risk and internal controls, nevertheless, the development and implementation of internal controls remains the responsibility of Senior Management.

12. The oversight function of the Board audit committee includes reviewing and approving the internal audit plan, its scope and the budget for the internal audit function. The plan must be based on a robust risk assessment (including input from Senior Management and the Board) and updated at least annually (or more frequently to enable an ongoing real-time assessment of where significant risks lie).

13. The Board or the Board audit committee must assess, at least annually, the performance of the internal audit function. This must include an independent external quality assurance review of the internal audit function at least once every five years.

14. The Bank’s internal audit charter must be drawn up and reviewed at least every 3 years by the head of internal audit, and approved by the Board audit committee. The charter must be available both internally and publicly on the Bank’s internet website.

15. Topics which must be addressed in the internal audit charter include, but are not limited to:

  a. The internal audit function’s standing within the Bank, its authority, its responsibilities and its relations with other control functions;
  b. The purpose and scope of the internal audit function;
  c. The responsibility and accountability of the head of internal audit;
  d. The obligation to communicate the results of the internal audit function’s engagements and a description of its reporting line to the Board;
  e. The terms and conditions under which the internal audit function can be called upon to provide consulting or advisory services, or carry out other special tasks;
  f. The requirement to comply with the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing, including the IIA’s Code of Ethics; and
  g. Procedures for the coordination of the internal audit function with the external auditor.

16. The scope of internal audit activities must include the evaluation of the effectiveness and efficiency of the internal control system, risk management and compliance functions, and governance systems and processes of the entire Bank, including the Bank’s Subsidiaries and branches. In particular, the annual audit plan must adequately cover risk measurement and management processes and methodologies, including risk appetite framework elements such as risk limit breaches and internal models.

17. Every activity, including outsourced activities, and every entity controlled by the Bank, or if applicable Group, must fall within the scope of the internal audit function.

18. The scope must also ensure adequate coverage of matters of regulatory interest. Matters of regulatory interest that must receive particular attention in the internal audit plan include, but are not limited to, the internal capital and liquidity adequacy assessment processes, quality of risk reporting to the Board and Senior Management, regulatory compliance and reporting to the Central Bank. Within a banking Group, the annual audit plan must include the assessment of the alignment between the organization of control functions at Group level and the way that control functions operate at entity level.

19. Senior Management is responsible for implementing and maintaining an adequate and effective internal control system and processes. Therefore the internal audit function must inform Senior Management promptly of all significant findings so that timely corrective actions can be taken. Subsequently, the internal audit function must follow up with Senior Management on the outcome of these corrective actions. The head of internal audit must report to the Board audit committee the status of findings that have not (yet) been rectified by Senior Management.

20. The Board audit committee must review internal audit reports, including the response and follow-up by Senior Management, to ensure that timely and effective actions are taken to address internal audit findings, particularly control weaknesses or deficiencies in risk management and compliance.

21. A consistent approach to internal audit across the Group may be achieved through the establishment of a Group internal audit function accountable to the board of the Controlling Shareholder, or through internal audit functions established in each entity (or branch) and accountable to those entities’ boards of directors, and also reporting to the Group Head of Internal Audit.

22. It is recommended that Banks perform internal audit activities using their own staff. However, outsourcing of internal audit activities, but not the function, on a limited and targeted basis can be used to provide access to specialized expertise and knowledge for an internal audit engagement where the expertise is not available in house, or to address resource constraints. The Board remains ultimately responsible for the internal audit function regardless of whether internal audit activities are outsourced.

23. The head of internal audit must preserve independence by ensuring that the supplier has not been previously engaged in a consulting engagement in the same area within the Bank, unless a reasonably long “cooling-off” period has elapsed (e.g. of at least one full financial year). In addition, Banks must not outsource internal audit activities to their external audit firm.

24. The head of internal audit at the level of the Controlling Shareholder must define the Group’s internal audit strategy, determine the organization of the internal audit function both at the Controlling Shareholder and Subsidiary levels (in consultation with these entities’ respective Boards and in accordance with local laws), and formulate the internal audit principles that include the audit methodology and quality assurance measures. The Group’s internal audit function must determine the audit scope for the Bank. In doing so, it must comply with local legal and regulatory provisions, and incorporate local knowledge and experience.