Internal Audit Charter

This Charter formally establishes Group Internal Audit’s mandate, which specifies the purpose, authority and responsibilities of the internal audit function. Annual approval of the Charter rests with the Group Audit Committee on behalf of the Board. This Charter applies to OSB GROUP PLC and its subsidiaries (together, the Group).

Purpose

Group Internal Audit (GIA) strengthens the Group’s ability to create, protect, and sustain value by providing the Board and management with independent, risk-based and objective assurance, advice, insight and foresight.

The team assists the Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the governance, risk management and internal controls.

Authority

GIA’s authority is received from the Group Audit Committee (GAC). With strict accountability for confidentiality and safeguarding records, it gives the team unrestricted access to any and all of the Group’s records, personnel, property, and management information, as well as the right to attend any committee forums pertinent to carrying out any engagement.

The Group Chief Internal Auditor reports directly to the Chair of the GAC and administratively to the Chief Executive Officer. Communication directly with the GAC is expected, including in private meetings without management present. GAC authority and responsibilities are reflected within the GAC Terms of Reference.

Senior management is engaged in discussing the Audit Charter and providing feedback on GIA activities.

Independence and objectivity

GIA’s work is performed free from interference, including in matters of audit selection, scope or report content to enable independence and objectivity to be maintained. If GIA determines that independence or objectivity may be impaired in fact or appearance, or there has been an attempt to unduly influence the auditors, the Group Chief Internal Auditor will disclose this to the GAC.

GIA commits that the team will exhibit professional objectivity and make balanced assessments of all available and relevant facts and circumstances about the activity or process.

It will have no direct operational responsibility or authority over any of the activities audited. Accordingly, it will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair its judgement or independence.

The Group Chief Internal Auditor will confirm to the GAC, at least annually, the organisational independence of the internal audit activity.

Role and Scope

GIA operates as the third line within the Group’s three lines of defence risk management framework.

The role of GIA is to perform independent assessments of the adequacy and effectiveness of governance, risk management and internal controls performed by the first and second lines within the Group. If areas of efficiency are identified, these will be disclosed to management.

As a minimum, the scope will include:

  • internal governance.
  • the processes, controls, and information presented to the Board and Executive management for strategic and operational decision making.
  • the assessment of, and adherence to, risk appetite.
  • the risk and control culture of the organisation, including the adequacy and effectiveness of the risk management, compliance, finance and other control functions.
  • risks of poor customer outcomes.
  • solvency, liquidity and other prudential regulatory risks.
  • environmental sustainability, climate change risks and social issues.
  • financial crime, economic crime and fraud.
  • technology, cyber, digital and data risks.
  • key corporate and external events, and
  • the outcomes of processes.

GIA may occasionally provide advisory services, such as advice on programmes of activities, policies, or business processes to help management develop an effective control framework. In addition, GIA may, when requested, support investigations arising from whistleblowing disclosures.

During these activities, GIA will not be involved in designing controls to be implemented by the Group and neither will GIA provide sign off on projects. This will ensure the team maintains its independence for future audits.

Responsibility

The Group Chief Internal Auditor has responsibility to:

  • ensure the principles and standards in the Ethics and Professionalism domain of the Global Internal Audit Standards are applied and upheld by GIA
  • produce a risk-based Internal Audit plan, together with any changes in resource or budget required to deliver it, that will be submitted for approval to the GAC each year
  • review and adjust the Internal Audit plan, as necessary, in response to changes in the Group’s strategic priorities, risks, operations, systems and controls. Any material deviation from the approved internal audit plan will be communicated to the GAC
  • deliver the audit plan, assessing the resources, tools and technologies, and skills required, and recruiting and maintaining an in-house team with the right skills, knowledge and experience to challenge management or engage co-source subject matter experts as appropriate
  • prepare a written report following each audit that contains key findings (including root cause) and a summary of the corrective action agreed with management, together with a target date for completion. Final reports will be issued to the responsible Executive and GAC
  • monitor the follow-up action undertaken by management to remedy weaknesses identified by GIA, ensuring that action taken is sufficiently timely and that controls introduced are operating as intended to mitigate the risk
  • provide periodic reports to GAC summarising the status of the audit plan, the results of audit activities and details of significant issues identified
  • provide GAC with an annual opinion on the Group Chief Internal Auditor’s assessment of the overall effectiveness of the governance, risk and control arrangements; their conclusion on whether the risk appetite framework is being adhered to; any significant control weaknesses, thematic issues, or trends emerging from GIA activities and their impact on the Group’s overall risk profile, and
  • confirm to the GAC on an annual basis that GIA’s work has been performed in compliance with the IIA Standards and how the UK Code principles have been applied and disclose any material deviations as required.

Co-operation

The Group Chief Internal Auditor has an open, constructive and co-operative relationship with all regulators that supports sharing of information relevant to carrying out their respective responsibilities.

In addition, there is a high degree of co-operation between GIA and the Group’s Risk and Compliance functions, third party providers and the external auditors, which will include the exchange of relevant information, in order to maximise efficiency and avoid duplication where possible.

Quality assessment and improvement programme

The Group Chief Internal Auditor will maintain, and periodically report to GAC and senior management on, a quality assessment and improvement programme which meaningfully challenges GIA’s performance and adherence to its methodology and industry standards.

The GAC will:

  • conduct an annual survey of GIA’s effectiveness, completed by members of the GAC and the Group Executive Committee; and
  • commission an independent external quality assessment, in line with the Chartered Institute of Internal Auditors’ Standards, at least once every five years.

Standards

GIA will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, and the Chartered Institute of Internal Auditors UK Code.

In addition, GIA staff must comply with the Group’s policies and procedures and possess the knowledge, skills and discipline necessary to discharge their responsibilities.

This Charter was approved by the Group Audit Committee of OSB GROUP PLC and its subsidiaries on 23 September 2025.