Mission, purpose and scope
This Internal Audit Charter provides the framework for the conduct of the Internal Audit function in Julian Hodge Bank (“Hodge”). It has been created with the objective of formally establishing the purpose, authority and responsibilities of the Internal Audit function.
Mission
The primary role of Internal Audit is to provide independent assurance that Hodge’s risk management, governance and internal control processes are operating effectively and, in doing so, to help protect the assets, reputation and sustainability of an organisation.
The mission of an Internal Audit function (“Internal Audit”) is to provide independent, objective assurance and advice to assist senior management in appropriately managing the key risks to which the business is exposed. This activity aims to raise the bar in governance, risk and control standards through the provision of assurance and advice, anticipation of future trends and acceleration of organisational learning.
This will be achieved through a systematic approach to assessing the effectiveness of risk management, control and governance processes in monitoring, managing and mitigating the risks to the achievement of business objectives.
Nature and Purpose of Internal Audit
The purpose of the independent assurance function of Internal Audit is to evaluate whether the nature and extent of business risks are being managed effectively within the context of business objectives. Internal Audit provides risk focussed, proportionate and forward-looking assurance and insight. A system of internal control is one of the primary means of managing risk and consequently the evaluation of its effectiveness is central to Internal Audit’s responsibilities.
The system of internal control comprises the policies, procedures and practices, as well as organisational culture that collectively support the entity’s effective operation in the pursuit of its objectives. This system of internal control enables a business to respond to significant business risks, be they of an operational, financial, compliance or other nature, and is the direct responsibility of the Executive Directors and the Audit Committee.
Objectives and Responsibilities
Assessment of Risk
To develop and implement a process, based upon Internal Audit’s own view of the structure of the organisation, to independently assess all risks faced by the business on a regular basis. The risk assessment is updated on a sufficiently regular basis to ensure that the resulting assurance activity addresses all key risks on a timely basis and may take account of areas such as new or changing systems, business propositions, operations, and control processes coincident with their development, implementation, and/or expansion of the business or individual new products or systems. The risk assessment process may take account of the risk assessment performed by management but should not be influenced by it.
Internal Audit Plan
- Prepare an annual Internal Audit Plan, setting out the timing and scope for Internal Audit assignments. The Internal Audit Plan shall be based on the independent risk assessment process, identifying business objectives and key risks to the achievement of those objectives, including any risks or control concerns identified by management.
- The Internal Audit Plan shall be reviewed and approved by the Audit Committee and communicated to the Board. The Audit Committee shall satisfy itself that the Plan addresses controls covering all key business risks, on an appropriate frequency. Any changes to the Plan shall be discussed with the Chair of the Audit Committee and will be communicated to that Committee. Internal Audit is responsible for planning, conducting, reporting and following up on audit assignments.
- Implement the annual Internal Audit Plan as approved by the Audit Committee. Audit fieldwork will be conducted in a professional and timely manner.
- Regularly review the Internal Audit Plan to ensure that it takes account of new and emerging risks.
Review
- Review the adequacy of the design, implementation and operating effectiveness of controls established to manage the key risks identified and to ensure compliance with policies, plans, procedures and business objectives established by the Board.
- Review procedures and systems and propose improvements.
- Contribute to the development of significant projects by reviewing the project methodology and assessing whether appropriate controls are incorporated.
- Assess the effectiveness of business processes and operations and determine whether processes make economical and efficient use of resources.
Security
- Assess the safeguarding of assets, including intangible assets, and containment of liabilities.
- Evaluate information security and associated risk exposures.
- Evaluate the organisation’s readiness in case of business interruption.
Compliance
- Evaluate and provide reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organisation’s objectives and goals to be met.
- Evaluate the regulatory compliance program.
- Assess compliance with policies, plans, procedures, laws and regulations, including corporate governance requirements.
People
- Maintain a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter by engaging in continuous education and staff development.
- Team with other internal and external resources as appropriate.
Fraud
- Prepare Internal Audit Plans and design audit procedures with the objective of identifying any control weaknesses or deficiencies that, if not corrected, may give rise to a material risk of fraud and error.
- Assist in the investigation of significant suspected fraudulent activities within the organisation and notify management and the Audit Committee of the results.
Performance of the above may include periodic testing of transactions, comparisons against industry practice, special investigations, appraisals of regulatory requirements, and measures to help prevent and detect fraud. Internal Audit will support line managers in determining measures to remedy deficiencies in risk management and systems of control.
At the request of the Audit Committee, specific studies, tasks, ad hoc appraisals, investigations, reviews or projects may be carried out, subject to the agreement of appropriate additional engagement terms. In these cases appropriate safeguards must ensure internal audit independence.
Internal Audit will also perform retrospective or “lessons learned” reviews following any significant adverse events within the business. Where performed, such audits will consider the role of both the first and second lines of defence within the business, as well as Internal Audit’s own role. Such reviews will be approved by the Audit Committee before commencement.
The Audit Committee is responsible for assessing the effectiveness of Internal Audit on an annual basis and for helping to ensure that Internal Audit is afforded a sufficiently high standing within the organisation, necessary to achieve that effectiveness.
Internal Audit will have no direct responsibility or authority for any of the activities or operations they review. Internal Audit shall not develop or install procedures, prepare records or engage in activities that would likely be reviewed by Internal Audit. Furthermore, an internal audit does not in any way relieve other persons in the organisation or delegated parties / service providers of the responsibilities assigned to them.
Code of Ethics
Internal Audit has a responsibility to conduct themselves so that their integrity, objectivity, confidentiality and competency are not open to question. Standards of professional behaviour are based upon the Code of Ethics issued by the Chartered Institute of Internal Auditors (“CIIA”) – UK and Ireland. Internal auditors will:
- exercise honesty, objectivity and diligence in the performance of their duties and responsibilities;
- not knowingly be a party to any illegal or improper activity;
- promote appropriate ethics and values within the organisation;
- refrain from entering into any activity which may be in conflict with the interest of the organisation or which would prejudice their ability to objectively carry out their duties;
- decline to accept anything that may impair or be presumed to impair their professional judgment;
- be prudent in the use of information acquired in the course of their duties and not use confidential information for any personal gain or in a manner that knowingly would be detrimental to the welfare of the organisation;
- use reasonable care to obtain sufficient, factual evidence to support the conclusions drawn and, in reporting, reveal such material facts known to them which, if not revealed, could distort the report of the results of operations under review or conceal an unlawful practice; and
- engage only in those projects for which they have the necessary knowledge, skill and experience.
Compliance with Professional Internal Audit Standards
Internal Audit will operate in accordance with (1) the Global Internal Audit Standards (2024 version, effective date 9 January 2025) and (2) the requirements set out within the CIIA Code of Practice (formerly “Effective Internal Audit in the Financial Services sector”), both of which were issued by the Chartered Institute of Internal Auditors. The manner in which compliance is achieved (and details of any exceptions) are set out within a gap analysis contained within the annual Internal Audit Plan and subject to review and approval by the Audit Committee on an annual basis.
Authority and Access to Records, Personnel and Property
Internal Audit is established by, and its responsibilities are defined by, the Audit Committee, a sub-committee of the Board of Directors. Internal Audit is granted full, free, and unrestricted access to any and all records, information, physical properties and personnel relevant to any function or area within the business (including where such information is held by third parties). Internal Audit will ensure confidentiality is maintained in respect of all information and records obtained in the course of performing its duties.
Objectivity and Independence
Internal Audit is independent from the business and is directly responsible to the Chair of the Audit Committee with a day-to-day administrative reporting line to the Chief Executive and Chief Risk Officer. Internal Audit shall have free and unrestricted access to the Chair of the Board, the Chair of the Audit Committee and the Chief Executive.
Those working within Internal Audit are not permitted to perform day-to-day control procedures or take operational responsibility for any part of business operations outside Internal Audit. Management is responsible for the establishment and ongoing operation of the internal control system. The Audit Committee will review the scope and nature of the work performed by Internal Audit to confirm its independence.
Reporting and Communication
A draft audit report will be prepared at the conclusion of each audit and facts will be agreed with senior management. Management responses to findings and action plans will be agreed, including deadlines and identification of those responsible for implementation. Copies of all Audit Reports will be provided to the Chief Executive and the Chief Risk Officer in addition to the lead contact for each audit and those members of management to whom respective actions have been assigned, with summary reports presented to all members of the Audit Committee. Management is responsible for the closure of Internal Audit findings and for monitoring the timely completion of actions to address these findings. Internal Audit is responsible for the formal acceptance on a periodic basis of the closure of Internal Audit findings.
In addition, Internal Audit will:
- report to the Audit Committee on a periodic basis regarding progress against the Internal Audit Plan and to present the results of Internal Audit work performed. Internal Audit will issue quarterly reports to the Audit Committee summarising results of audit activities;
- maintain open communication and inform the Audit Committee and Management of emerging trends and best practices in internal auditing;
- liaise on an ongoing basis with the compliance function, external audit and other parties as appropriate to ensure proper coverage and avoid unnecessary duplication of effort;
- track audit recommendations to resolution and report progress to the Audit Committee; and
- report risk management issues and internal controls deficiencies identified directly to the Audit Committee and provide recommendations for improving the organisation’s operations, in terms of both efficient and effective performance.
Internal Audit will provide an annual conclusion to the Audit Committee on:
- the risk management, governance and control framework in place within the organisation;
- the consistency of application of the risk governance framework within the organisation during the year; and
- the independence and objectivity of the Internal Audit function, as well as the adequacy of resourcing from a headcount and skillset perspective.
Relationship with other Assurance Functions and Regulators
Internal Audit will exercise informed judgment to determine how much reliance can be placed on the work of other assurance functions and providers and will thoroughly evaluate the effectiveness of any other assurance provider before placing reliance on their assessments and conclusions.
The external auditors fulfil a statutory duty. Effective collaboration between internal audit and the external auditors is imperative to ensure effective and efficient audit coverage and resolution of issues of mutual concern. Internal audit ensures that internal control issues raised by the external auditors are addressed. Internal and external audit meet annually, upon request from management or external audit, to:
- plan the respective internal and external audits;
- discuss potential issues arising; and
- provide effective audit coverage to the organisation at reasonable cost.
Internal Audit will establish and maintain a close and continuous relationship with applicable regulatory authorities, as is deemed necessary and appropriate.
Service Standards
We undertake to meet the following service levels:
- prior to commencing an audit, we will have a discussion with the member of senior management responsible for the business area to assess the audit scope and any issues that management are aware of. We will give at least two weeks’ notice before commencing our work;
- we will notify management immediately of any significant concerns arising from our work;
- we will agree the accuracy of the points raised, initially with management and then formally at the close meeting prior to the issue of a draft report;
- we will hold a close meeting at the end of our fieldwork visit;
- we will issue a draft report within a timetable agreed with audit stakeholders following audit fieldwork, subject to ensuring that Audit Committee reporting deadlines are met;
- following the issuance of a draft report, management responses will be agreed within two working weeks (subject to the timing of any internal Board or Board subcommittee meetings where necessary to agree those responses);
- we will issue the final report within a further working week of agreeing final management responses; and
- all final audit reports will be issued in accordance with management’s internal timetable for the finalisation of papers before each Audit Committee meeting.
Quality Assurance and Continuous Improvement
Internal Audit strives to deliver high quality assurance and insight to the Audit Committee and management at all times. The quality of Internal Audit reporting is assured through (1) the involvement of specialists in delivery of relevant areas of the Internal Audit Plan, (2) the application of a robust review process prior to the issue of any Internal Audit reports or conclusions and (3) the performance of an independent Internal Audit Quality Assessment once every three years, the results of which and an action plan to address any issues identified are shared with the Audit Committee.
Internal Audit aim to continuously improve methodology, procedures, technologies and quality. This is achieved through regular review of industry developments and emerging audit technologies, as well as the application of “lessons learnt” from recent Internal Audit delivery, including the outcome of the independent Internal Audit Quality Assessment process outlined above.
Management Responsibilities
It is the responsibility of management to identify, understand and manage risks effectively, including taking appropriate and timely action in response to Internal Audit findings and conclusions. It is also management’s responsibility to maintain a sound system of internal control. The existence of an Internal Audit function does not, in any way, remove or reduce these responsibilities.
Management are also responsible for fraud prevention and detection. In delivering Internal Audit activities, Internal Audit will be alert to the potential existence of fraud and weaknesses in internal control which would permit fraud to occur or would impede its detection. However, Internal Audit do not assume any management responsibility in relation to fraud prevention or detection.