Mission, purpose and scope
This Internal Audit Charter provides the framework for the conduct of the Internal Audit function in Hodge Limited (“Hodge”), consisting of two subsidiaries, Julian Hodge Bank Limited (“Hodge Bank”) and Hodge Life Assurance Company Limited (“Hodge Life”), and has been approved by the Audit Committee. It has been created with the objective of formally establishing the purpose, authority and responsibilities of the Internal Audit function.
Internal Auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organisation’s operations and to protect the assets, reputation and sustainability of the organisation. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
Purpose of Internal Audit
The purpose of the independent assurance function of Internal Audit is to evaluate whether the nature and extent of business risks are being managed effectively within the context of business objectives. A system of internal control is one of the primary means of managing risk and consequently the evaluation of its effectiveness is central to Internal Audit’s responsibilities.
The system of internal control comprises the policies, procedures and practices, as well as organisational culture that collectively support the entity’s effective operation in the pursuit of its objectives. This system of internal control enables a business to respond to significant business risks, be they of an operational, financial, compliance or other nature, and is the direct responsibility of the Executive Directors and the Audit Committee.
All of Hodge’s activities (including outsourced activities) and legal entities are within the scope of Internal Audit. Internal Audit determines what areas within its scope should be included within the annual audit plan by adopting an independent risk-based approach. Internal Audit does not necessarily cover all potential scope areas every year. The audit program includes obtaining an understanding of the processes and systems under audit, evaluating their adequacy, and testing the operating effectiveness of key controls. Internal Audit can also, where appropriate, undertake special investigations and consulting engagements at the request of the Audit Committee, senior management and regulators.
Authority, responsibility and independence
The Internal Audit function of Hodge derives its authority from the Board through the Audit Committee. The Head of Internal Audit is authorised by the Audit Committee to have full and complete access to any of the organisation’s records, properties and personnel. The Head of Internal Audit is also authorised to designate members of the audit staff to have such full and complete access in the discharging of their responsibilities and may engage experts to perform certain engagements which will be communicated to management. Internal Audit will ensure confidentiality is maintained over all information and records obtained in the course of carrying out audit activities. Internal Audit has the right to attend and observe all of Hodge’s Board Committee and Executive Committee meetings in order to validate key decision-making processes as required.
The Head of Internal Audit is responsible for preparing the annual audit plan in consultation with the Audit Committee and senior management, submitting the audit plan, internal audit budget, and resource plan for review and approval by the Audit Committee, implementing the approved audit plan, and issuing periodic audit reports on a timely basis to the Audit Committee and senior management.
The Head of Internal Audit is responsible for ensuring that the Internal Audit function has the skills and experience commensurate with the risks of the organisation. The Audit Committee should make appropriate inquiries of management and the Head of Internal Audit to determine whether there are any inappropriate scope or resource limitations.
It is the responsibility of management to identify, understand and manage risks effectively, including taking appropriate and timely action in response to audit findings. It is also management’s responsibility to maintain a sound system of internal control and improvement of the same. The existence of an Internal Audit function, therefore, does not in any way relieve them of this responsibility.
Management is responsible for fraud prevention and detection. As Internal Audit performs its work programs, it will be observant of manifestations of the existence of fraud and weaknesses in internal control which would permit fraud to occur or would impede its detection.
At the request of the Audit Committee, specific studies, tasks, ad hoc appraisals, investigations, reviews or projects requested may be carried out, subject to the agreement of appropriate additional engagement terms In these cases appropriate safeguards must ensure internal audit independence.
Internal Audit may also perform retrospective or “lessons learned” reviews following any significant adverse events within the business. Where performed, such audits will consider the role of the both the first and second lines of defence within the business, as well as Internal Audit’s own role. Such reviews will be approved by the Audit Committee before commencement.
The Board Audit Committee is responsible for assessing the effectiveness of Internal Audit on an annual basis and in assisting to ensure that Internal Audit is afforded a sufficiently high standing within the organisation, necessary to achieve that effectiveness.
Deferment of internal audit reviews
Management requests to defer an audit review between quarters should be discussed with the Head of Internal Audit at the earliest opportunity. The Head of internal Audit will discuss all requests with the chair of the audit committee in order to confirm the most appropriate response to such requests.
Internal Audit staff will remain independent of the business and they shall report to the Head of Internal Audit who, in turn, shall report functionally to the Audit Committee and administratively to the Chief Executive Officer.
Internal Audit staff shall have no direct operational responsibility or authority over any of the activities they review. Therefore, they shall not develop nor install systems or procedures, prepare records or engage in any other activity which they would normally audit. Internal Audit staff with real or perceived conflicts of interest must inform the Head of Internal Audit, then the Audit Committee, as soon as these issues become apparent so that appropriate safeguards can be put in place.
Professional competence and due care
The Internal Audit function will perform its duties with professional competence and due care. Internal Audit will adhere to the Definition of Internal Auditing, Code of Ethics and the Standards for the Professional Practice of Internal Auditing that are published by the Institute of Internal Auditors.
Internal Audit will also adhere to the recommendations from the Committee on Internal Audit Guidance for Financial Services (Effective Internal Audit in the Financial Services Sector) published in September 2017.
Reporting and monitoring
At the end of each audit, the Head of Internal Audit or designee will prepare a written report and distribute it as appropriate. Management responses to findings and action plans will be agreed, including deadlines and identification of those responsible for implementation. Copies of all Audit Reports will be provided to the Chief Executive and the Chief Risk Officer in addition to the lead contact for each review and those members of management to whom respective actions have been assigned. Management is responsible for the closure of Internal Audit findings and for monitoring the timely completion of actions to address these findings Internal Audit is responsible for the formal acceptance on a periodic basis of the closure of Internal Audit findings.
The Audit Committee will be updated regularly on the work of Internal Audit through periodic and annual reports. The Head of Internal Audit shall prepare reports of audit activities with significant findings along with any relevant recommendations and provide periodic information on the status of the annual audit plan.
Periodically, the Head of Internal Audit will meet with the Chair of the Audit Committee in private to discuss internal audit matters.
Quality Assurance and Continuous Improvement
Internal Audit strives to deliver high quality assurance and insight to the Audit Committee and management at all times. The quality of Internal Audit reporting is assured through:
- The involvement of specialists in delivery of relevant areas of the Internal Audit Plan
- The application of a robust review process prior to the issue of any Internal Audit reports or conclusions
- The performance of an independent Internal Audit Quality Assessment once every three years (the results of which and an action plan to address any issues identified are shared with the Audit Committee).
Internal Audit aims to continuously improve methodology, procedures, technologies and quality This is achieved through regular review of industry developments and emerging audit technologies, as well as the application of “lessons learnt” from recent Internal Audit delivery, including the outcome of the independent Internal Audit Quality Assessment process outlined above.
The external auditors fulfil a statutory duty. Effective collaboration between Internal Audit and the external auditors is imperative to ensure effective and efficient audit coverage and resolution of issues of mutual concern. Internal Audit ensures that internal control issues raised by the external auditors are addressed. Internal and external audit meet annually, upon request from management or external audit to:
- Discuss potential issues arising at the year-end
- Discuss the results of the external audit and the management letter
- Share the results of significant issues arising from internal and external audit work.