Internal Audit Charter

1. Introduction

This Internal Audit charter defines the role, authority, independence, scope, roles and responsibilities of the Internal Audit function at OakNorth Bank. It is approved annually by the Board Audit and Compliance Committee.

1.1 Business Context

Internal Audit is an independent function established by the Board Audit and Compliance Committee of OakNorth Bank Ltd (the “Bank”) to assist the Board and Executive Management in protecting the assets, reputation and sustainability of the Bank. Internal Audit does this by assessing whether all significant risks are identified and appropriately reported; assessing whether they are adequately and effectively controlled; challenging Executive Management to improve the effectiveness of governance, risk management and internal controls; and by influencing senior management and the Executive with recommendations that will help the Bank achieve its strategic objectives.

Through delivering against this remit, Internal Audit will maintain an open, constructive and co-operative relationship with regulators; the appointed external auditors; internal control functions (such as Risk, Compliance and Finance); and with all management and employees of the Bank.

1.2 Regulatory Context

The key regulatory authorities that prescribe requirements and guidance for Internal Audit are the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), the Financial Reporting Council (FRC) via the UK Corporate Governance Code and the Chartered Institute of Internal Auditors (IIA). In fulfilling its remit, Internal Audit will undertake its role in line with best practice principles and recognised standards as outlined by the IIA; specifically compliance at all times with the IIA’s code of professional conduct and code of ethics; the international standards for the professional practice of Internal Auditing; the IIA’s policy for continuing professional development and the IIA’s guidance on effective internal audit in financial services.

2. Reporting

The Head of Internal Audit (HoIA) reports functionally to the Chairman of the Board Audit and Compliance Committee and administratively to the Chief Executive Officer (CEO) for the Bank. This level of seniority within the organisation ensures the appropriate standing, access and authority to challenge the Executive.

Any breaches of this Charter must be reported to the Chairman of the Board Audit and Compliance Committee and the Chief Risk Officer as appropriate.

A written report will be prepared and issued by the Head of Internal Audit following the conclusion of each Internal Audit engagement and will be distributed as appropriate. Internal Audit results will also be communicated to the Board Audit and Compliance Committee.

The Internal Audit report may include management's response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

The Internal Audit function is responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.

3. Independence

The HoIA shall have no executive or managerial powers and duties within the Bank except those relating to the management of the Internal Audit function. The Internal Audit function will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit the maintenance of the necessary independence and objectivity. In addition, the Internal Audit function will have its own budget, which will be approved by the Board Audit and Compliance Committee.

The Head of Internal Audit will report to the Board Audit and Compliance Committee, at least annually at a meeting held without management being present, on the organisational independence of the Internal Audit function, its access to adequate resources and any issue he or she wishes to raise directly with the Committee.

4. Authority

The HoIA has the right to attend and participate in those meetings of the Board of Directors and Senior Management which relate to Internal Audit’s oversight responsibilities for credit and enterprise-wide risk management, financial reporting, organisational governance and control, and also in strategic planning meetings and other executive meetings. The HoIA is a standing invitee to the Asset and Liabilities Management Committee, Operations Committee, Credit Risk Management Committee, Executive Committee, Board Audit and Compliance Committee, Board Credit Committee, Board Risk Committee and the Board.

Internal Audit employees have unrestricted access to all Bank personnel, assets, information and systems, during the performance of audits specified in the annual plan and investigations approved by the HoIA and the Board Audit and Compliance Committee. This includes the right to be informed proactively by management of any material decision or change, events and issues.

The Head of Internal Audit has direct and unrestricted access to the Chief Executive Officer and the Chairman of the Board Audit and Compliance Committee.

Audit working papers and audit reports are the property of the Bank and access to those working papers and reports requested by persons outside of the Bank is possible only with the prior approval of the Bank’s Board of Directors.

5. Scope

The scope of the Internal Audit function is unrestricted and covers all activities of the Bank, all areas of current and future risks within the Bank and an assessment of risk management and mitigation controls in the context of the current and expected business environment. In addition, Internal Audit includes within its scope:

  • An assessment of the design adequacy and operating effectiveness of the Bank's governance, policies, processes and controls, to provide independent assurance that they are in line with the strategic objectives, risk appetite and values of the Bank;
  • Management’s control awareness (at all levels of management) and approach to addressing known issues;
  • The risk and control culture;
  • Whether the key risks to the organisation have been identified and how effectively these are being managed – this includes capital, liquidity, regulatory and reputational risks as well as key corporate events;
  • The information presented to the Board and Executive Management for strategic and operational decision making and whether this information fairly represents the benefits, risks and assumptions associated with strategy and corresponding business plans;
  • An evaluation of risks associated with poor customer treatment or outcomes, giving rise to conduct and reputational risk, and a determination of whether the Bank is acting with integrity in its dealings with customers;
  • Whether Business and Risk Management are adequately designing and controlling products, services and supporting processes in line with customer interests and conduct regulation; and
  • To undertake thematic reviews as appropriate of the pervasive control environment within OakNorth Bank.

In addition, Internal Audit may carry out special investigations or other assignments as required by the Chief Executive Officer or the Chairman of the Board Audit and Compliance Committee and undertake work required by regulators or to validate regulatory reported matters as necessary. Lastly, Internal Audit may attend and observe all Executive and other Senior Management committee meetings in order to assess the identification, assessment and mitigation of any further or future significant risks that may arise.

Internal Audit activity does not substitute controls executed by appropriate managers and controls executed by specialised divisions – responsibility for operational effectiveness rests with local management.

6. Roles and Responsibilities

6.1 The Head of Internal Audit

The HoIA in the discharge of his or her duties is responsible to the Board Audit and Compliance Committee and to Executive Management and will:

  • Develop a risk-based Audit Plan using an appropriate risk-based methodology and in line with the Internal Audit methodology and the Internal Audit manual;
  • Ensure adequate and appropriately skilled resources are available to deliver the Internal Audit plan. Additional resources will be made available through an Internal Audit co-source arrangement as and when required;
  • Maintain the Internal Audit methodology and deliver the audit plan in accordance with it;
  • Report to the auditee on a timely basis on completion of each audit;
  • Follow-up on audit findings to provide assurance that any identified weaknesses and corresponding actions have been addressed;
  • Implement a quality assurance and improvement programme that covers all aspects of Internal Audit activity;
  • Maintain a close and collaborative working relationship with the Bank’s Risk and Compliance functions sharing risk and control information as necessary;
  • Liaise with the external auditors and other providers of assurance (primarily Risk and Compliance) to co-ordinate planning and share results of any audit work; and
  • Provide a periodic (at least quarterly) audit report and an annual report for presentation to the Board Audit and Compliance Committee at its formal meetings throughout the year. This report is to include the status of the Audit Plan, any proposed amendments to the plan, the results of all audit activities and details of any significant issues identified.

6.2 The Chairman of the Board Audit and Compliance Committee

The Chairman of the Board Audit and Compliance Committee will:

  • Review and provide input to the CEO on the HoIA’s performance objectives and monitor performance against these with both the CEO and the HoIA;
  • Review and approve the HoIA’s annual pay and reward package to be proposed to the Board Remuneration Committee (as per the IIA guidance);
  • Assist in the resolution of any conflicting priorities that may arise;
  • Ensure the HoIA has support in securing adequate resources to deliver the Internal Audit plan and discharge the Internal Audit function’s duties;
  • Monitor and review the effectiveness of the Internal Audit function;
  • Challenge and approve the annual Internal Audit plan;
  • Challenge and review all reports submitted to the Board Audit and Compliance Committee and in turn challenge management on the effectiveness of delivering an adequate risk and control environment for the Bank where significant issues have been identified; and
  • Approve the appointment and termination of appointment of the HoIA.

6.3 The CEO

The CEO is responsible for the day-to-day line management of the HoIA, taking into account input from the Chairman of the Board Audit and Compliance Committee. This will include:

  • Recommending the HoIA’s annual pay and reward package;
  • Setting work priorities and assisting in the resolution of any conflicting priorities that may arise; and
  • Approving the contract for the engagement of third party suppliers of co-sourced Internal Audit services.

7. Quality assurance and improvement programme

The Internal Audit function will maintain a quality assurance and improvement programme that covers all aspects of the Internal Audit function. The programme will include an evaluation of the Internal Audit function's conformance with the Definition of Internal Auditing and the International Standards, the IIA guidance and an evaluation of whether Internal Auditor(s) apply the Code of Ethics. The programme also assesses the efficiency and effectiveness of the Internal Audit activity and identifies opportunities for improvement.

The Head of Internal Audit will communicate to senior management and the Board Audit and Compliance Committee on the Internal Audit function's quality assurance and improvement programme, including results of ongoing internal assessments and external assessments conducted at least every five years.