Internal Audit Charter

1. Purpose

The purpose of this Charter is to state clearly the objectives and scope of esure Group's (esure) Internal Audit function. It also serves to outline the function's position within the organisation and its powers and responsibilities. It will be reviewed on an annual basis to ensure its continued relevance.

In reading this Charter, it will be assumed that the Auditee has read and understood the key actions, roles and responsibilities of them and their team. These are described in Appendix C. For clarification, the Auditee shall be the Head of the Department (HoD) under review (or any person to whom this is delegated by the HoD).

This Charter will be owned by the Lead Internal Auditor.

2. Mission

The mission of esure's Internal Audit is to provide independent, objective assurance and advice on good industry practice to assist management in appropriately managing key risks, to act as an effective third line of defence and to add value by improving the operations of the business.

3. Role and Scope of Activities

Internal Audit provides independent, objective assurance to the Board and Executive Management on the internal control environment across esure. This involves the review of the design and operating effectiveness of esure's governance processes, risk management procedures, internal control and information systems.

Internal Audit also provides a consulting service that brings a systematic and disciplined approach to evaluating the policies, procedures and operations that management put in place to ensure that the risks to the achievement of esure's objectives are effectively managed. It adds value and contributes to the achievement of business objectives by aligning its activities with esure's most important areas of work; covering a suitably broad range of risks, activities, processes and projects in order to be able to provide a robust assurance opinion; and providing structured advice in response to management requests.

Its role is to:
- undertake a comprehensive programme of internal audit activities which support esure;
- examine and evaluate the adequacy and effectiveness of systems of risk management and control across the entire business;
- provide reasonable assurance that risks are being identified and managed and that controls are managed effectively;
- provide timely input and assurance on controls over significant change projects.

Internal Audit may also carry out consultancy and advisory reviews from time to time, at the request of management or the Audit Committee.

Internal Audit sits in the third line of defence in the three lines of defence model. However, Internal Audit is not an extension of or a substitute for management. Responsibility for operational control rests fully with managers, who must ensure that appropriate, adequate and effective control arrangements exist without dependence on Internal Audit. It is for management to decide whether or not to accept and implement recommendations. The esure Chief Executive Officer is ultimately responsible for ensuring that prompt and effective action is taken where called for, or that the risks of not taking action are recognised, accepted and documented.

4. Independence and Objectivity

Internal Audit will be independent of the activities that it audits, and its auditors will be objective in performing their work. Internal Audit, while consultative in approach, will be free from interference in determining the scope of the audits, performing work and communicating results. In summary, Internal Audit will be impartial, unbiased and will avoid conflicts of interest.

To ensure independence, Internal Audit is directly accountable to the Chair of the Audit Committee. The Audit Committee approves the appointment, compensation, evaluation, retention and dismissal of the Internal Audit function. It will also approve the Audit Charter, the Audit Plan and changes to it. For administrative purposes and day-to-day communication, Internal Audit will liaise with the Head of Risk Management.

5. Authority and Access

Internal Audit has unrestricted access to every member of the Audit Committee, to whom all significant concerns over the adequacy and effectiveness of the internal control and risk management activities are reported. Internal Audit derives its authority from the esure Group Holdings Limited Board.

In carrying out their duties, members of Internal Audit are authorised to:
- have full, free and unrestricted access to all functions, records, property and colleagues;
- have full and free access to the Audit Committee;
- obtain the assistance of colleagues in areas of esure where they perform audits, as well as other specialised services from within the organisation.

Members of Internal Audit are not authorised to:
- perform any operational duties for esure or its affiliates;
- initiate or approve accounting transactions external to the Internal Audit team;
- direct the activities of any employee not employed by Internal Audit, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.

6. Standards of Audit Practice

Internal Audit will meet or exceed the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.

7. Key activities description and responsibilities

Annual Planning Exercise

In liaison with the Risk and Compliance functions, Internal Audit shall prepare an annual audit plan setting out the proposed timing for each audit assignment. The plan is based on a risk assessment, identifying business objectives and the key risks impacting those objectives, and taking into consideration input from management and other key stakeholders. The order of priority, the proposed resource requirements and the scope for each audit assignment will be decided according to risk and the direction of the Audit Committee.

The Lead Internal Auditor will meet with Executive Management to understand their concerns and obtain their thoughts. The Lead Internal Auditor will review the risk register before consulting esure's External Auditors. Additionally, all existing and forthcoming regulatory issues will be considered. The plan will be presented to the Audit Committee for their approval. If needed, adjustments can be made to the plan during the year (e.g. as a result of emerging trends), but any such changes will be discussed with the Chief Risk Officer and approved by the Audit Committee Chair.

The Audit Process

The core audit process is described in detail in Appendix A. The criteria for the ratings of each individual audit finding and of the overall reports are described in Appendix D.

8. Interaction with other control and assurance activities and Management

Compliance Function

Internal Audit will liaise with the Head of Compliance at esure to determine any areas of duplication of work and the extent to which both the Compliance team and Internal Audit can place reliance on the work performed by the other team.

Claims Audit Team

As part of the Internal Audit Plan for each year, a set number of days, agreed in advance with management, shall be set aside to assist the Claims Audit function in performing audits in accordance with the Claims Audit team's own audit plan.

The Lead Internal Auditor will liaise with the Head of the Claims Audit team to discuss and agree the timing, scope and required resource for these audits. Internal Audit will provide the Claims Audit team with all relevant working papers and draft reports following the completion of the work. The Claims Audit team is responsible for finalising and issuing the reports to its key stakeholders. A summary of the findings will be included in Internal Audit's updates to the Audit Committee.

External Audit

Internal Audit will assist esure's External Auditors by providing copies of all finalised reports issued by Internal Audit, as requested. The Lead Internal Auditor will meet with the External Auditors on a quarterly basis to discuss the progress of Internal Audit against the agreed audit plan. In addition, Internal Audit will liaise with the External Auditors to determine any areas of duplication of work and the extent to which reliance can be placed by the External Auditors on the work performed by Internal Audit.

Audit Committee

Internal Audit regularly reports on the results of its work to the Audit Committee. Internal Audit is accountable to the Audit Committee for ensuring that issues are escalated to appropriate levels and specifically for:
- periodic assessments of the adequacy and effectiveness of esure's systems of risk management and internal control, based on the work of the Internal Audit team;
- reporting significant control issues and the potential for improving risk management/control processes;
- reporting to the Audit Committee on the implementation of audit recommendations;
- providing regular information on the status and results of the annual Audit Plan and the sufficiency of Internal Audit resources;
- providing an annual report to the Audit Committee, including the following:
  - the effectiveness of Internal Audit and performance against objectives;
  - formal confirmation that it is free to express opinions in an unfettered and independent manner;
  - confirmation that it has unrestricted access to esure records, data and personnel.

9. Resource

The Lead Internal Auditor will maintain sufficient and appropriately skilled audit personnel to implement the audit programme, either internally within the audit team or externally through the use of specialist resources. The use of specialist auditors will be explicitly set out in the scope document.

10. Service Levels

Internal Audit will work to a specific set of indicators that are agreed with the Head of Risk Management. These indicators are set out in Appendix B. Internal Audit will provide updates on progress against these indicators as part of its updates to the Audit Committee. Where service levels fall below the desired requirement, these will be addressed with the Head of Risk Management and, if required, at the next Audit Committee meeting.

Appendix A: The Audit Process

The Core Audit Process

Each review undertaken by Internal Audit will follow a standardised process from the initial planning stage through to the submission of the final report to the Audit Committee. Internal Audit shall be responsible for planning, conducting, reporting and following up on audit assignments included in the audit plan, and for deciding on the scope and timing of audits. The process below identifies the key elements of the review, the parties responsible and their respective levels of required contribution. The process is also abbreviated within the attached flowchart (Appendix A).

a) Audit Planning

Pre-Audit Meeting (Scoping Meeting)

Approximately four weeks prior to the beginning of a planned audit, the Internal Auditor will liaise with the Auditee to arrange a scoping meeting two weeks prior to the beginning of the audit. Prior to the scoping meeting the Internal Auditor will produce a Draft Planning Memorandum which outlines the key elements of the review. These include the following:
- Audit Objective and Scope: sets out what the review will cover, potential exclusions and how in-depth the review will be;
- Risks associated with the area of the business under review;
- Methodology: the approach by which the review will be undertaken;
- Dates of Fieldwork;
- Audit Team.

At the Scoping Meeting the Internal Auditor and Auditee will discuss the Draft Planning Memorandum and alter it according to the specific requirements of the Auditee. This allows the Auditee to direct resources specifically to areas of concern at that point in time. The Auditee must ensure that they are available for this meeting/conference call.

Planning Memorandum Final Version

Following the Scoping Meeting the Internal Auditor will update the Draft Planning Memorandum and submit it to the Auditee. The Auditee will provide comments regarding any updates or necessary changes to the draft scope and submit these back to the Lead Internal Auditor. The Lead Internal Auditor will incorporate the changes and submit a Final Planning Memorandum back to the Auditee, copying in the Head of Risk Management, one week prior to the fieldwork start date. The Auditee is responsible for distributing the Planning Memorandum or informing the relevant teams of the impending review and what it will entail. The Auditee should provide formal approval of the scope.

Pre-Fieldwork

At least one week prior to the review the Internal Audit Team will provide a document request list (where applicable) and interview schedule requests to the Auditee. The Auditee is then responsible for distributing the document and interview schedule requests to the relevant team members, and for providing this information to the Audit Team within one week of the request. The Auditee should arrange the necessary meetings with appropriate members of staff. The Auditee should organise an opening meeting on day 1 of the review and inform the relevant team members and Internal Audit of the timing of this. The Lead Internal Auditor will liaise with the Auditee regarding the arranging of logistics during the fieldwork, such as booking of meeting rooms.

b) Audit Execution

Audit fieldwork shall be conducted in a professional and timely manner. Following the opening meeting the Auditee should keep the Internal Auditor informed of the potential availability of staff, and the Internal Auditor should also keep the Auditee informed of their availability. During the opening meeting the attendees should arrange the closing meeting date, time and location (preferably with the same attendees as the opening meeting) at the end of the fieldwork period.

Interviews with staff will be required as part of any fieldwork completed. The Auditee should ensure that staff time to hold these interviews is made available. The Auditee should also ensure that staff with system access are available at the early stage of the fieldwork to assist with any walkthrough audit exercise. The Internal Auditor should prepare and submit a list of potential findings to all those attending just prior to the closing meeting. All findings should be discussed at the final meeting.

c) Reporting

Internal Audit shall be responsible for reporting to management and the Audit Committee issues relating to the processes and activities identified in an audit assignment, including potential improvements to those processes. Internal Audit will monitor the timely action by management in response to audit findings and will be responsible for the formal acceptance of closure of issues on a periodic basis. Progress will also be reported to the Audit Committee.

The Internal Auditor is responsible for the submission of the Draft Report to the Auditee within fourteen days of the closing meeting. The Auditee will agree responses to the findings within the draft report and send the updated report back to the Lead Internal Auditor within 14 days of receiving it. Internal Audit will consider the management responses provided. Where it is felt the actions will not satisfy the observations raised, Internal Audit will notify the Auditee and request a revised response. Where there is disagreement around the suitability of responses, the Internal Auditor will notify the Chief Risk Officer.

The Lead Internal Auditor will produce the Final Report and will issue it to those on the distribution list seven days after management comments are received. The Lead Internal Auditor will also make the Final Report available to the Audit Committee. Reporting of results will include an open process to agree with management the facts, validity and practicality of implementing audit recommendations. Where management agree with a valid finding raised by Internal Audit, but choose to accept the risk rather than mitigate or remove it, this will be reported to the Audit Committee for information.

Appendix B: Service Levels

Operational

Assignments will be completed within the timeframe set out below. Exceptions to this will be notified by the Lead Internal Auditor to the Head of Risk Management.

- T - 4 weeks: Lead Internal Auditor arranges scoping meeting
- T - 2 weeks: Scoping meeting takes place
- T - 1 week: Scope document is finalised and issued
- T - 1 week: Documentation request list is issued
- T + 0: Audit fieldwork starts
- T + x: Audit fieldwork ends
- + 7 days from fieldwork ending: Closing meeting takes place
- + 14 days from closing meeting: Draft report issued
- + 14 days from report issue: Management responses completed
- + 7 days from receipt of management comments: Final report issued

Auditee feedback

It is the intention of the Lead Internal Auditor to develop and agree a framework for receiving feedback from the Auditees regarding Internal Audit's performance during the year.

Appendix C: Auditee's Responsibilities

Outlined below are the responsibilities of the Auditee for each audit undertaken.

Responsibilities
- Meet with the internal audit team for a scoping meeting.
- Review and approve the draft scope document.
- Arrange sign-off of the scope document by the Head of Department.
- Issue the final scope to all staff within the key departments involved in the review.
- Arrange interviews with those staff listed in the interview schedule (within one week of receipt of the initial request).
- Respond to the document request list (within one week of receipt of the initial request).
- Arrange a meeting room for the opening meeting on day one of the fieldwork.
- Ensure key team members are present for the opening meeting on day one of the fieldwork.
- Arrange for a room to be booked for the audit team to use over the course of the audit.
- Arrange for system access to key systems if required.
- Agree a date with the audit team for a close-down meeting.
- Arrange for any other appropriate staff to be present at the close-down meeting.
- Invite the Head of Department to the close-down meeting.
- Review the draft report once received and provide feedback to the audit team.
- Construct management responses as required.
- Arrange for management responses to be signed off by the Head of Department.
- Provide management responses to the internal audit team.
- Approve the final report.

Appendix D: Assurance Chart

Overall Report Ratings

Each level of assurance is defined by two criteria: the adequacy of control design and the effectiveness of operating control.

Positive (opinion)

Full Assurance
- Adequacy of control design: The controls are fully designed to mitigate the specific risks.
- Effectiveness of operating control: The controls are operating effectively.

Substantial Assurance
- Adequacy of control design: Some key controls do not fully mitigate the specific risk, but there is a range of compensating controls in place.
- Effectiveness of operating control: Some key controls are not operating effectively and compensating controls are not adequately documented.

Satisfactory Assurance
- Adequacy of control design: There is a range of key controls, but there is a weakness, such as an over-reliance on preventative or detective controls, that could negatively affect the business.
- Effectiveness of operating control: Partially effective operation exists over key controls to a material degree.

Negative (opinion)

Limited Assurance
- Adequacy of control design: The controls are not adequately mitigating the risks in the majority of instances or in areas of key controls.
- Effectiveness of operating control: The operational effectiveness of the controls is poor.

No Assurance
- Adequacy of control design: No controls in place.
- Effectiveness of operating control: Controls are ineffective or it is not possible to assess their effectiveness.

Appendix D: Assurance Chart (continued)

Priority Ratings for Individual Recommendations

High: A weakness where there is an increased risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such a risk could lead to an adverse impact on the business. Remedial action must be taken urgently (within 45 days).

Medium: A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives, should be of concern to senior management and requires prompt, specific action (within 90 days).

Low: Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and/or efficiency (within 150 days).