HC-6.4 HC-6.4 Internal Audit
HC-6.4.1
Bahraini investment firm licensees must establish an internal audit function to monitor the adequacy of their systems and controls.January 2011HC-6.4.2
The internal audit function must be independent of the
senior management , reporting either to the Board or its Audit committee (where applicable). The internal audit function must not be combined with any other function.Amended: July 2015
January 2011HC-6.4.3
The CBB would normally expect larger
investment firm licensees to maintain the internal audit function within the organisation (or at least to be provided from within thelicensee's group, where relevant, providing this doesn't impair the level of internal audit scrutiny applied to thelicensee ). The CBB will however consider allowing smallinvestment firm licensees to outsource part or all of their internal audit function to third party providers.January 2011HC-6.4.4
Where
investment firm licensees outsource part or all of their internal audit function, the outsourcing arrangements must provide for an adequate level of scrutiny of thelicensee , and must comply with the requirements contained in Chapter RM-7. Alicensee cannot outsource its internal audit function to its external auditor.January 2011HC-6.4.5
Prior approval from the CBB is required for significant outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the
licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within thelicensee responsible for internal audit: this person should be anapproved person (see Section AU-1.2 and Chapter RM-7).January 2011HC-6.4.6
Internal audit functions must have terms of reference that clearly indicate:
(a) The scope and frequency of audits;(b) Reporting lines; and(c) The review and approval process applied to audits.January 2011HC-6.4.7
Paragraph HC-6.4.6 applies irrespective of whether the internal audit function is
outsourced . Where it isoutsourced , the CBB would expect to see these matters addressed in the contract with theoutsourcing provider .January 2011HC-6.4.8
Internal audit functions must report directly to the Audit committee or, where none exists, to the Board. They must have unrestricted access to all the appropriate records of the
investment firm licensee . They must have open and regular access to the Audit Committee, the Board, theChief Executive , and thelicensee's external auditor.January 2011HC-6.4.9
Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the
head of function should be a senior and experienced employee. Internal audit functions must not perform other activities that compromise their independence.January 2011HC-6.4.10
The CBB would expect to see in place a formal audit plan that:
(a) Is reviewed and approved at least annually by the Audit Committee or, where none exists, the Board;(b) Is risk-based, with an appropriate scoring system; and(c) Covers all material areas of alicensee's operations over a reasonable timescale.January 2011HC-6.4.11
Internal Audit reports should also be:
(a) Clear and prioritised, with action points directed towards identified individuals;(b) Timely; and(c) Distributed to the Audit Committee or Board and appropriatesenior management .January 2011HC-6.4.12
Investment firm licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:(a) Dealt with in a timely fashion;(b) Monitored until they are settled; and(c) Raised withsenior management if they have not been adequately dealt with.January 2011
