Back Custom print Link Text Only Rich Text Print

  • HC-5.4 HC-5.4 Internal Audit

    • HC-5.4.1

      Unless otherwise agreed with the CBB, licensees must establish an internal audit function to monitor the adequacy of their systems and controls.

      April 2016

    • HC-5.4.2

      The CBB would normally expect larger licensees to maintain the internal audit function within the organisation. The CBB will however consider allowing small licensees to outsource part or all of their internal audit function to third party providers.

      April 2016

    • HC-5.4.3

      Licensees may outsource part or all of their internal audit function, after obtaining the prior approval of the CBB. The outsourcing arrangements must provide for an adequate level of scrutiny of the licensee, and must comply with the requirements contained in Section RM-2.4. A licensee cannot outsource its internal audit function to its external auditor.

      April 2016

    • HC-5.4.4

      Prior approval from the CBB is required for significant outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within the licensee responsible for internal audit: this person should be an approved person (see Section AU-1.2 and Chapter RM-2).

      April 2016

    • HC-5.4.5

      Internal audit functions must have terms of reference that clearly indicate:

      (a) The scope and frequency of audits;
      (b) Reporting lines; and
      (c) The review and approval process applied to audits.
      April 2016

    • HC-5.4.6

      Paragraph HC-5.4.5 applies irrespective of whether the internal audit function is outsourced. Where it is outsourced, the CBB would expect to see these matters addressed in the contract with the outsourcing provider.

      April 2016

    • HC-5.4.7

      Internal audit functions must report directly to the Board. They must have unrestricted access to all the appropriate records of the licensee. They must have open and regular access to the Board, the Chief Executive or general manager, and the licensee's external auditor.

      April 2016

    • HC-5.4.8

      Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the head of function should be a senior and experienced employee. Internal audit functions must not perform other activities that compromise their independence.

      April 2016

    • HC-5.4.9

      The CBB would expect to see in place a formal audit plan that:

      (a) Is reviewed and approved at least annually by the Board;
      (b) Is risk-based, with an appropriate scoring system; and
      (c) Covers all material areas of a licensee's operations over a reasonable timescale.
      April 2016

    • HC-5.4.10

      Internal Audit reports should also be:

      (a) Clear and prioritised, with action points directed towards identified individuals;
      (b) Timely; and
      (c) Distributed to the Board and appropriate senior management.
      April 2016

    • HC-5.4.11

      Licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:

      (a) Dealt with in a timely fashion;
      (b) Monitored until they are settled; and
      (c) Raised with senior management if they have not been adequately dealt with.
      April 2016