HC-5.4 HC-5.4 Internal Audit
HC-5.4.1
Unless otherwise agreed with the CBB,
licensees must establish an internal audit function to monitor the adequacy of their systems and controls.April 2016HC-5.4.2
The CBB would normally expect larger
licensees to maintain the internal audit function within the organisation. The CBB will however consider allowing smalllicensees to outsource part or all of their internal audit function to third party providers.April 2016HC-5.4.3
Licensees may outsource part or all of their internal audit function, after obtaining the prior approval of the CBB. The outsourcing arrangements must provide for an adequate level of scrutiny of thelicensee , and must comply with the requirements contained in Section RM-2.4. Alicensee cannot outsource its internal audit function to its external auditor.April 2016HC-5.4.4
Prior approval from the CBB is required for significant outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the
licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within thelicensee responsible for internal audit: this person should be anapproved person (see Section AU-1.2 and Chapter RM-2).April 2016HC-5.4.5
Internal audit functions must have terms of reference that clearly indicate:
(a) The scope and frequency of audits;(b) Reporting lines; and(c) The review and approval process applied to audits.April 2016HC-5.4.6
Paragraph HC-5.4.5 applies irrespective of whether the internal audit function is outsourced. Where it is outsourced, the CBB would expect to see these matters addressed in the contract with the
outsourcing provider .April 2016HC-5.4.7
Internal audit functions must report directly to the Board. They must have unrestricted access to all the appropriate records of the
licensee . They must have open and regular access to the Board, theChief Executive orgeneral manager , and thelicensee's external auditor.April 2016HC-5.4.8
Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the
head of function should be a senior and experienced employee. Internal audit functions must not perform other activities that compromise their independence.April 2016HC-5.4.9
The CBB would expect to see in place a formal audit plan that:
(a) Is reviewed and approved at least annually by the Board;(b) Is risk-based, with an appropriate scoring system; and(c) Covers all material areas of alicensee's operations over a reasonable timescale.April 2016HC-5.4.10
Internal Audit reports should also be:
(a) Clear and prioritised, with action points directed towards identified individuals;(b) Timely; and(c) Distributed to the Board and appropriate senior management.April 2016HC-5.4.11
Licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:(a) Dealt with in a timely fashion;(b) Monitored until they are settled; and(c) Raised with senior management if they have not been adequately dealt with.April 2016