HC-6.4 HC-6.4 Internal Audit
HC-6.4.1
Licensees must consider establishing an internal audit function commensurate with the size, complexity and nature of its business to monitor the adequacy of their systems and controls.October 2019HC-6.4.2
The internal audit function must be independent of the
senior management , reporting either to the Board or its Audit committee. The internal audit function must not be combined with any other function.October 2019HC-6.4.3
Where
licensees outsource part or all of their internal audit function, the outsourcing arrangements must provide for an adequate level of scrutiny of thelicensees . Alicensee cannot outsource its internal audit function to its external auditor.October 2019HC-6.4.4
Prior approval from the CBB is required for material outsourcing arrangements, including all outsourcing of internal audit. Note that in all such cases, the
licensee retains ultimate responsibility for the adequacy of its outsourcing function, and is required to identify the person within thelicensee responsible for internal audit: this person should be anapproved person (see Section AU-1.2).October 2019HC-6.4.5
Internal audit functions must have terms of reference that clearly indicate:
(a) The scope and frequency of audits;(b) Reporting lines; and(c) The review and approval process applied to audits.October 2019HC-6.4.6
Internal audit function must report directly to the Board/Audit committee. They must have unrestricted access to all the appropriate records of the
licensees . They must have open and regular access to the Audit Committee, the Board, theChief Executive , and thelicensees ' external auditor.October 2019