HC-8.1.6

The IAF must:

(a) Be independent of all functions;
(b) Have sufficient standing and authority within the licensee;
(c) Have sufficient skilled resources to be able to judge outcomes and make an impact at the highest level of the organization;
(d) Be able to perform its assignments on its own initiative in all areas and functions of the licensee based on the audit plan established by the head of the IAF and approved by the audit committee;
(e) Be free to report its findings and assessments internally;
(f) Independently review and evaluate the effectiveness and efficiency of all functions, internal controls, risk management, internal risk and finance models, governance framework, policies, procedures, systems and processes, including the licensee’s outsourced activities and its subsidiaries (including SPVs) and local and overseas branches, and must ensure adequate coverage of matters of regulatory interest within the audit plan;
(g) Develop an independent and informed view of the risks faced by the licensee based on its access to all licensee records and data, its enquiries and its professional competence;
(h) Discuss its views, findings and conclusions directly with the audit committee and, if necessary, with the board of directors at their routine quarterly meetings; and
(i) Not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the IAF must not prevent senior management from requesting input from the IAF on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls must remain the responsibility of management.
Added: July 2023