The internal audit function must not be involved in designing, selecting, establishing, or implementing specific internal control policies, mechanisms, procedures or risk limits. However, this should not prevent the Board and the senior management from requesting input from the internal audit function on matters relating to risk, internal controls and compliance with applicable rules.