
Internal Audit Charter

1.1 Introduction

The Chartered Institute of Internal Auditors (CIIA) defines the Mission of Internal Audit (IA) as being ‘to enhance and protect organisational value by providing risk based and objective assurance, advice and insight.’ In order to achieve this, Internal Audit rely on a framework of principles and standards known as the International Professional Practices Framework (IPPF).

It is the joint policy of the Board of Paragon Banking Group PLC (PBG) and of Paragon Bank PLC to maintain an independent and objective internal audit function. This Audit Charter defines the objectives, scope of work, authority, and responsibilities of Internal Audit.

This Audit Charter jointly applies to Paragon Banking Group PLC and Paragon Bank PLC.

1.2 Organisation

The Internal Audit Director will report functionally to the Chairman of the PBG Audit Committee and administratively to the Chief Financial Officer.

The Internal Audit Director will communicate and interact directly with the Board, including in executive and private sessions, and between Board meetings as appropriate. The Internal Audit Director will communicate results of an audit directly to Audit Committee members as and when reports are finalised.

1.3 Authority

Internal Audit’s authority is received from PBG’s Audit Committee and gives IA unrestricted access to all information, functions, records, property, and employees anywhere within PBG, relevant to their role.

The PBG Internal Audit Director will have unrestricted access to the Chair of PBG’s Audit Committee and may obtain the assistance of employees in PBG as necessary.

1.4 Assurance framework

PBG follows the three lines of defence governance structure. Line management and oversight functions (e.g. compliance monitoring and risk management) comprise the first and second lines respectively. IA comprises the third line of defence and provides assurance to the Audit Committee on the adequacy of both the first and second lines.

1.5 Objectives and scope

The CIIA Guidance on Effective Internal Audit in Financial Services defines the primary role of Internal Audit as being ‘to help the Board and Executive Management to protect the assets, reputation and sustainability of the organisation’.

The objective of IA is to provide independent assurance to PBG’s Board and Audit Committee that the governance, risk management and control systems within PBG (including those outsourced to third parties) are adequate, effective, and functioning properly.

IA will assist senior management in the effective discharge of their responsibilities and in maintaining and improving the management of business risks and internal control. To this end, it furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed, as an aid to improving performance.

IA does not in any way relieve management of the responsibilities for maintaining effective controls.

The scope of internal audit encompasses the examination and evaluation of the systems of internal control within PBG, in particular:

  • The means of accounting for the business’ assets and interests, and safeguarding against potential loss arising from fraud, inefficient administration, commercially deficient practices, and other causes;
  • The systems established to ensure compliance with those policies, plans, targets, procedures, laws and regulations which could have a significant impact upon operations, and whether PBG is in compliance;
  • The soundness, adequacy, and application of financial, IT and other management controls;
  • The reliability, integrity, security and usefulness of business information and data, and the means used to identify, measure, classify and report such information; and
  • Carrying out special investigations or ad hoc projects as directed by the PBG Board, Executive, or Audit Committee.

On occasions IA may provide a consultancy service to PBG. IA may be involved in project planning, design, and development to ensure that operational and financial risks are considered and that adequate controls are incorporated. IA may ensure that a complete and thorough systems test is undertaken at key stages of project implementation.

During consultancy services IA will not be involved in designing controls to be implemented by PBG and neither will IA provide sign off on projects. This will ensure IA maintains its independence for future audits.

1.6 Independence and objectivity

IA will have no direct operational responsibility or authority over any of the activities audited. IA will at all times be objective, constructive, and not be influenced by personal, business, or other issues, which might impair impartiality in adherence to CIIA standard 1100 Independence and Objectivity. In order to effectively carry out the responsibilities of the internal activity the Internal Audit Director shall have unrestricted access to senior management and the Board. Threats to independence will be managed at the individual auditor level. IA staff will not be involved in providing internal audit services in relation to a business activity for which they have had any operational responsibility within the previous twelve months.

To support the conflicts of interest process and to confirm that auditors have conformed with the IIA Code of Ethics, an annual declaration is made by each member of the IA team which is recorded by the Internal Audit Director.

IA are required to have appropriate experience and expertise to enable them to conduct their work with proficiency and due professional care in line with CIIA attribute standard 1200. This will be demonstrated by IA staff obtaining professional certifications and qualifications relevant to the business areas in which they perform IA activities. IA staff will engage in continuing professional development which will be monitored by the Internal Audit Director. However, if the knowledge, skills, and competencies required to perform an engagement are not available within IA, the Internal Audit Director will obtain and utilise any necessary technical or specialist professional assistance from within the Group or from external providers.

Whilst IA staff should have sufficient knowledge to identify the indicators of fraud, they are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

IA staff should also have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1.7 Responsibilities

The Internal Audit Director has responsibility to:

  • Produce a risk based Internal Audit plan, that will be submitted for approval at the relevant PBG Audit Committee meeting each year;
  • Review and adjust the IA plan as necessary in response to Paragon’s strategic priorities and pillars and changes to business operations or emerging risks, communicating these to senior management and PBG’s Audit Committee;
  • Ensure that IA staff remain free from all conditions that may threaten their ability to carry out their responsibilities in an unbiased manner to maintain independence and objectivity; also, to confirm to PBG’s Audit Committee at least annually the organisational independence of IA;
  • Maintain a professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of the audit charter. IA may, subject to appropriate approval, contact a third party to undertake internal audit work in specialist areas;
  • Prepare a written report following each audit review that contains key findings and, where any weaknesses were identified, a summary of the corrective action agreed with management, together with a target date for completion. Final reports will be issued to the Executive and appropriate senior management;
  • Monitor the follow-up action undertaken by management to remedy weaknesses identified by IA, ensuring that action taken is sufficient, timely and that controls introduced are operating as intended to mitigate the risk. However, when the Internal Audit Director concludes that management has accepted a level of residual risk that may be unacceptable to PBG, this will be discussed with senior management and if not resolved, communicated to PBG’s Audit Committee for resolution;
  • Provide periodic reports to PBG’s Audit Committee summarising the status of the audit plan, the results of audit activities and details of significant issues identified, and the sufficiency of department resources of appropriate skills, experience, and expertise to discharge the audit plan. Report significant issues directly to PBG’s Executive or Chair of PBG’s Audit Committee at any time, where these cannot be resolved functionally; and
  • Provide PBG’s Audit Committee with an annual opinion on IA’s assessment of the overall effectiveness of governance, risk and control arrangements and its conclusion on whether the risk appetite framework is being adhered to, highlighting any significant control weaknesses and thematic issues or trends emerging from IA activities and their impact on PBG’s overall risk profile.

1.8 Co-operation

There should be a high degree of co-operation between PBG’s IA, Risk and Compliance functions, third party providers and the external auditors, which should include the exchange of relevant information, in order to maximise the benefit to management.

Internal Audit will have an open, constructive, and co-operative relationship with the regulators that supports the sharing of information relevant to carrying out their respective responsibilities.

1.9 Standards of practice

IA are expected to comply with the PBG code of conduct, policies and ethical standards and to act in line with the IPPF, which consists of the mandatory Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing and the Definition of Internal Auditing published by the CIIA. Where full conformance with CIIA Principles, Standards and Code of Ethics is not achieved, and where this impacts the overall scope of operation of internal audit activity, this will be disclosed to PBG’s Audit Committee along with an action plan to address the issues identified.

IA plans and performs its assurance work using a risk-based audit methodology, to the standards and requirements set out in the IA audit methodology covering: annual planning; audit execution; audit reporting; and post audit issues assurance. These standards are in line with the CIIA standards and attributes for the provision of internal audit.

IA will undertake an ongoing Quality Assurance and Improvement Programme (QAIP) to ensure compliance with the IA audit methodology as approved by the PBG Audit Committee. The Internal Audit Director will report results of this programme to the PBG Audit Committee and report on any improvements that will be put in place to rectify any non-conformity identified.

IA will be subjected to an external audit assessment at least once every five years by a qualified, independent reviewer. The results of internal and external assessments will be communicated to PBG’s Audit Committee.

Approved by the PBG Audit Committee at its meeting on 23 May 2024.


Alison C M Morris