1. Purpose

The Internal Audit Charter defines the role and responsibilities, authority, independence, and scope of the Internal Audit function (also known as the third line of defence) at Starling Bank Ltd. It is approved and reviewed annually by the Board Audit Committee (BAC). Any breach must be reported without delay to the Chair of the BAC and/or the Chief Risk Officer as appropriate.

Internal Audit will perform its work in accordance with the International Professional Practices Framework of the CIIAs and the Financial Services Code. This Charter is a fundamental requirement of the Framework.

This Charter shall be reviewed and approved annually by management and by the Audit Committee on behalf of the Board of Starling Bank Ltd.

Within the three lines model of the firm’s Enterprise Risk Management Framework, the BAC has established the Internal Audit function to help protect the assets, reputation and sustainability of Starling Bank Ltd. It does so by providing agile, independent, objective assurance and consulting services designed to improve the company’s control environment. Internal Audit aims to contribute in a fair, balanced, reliable and forward-looking manner to the firm’s governance and internal control environment.

The three lines model at Starling Bank Ltd consists of:

  • The first line, who are responsible for identifying, assessing, controlling, monitoring and reporting risks in accordance with risk policies and methodologies and the ERMF, and for operating within all limits applicable to their operations as cascaded from the Risk Appetite Statements.
  • The second line, who, being independent from the first line, are responsible for monitoring and challenging the application of the risk management framework by the first line through ongoing oversight and a programme of risk assurance and compliance monitoring, and for providing oversight and challenge on all significant risks identified for the Bank, in order to ensure they are being appropriately monitored and controlled in line with risk appetite.
  • The third line (Internal Audit), accountable for providing independent assurance on governance, risk management and control effectiveness across the first and second lines, and for providing independent assessment of the adequacy of first and second line activities in relation to all aspects of the business, including risk management.

This is aligned with industry accepted standards and practice.

Starling Bank’s Internal Audit mission statement is to provide timely, balanced, reliable and independent assurance to the BAC thereby helping them and senior management to protect Starling’s assets, reputation and sustainability.

2. Roles and responsibilities

2.1 The Internal Audit function

The internal audit function derives its authority and independence from the BAC.

To achieve its purpose, Internal Audit assesses whether significant risks are identified, measured, reported and mitigated. It checks whether controls are designed adequately and operating effectively, challenges executive management to improve the effectiveness of internal controls, governance and risk management. It coordinates with other assurance providers to optimise assurance coverage and outputs.

Internal Audit supports investigations arising from whistleblowing disclosures as requested and provides periodic assurance over the whistleblowing framework.

Internal Audit influences senior management with recommendations that will help Starling achieve its strategic objectives over the long term.

Internal Audit will maintain a forward-looking, open, constructive and co-operative approach to its interactions with regulators, external auditors, internal control functions across the first and second lines of defence, and with management and employees of Starling Bank Ltd.

Internal Audit will comply with requirements and guidance that apply, including those published by the Prudential Regulation Authority, the Financial Conduct Authority, and the Chartered Institute of Internal Auditors (IIA). Specifically, Internal Audit will adopt best practice and comply with standards published by the IIA including its code of professional conduct and code of ethics, the international standards for the professional practice of internal audit, the IIA’s policy on continuous professional development and the IIA’s “code” on effective internal audit in financial services.

Internal Audit may use external providers to help it deliver its mandate, in line with the firm’s Procurement and other applicable policies, and subject to the pre-approval of the CEO and Chair of the BAC.

Internal Audit will report in writing following the conclusion of each engagement, in the form agreed in the engagement’s terms of reference and in line with the internal audit methodology. Reports will be distributed as appropriate, and the BAC will receive a summary of findings and agreed management actions.

The GHIA is responsible for following up and reporting on the delivery of agreed management actions and for confirming their risk-acceptance by the first or second line(s) of defence, or their closure.

Internal Audit will maintain a quality assurance and improvement programme that covers all aspects of the function. The programme will assess compliance with all applicable standards, requirements and expectations. The outcome will be reported at least annually to the BAC as part of the annual self-assessment of the effectiveness of the internal audit function. An external quality assurance review performed by an independent third party will report to the BAC at least every five years, at the discretion of the Chair of the BAC.

2.2 The Chair of the BAC

The Chair of the BAC will:

  • Set the objectives and, with input from the Chief Executive Officer, review the performance of the Group Head of Internal Audit, including making recommendations on remuneration to the Remuneration Committee as appropriate;
  • Lead in the resolution of any conflicting priorities;
  • Ensure that Internal Audit has access to sufficient resources to discharge its duties;
  • Challenge the reports submitted to the BAC and in turn challenge senior management on the control environment and its ongoing improvement; and
  • Approve the appointment and removal of the GHIA.

2.3 The Chief Executive Officer

The CEO will:

  • Recommend the GHIA’s annual pay and reward package to the Chair of the BAC and then RemCo;
  • Contribute to the setting of the GHIA’s performance objectives and appraisal process;
  • Set work priorities for the Internal Audit function;
  • Encourage the executive team to close all open management actions on time; and
  • Approve the contract for the engagement of any third-party supplier of internal audit activities.

2.4 The Group Head of Internal Audit

The GHIA will:

  • Coordinate the BAC meetings with the Finance function and Secretariat team;
  • Develop and maintain an audit strategy and methodology to be presented to the BAC;
  • Develop a risk-based annual audit plan (and resource budget) to be approved by the BAC and deliver it;
  • Report in writing without undue delay on the outcome of all internal audit engagements;
  • Follow up on agreed management actions, validate their closure or risk-acceptance, and report on and escalate overdue actions as required;
  • Implement a quality assurance and improvement programme for internal audit activities and report annually to the BAC;
  • Maintain a close working relationship with control functions across the firm and provide an integrated assurance plan to the BAC at least annually;
  • Liaise with the external auditors and all other assurance providers to enhance their assessment of the control environment;
  • Provide a quarterly report to the BAC on the progress of the audit plan delivery and any proposed changes, report on the outcome of internal audit activities and key issues and findings (good outcomes as well as material findings), and report on management actions; and
  • Provide an annual opinion on the state of the control environment and management’s awareness and approach to controls ahead of the BAC’s review of the draft Annual Report and Accounts. The format of this annual opinion framework will evolve in line with expectations from the upcoming UK Corporate Governance Reform.

3. Authority

The GHIA is appointed and removed by the Chair of the BAC. The GHIA reports functionally to the Chair of the BAC and administratively to the Chief Executive Officer. This ensures the independence and right level of standing, access and authority of the Internal Audit function.

The GHIA has a right to attend and observe in meetings of the Board of Directors and Senior Management relating to the remit of internal audit, specifically the enterprise-wide risk management framework, financial reporting, governance and controls, strategic meetings and relevant executive meetings. The GHIA may attend and observe the Executive Committee, the Board, the Board Risk Committee, the BAC, the Executive Risk Committee, and other sub-committees such as the Asset & Liability Committee, the Wholesale Credit Risk Committee, the Credit Risk Committee, the Impairment Committee, the Third Party Credit & Forward Flow Committee, the Operational Risk Committee, the Financial Crime Steering Committee, the Product and Conduct Committee, the Finance Committee and the Pricing Committee.

The GHIA has prompt, unrestricted access to all Starling Bank Ltd’s personnel, assets, information and systems during the performance of audits approved by the BAC in the annual internal audit plan and investigations approved by the GHIA or the Chair of the BAC. This includes the expectation to be informed proactively by senior management of any material decision, change, event or issue that could affect the control environment.

The GHIA has direct and unrestricted access to the Chair of the BAC and the CEO.

4. Independence

The GHIA does not have any executive, managerial or operational powers or duties outside the management of the Internal Audit function.

Internal Audit is independent of the day-to-day business of the Bank. Internal Audit staff assume no operational responsibilities and will not review a business area or function in which they have had recent management or operational responsibility or are otherwise conflicted.

IA staff must always remain objective and not be influenced by personal, business or other matters that could impair impartiality. IA staff must have no line responsibility or authority over any of the activities or operations they review and (except in circumstances approved by the BAC) are not authorised to:

  • Perform any operational duties of the organisation except within IA;
  • Provide audit services in relation to a business area or activity for which they have held responsibility within the previous twelve months;
  • Develop or implement procedures or systems external to IA;
  • Initiate or approve any transactions external to IA;
  • Direct the activities of any employee not employed by IA; and
  • Engage in any other activity which could compromise their objectivity.

The Executive will provide input on matters related to audit selection, scope, procedures, frequency or report content, but will not act in a way that could be perceived to affect the independence and objectivity of the Internal Audit function.

Resources for the Internal Audit function are approved by the BAC. The GHIA will report at least annually to the BAC, without management being present, on the independence of the Internal Audit function, its access to adequate resources and any issue they may wish to raise directly with the BAC.

5. Scope

The scope of internal audit is unrestricted. It covers all activities of Starling Bank Ltd, all areas of current and future risks as well as their mitigating controls in the current and foreseeable business environment.

The scope of IA specifically includes:

  • Governance arrangements, policies, processes and controls across the first two lines of defence;
  • The setting and adherence to risk appetite including the effectiveness of the enterprise-wide risk management framework;
  • Management’s control awareness and approach to addressing known issues;
  • Culture;
  • Capital, liquidity, regulatory and reputational risks and mitigating controls as well as material corporate events;
  • Information provided to senior management and the Board as part of the decision-making process, including risks identified and assumptions made;
  • Customer outcomes and the treatment of customers;
  • Products and services design and control, including customer interests and conduct risk;
  • The adequacy of the Compliance function;
  • Data management and security;
  • Business continuity;
  • Thematic reviews, where relevant to assessing the overall control environment; and
  • Special investigations or engagements as relevant or as requested by the Chair of the BAC, the Chief Executive Officer, or a regulator.