Skip to Content

Internal Audit Charter

Version 3.3 - 10th June 2024

Introduction

This charter defines the purpose, reporting, authority, independence, scope, roles and responsibilities, and quality assurance of Internal Audit at Monzo. It is approved annually by the Group Audit Committee of the Monzo Bank Holding Group Limited ('MBHG') Board (the 'Audit Committee'), and is applicable to the Monzo Group (the 'Group' or 'Monzo'), which consists of MBHG and any of its subsidiaries (as defined in the UK Companies Act 2006).

Purpose

Internal audit is Monzo’s “Third Line of Defence” (3LoD). Internal Audit provides Monzo’s Board and Executive Management with independent and objective assurance on the adequacy and functioning of the system of internal control. Specifically, this covers whether Monzo’s framework for risk management, control, and governance processes are adequate and functioning as intended and in a manner that ensures:

  • Monzo’s assets, reputation and sustainability are adequately protected by its system of internal control.

  • All significant risks are appropriately identified, reported to the Board and the Group’s Senior Leadership Team and effectively controlled.

  • Significant financial, management, and operating information is accurate, reliable and delivered in a timely manner.

  • Monzo’s actions are in compliance with policies, standards, procedures, and applicable laws and regulations.

  • Products, services and processes result in good outcomes for Monzo’s customers.

Standards for the Professional Practice of Internal Auditing

Internal Audit will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The Head of Internal Audit will report periodically to the audit committee regarding Internal Audit’s conformance to the Code of Ethics and the Standards.

Reporting

Internal audit at Monzo is directed by the Chief Internal Audit Officer (CIA). The CIA will report functionally to the Chair of the Audit Committee, and administratively to the Chief Executive Officer (CEO). This level of seniority within the organisation ensures the appropriate standing, access and authority to challenge the executive.

A written report will be prepared and issued by the CIA following the conclusion of each Internal Audit review and will be distributed as appropriate. Internal audit results will also be communicated to the Audit Committee.

Internal audit reports may include management’s response and corrective action taken or to be taken. Management’s response should include a timetable for completing the corrective actions, and an explanation for any corrective actions that will not be taken.

Internal audit is responsible for appropriate follow-up after issuing a report. All significant findings will remain open until Internal Audit agrees that they may be closed.

Authority

The Chief Internal Audit Officer and Internal Audit colleagues are authorised to:

  • Have full, unrestricted and timely access to all functions, systems, records, property, and colleagues, at all times adhering to Monzo’s relevant policies and procedures. (A holder of highly confidential or sensitive information is entitled to restrict access to the CIA alone).

  • The right to be informed proactively by management of any material decision, change, events and issues.

  • Have an enterprise-wide remit and mandate, which includes assessing the adequacy and effectiveness of the Risk Management, Compliance, and Finance functions.

  • Have the right to attend and observe any executive committee meetings or other management decision-making fora.

  • Have full and free access to the Audit Committee and its Chair.

  • Have full and free access to information presented to the Board for strategic and operational decision making where applicable to audit engagements.

  • Allocate resources, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.

  • Obtain the necessary assistance of Monzo colleagues in the execution of Internal Audit activities.

If Internal Audit experiences challenges in relation to any of the points above, the CIA will escalate to the Chair of the Audit Committee.

Independence & Objectivity

The CIA shall have no executive or managerial powers and duties within Monzo except those relating to the management of the Internal Audit function.

Monzo’s Internal Auditors will remain free from interference from any element of the company, including matters of audit selection, scope, procedures, frequency, timing, or report content to maintain the necessary independence and objectivity to fulfil their role.

Internal Auditors will need to have sound judgement. This will require them to have appropriate skills, experience and expertise and to conduct their work with proficiency and due professional care. Internal Auditors will engage in continuing professional development. If the knowledge, skills and competencies required to perform an engagement are not available within Internal Audit, the CIA will obtain alternative advice, assistance or resources.

The CIA will confirm to the Audit Committee, at least annually, the organisational independence of Internal Audit at Monzo, its access to adequate resources and any issue they wish to raise directly with the committee.

Whilst Internal Auditors should have sufficient knowledge to identify the indicators of fraud, they are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Scope

The scope of Internal Audit covers all activities at Monzo. This includes all areas of current and future risks within Monzo, and an assessment of risk management and mitigation controls in Monzo’s current and expected business environment.

The scope of Internal audit at Monzo specifically includes, but is not limited to:

  • Providing an assessment on the adequacy and effectiveness of Monzo’s processes for controlling its activities and managing its risks.

  • Forming an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed.

  • Reporting on significant control issues that could have an adverse impact on the achievement of Group goals and objectives.

  • Reporting on management’s progress in addressing significant control issues.

  • Reporting on control effectiveness in terms of design, implementation, sustainability, and management information.

  • Assessing the risk and control culture of Monzo including whether processes, actions and ‘tone from the top’ are in line with espoused values, ethics, risk appetite and policies.

  • Reporting on management's control awareness (attitude and approach taken by all levels of management).

  • Providing an overall annual opinion on the effectiveness of internal controls.

  • Reporting on the progress of the Internal Audit function in meeting its functional objectives and on the adequacy of its resources using appropriate KPIs.

  • Liaising with the Group’s regulators, sharing information with them that is relevant to their responsibilities.

In addition, Internal Audit may carry out special reviews or other assignments as required by the Executive or the Chair of the Audit Committee and undertake work required by regulators or to validate regulatory reported matters as necessary.

Internal Audit may also undertake specific controls assurance work to independently validate progress or completion of large scale management remediation programmes.

Internal auditing does not provide a substitute for controls executed by senior management – responsibility for operational effectiveness rests with them.

Roles and responsibilities

Chief Internal Audit Officer (CIA)

The CIA will:

  • Develop a Internal Audit Plan (“the Plan”) using a risk-based methodology;

  • Review and adjust the Internal Audit plan, as necessary, in response to changes in Monzo’s business, risks, operations, programs, systems, and controls.

  • Ensure each audit is executed, including the establishment of clear objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.

  • Follow-up on audit findings to provide assurance that any identified weaknesses and corresponding actions have been addressed;

  • Evaluate and assess emerging risks, including those related to projects that are intended to help Monzo achieve its strategic priorities and/or deliver new or changed services and processes. (IA should determine whether corporate events are sufficiently high risk to warrant involvement on a real time basis).

  • Implement a quality assurance and improvement programme that covers all aspects of Internal Audit;

  • Maintain a close and collaborative working relationship with Monzo’s Risk and Compliance functions, sharing risk and control information as necessary, coordinating planning and sharing results of any audit work; and

  • Provide a periodic audit report and an annual report for presentation to the Audit Committee at its formal meetings throughout the year. This report is to include the status of the Plan, any proposed amendments to the plan, the results of all audit activities and details of any significant issues identified.

  • Communicate to senior management and the audit committee the impact of resource limitations on the Internal Audit plan.

  • Perform audit activity to review any post-mortem and ‘lessons learned’ analysis following Monzo suffering a significant adverse event. This review activity will assess the roles of both the “first and second lines of defence” and Internal Audit’s own role.

  • Liaise with external auditors in the achievement of suitable coverage across the activities of the Group.

  • Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.

Chair of the Audit Committee

The Chair of the Audit Committee will:

  • Review and approve with input from the CEO on the CIA’s performance objectives and monitor performance against these with both the CEO and the CIA. Performance appraisals will consider the independence, objectivity and tenure of the CIA. If the CIA’s tenure is more than 7 years, the Audit Committee will explicitly discuss annually the Chair’s assessment of the CIA’s independence and objectivity;

  • Review and approve the CIA’s annual pay and reward package to be proposed to the Remuneration Committee (as per the IIA guidance);

  • Assist in the resolution of any conflicting priorities that may arise;

  • Ensure the CIA has support in securing people to deliver the Plan and discharge Internal Audit’s duties;

  • Monitor and review the effectiveness of the Internal Audit function;

  • Lead the audit committee in the challenge and approve the audit Plan;

  • Challenge and review all reports submitted to the Audit Committee and in turn challenge management on the effectiveness of delivering an adequate risk and control environment at Monzo where significant issues have been identified; and

  • Approve the appointment and termination of appointment of the CIA.

CEO

The CEO is responsible for the day to day line management of the CIA taking into account input from the Chair of the Audit Committee.

The CEO will:

  • Recommend the CIA’s annual pay and reward package;

  • Set work priorities and assist in the resolution of any conflicting priorities that may arise.

Quality assurance

Internal audit will maintain a quality assurance and improvement program that covers all aspects of Internal Audit activity. The program will include an evaluation of whether Internal Audit at Monzo has conformed with the Definition of Internal Auditing, the International Standards, and an evaluation of whether Internal Auditors at Monzo adhere to the IIA’s Code of Ethics.

The program will also assess the efficiency and effectiveness of Internal Audit at Monzo and identify opportunities for improvement.

The CIA will communicate to senior management and the Board the progress of the quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.