This charter defines the purpose, reporting, authority, independence, scope, roles and responsibilities, and quality assurance of internal audit at Monzo. It is approved annually by the Audit Committee of the Board.
Internal audit is Monzo’s “Third Line of Defence” (3LoD). Internal Audit provides Monzo’s Board and Executive Management with independent and objective assurance on the adequacy and functioning of the system of internal control. Specifically, this should cover whether Monzo’s framework for risk management, control, and governance processes are adequate and functioning as intended and in a manner that ensures:
- Monzo’s assets, reputation and sustainability are adequately protected by its system of internal control.
- All significant risks are appropriately identified, reported to the Board and the Group’s Senior Leadership Team and effectively controlled.
- Significant financial, management, and operating information is accurate, reliable and delivered in a timely manner.
- Monzo’s actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
- Products, services and processes result in fair outcomes for Monzo’s customers.
Internal Audit will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The Head of Internal Audit will report periodically to the audit committee regarding Internal Audit’s conformance to the Code of Ethics and the Standards
Internal audit at Monzo is directed by the Head of Internal Audit (HoIA). The HoIA will report functionally to the Chair of the Audit Committee, and administratively to the Chief Executive Officer (CEO). This level of seniority within the organisation ensures the appropriate standing, access and authority to challenge the executive.
A written report will be prepared and issued by the HoIA following the conclusion of each internal audit review and will be distributed as appropriate. Internal audit results will also be communicated to the Audit Committee.
Internal audit reports may include management’s response and corrective action taken or to be taken. Management’s response should include a timetable for completing the corrective actions, and an explanation for any corrective actions that will not be taken.
Internal audit is responsible for appropriate follow-up after issuing a report. All significant findings will remain open until Internal Audit agrees that they may be closed.
The Head of Internal Audit and IA colleagues are authorised to:
- Have full, unrestricted and timely access to all functions, systems, records, property, and colleagues, at all times adhering to Monzo’s relevant policies and procedures. (A holder of highly confidential or sensitive information is entitled to restrict access to the Head of Internal Audit alone).
- The right to be informed proactively by management of any material decision, change, events and issues.
- Have an enterprise-wide remit and mandate, which includes assessing the adequacy and effectiveness of the Risk Management, Compliance, and Finance functions.
- Have the right to attend and observe any executive committee meetings or other management decision-making fora.
- Have full and free access to the Audit Committee and its Chair.
- Although it is not the role of IA to second guess the decisions made by the Board, its scope should include information presented to the Board for strategic and operational decision making where applicable to audit engagements.
- Allocate resources, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives.
- Obtain the necessary assistance of Monzo colleagues in the execution of IA activities.
If Internal Audit experiences challenges in relation to any of the points above, the Head of Internal Audit will escalate to the Chair of the Audit Committee.
The HoIA shall have no executive or managerial powers and duties within Monzo except those relating to the management of the Internal Audit function.
Monzo’s internal auditors will remain free from interference from any element of the company, including matters of audit selection, scope, procedures, frequency, timing, or report content to maintain the necessary independence and objectivity to fulfil their role.
Internal Audit staff will need to have sound judgement. This will require them to have appropriate skills, experience and expertise and to conduct their work with proficiency and due professional care. Internal audit staff will engage in continuing professional development. If the knowledge, skills and competencies required to perform an engagement are not available within Internal Audit, the Head of Internal Audit will obtain alternative advice, assistance or resources.
The HoIA will confirm to the Audit Committee, at least annually, the organisational independence of internal audit at Monzo, its access to adequate resources and any issue they wish to raise directly with the committee.
Whilst Internal Audit staff should have sufficient knowledge to identify the indicators of fraud, they are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
The scope of internal audit covers all activities at Monzo, all areas of current and future risks within Monzo, and an assessment of risk management and mitigation controls in Monzo’s current and expected business environment.
The scope of internal audit at Monzo specifically includes, but is not limited to:
- Providing an assessment on the adequacy and effectiveness of Monzo’s processes for controlling its activities and managing its risks.
- Forming an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed.
- Reporting on significant control issues that could have an adverse impact on the achievement of Group goals and objectives.
- Reporting on management’s progress in addressing significant control issues.
- Reporting on control effectiveness in terms of design, implementation, sustainability, and management information.
- Assessing the risk and control culture of Monzo including whether processes, actions and ‘tone from the top’ are in line with espoused values, ethics, risk appetite and policies.
- Reporting on management's control awareness (attitude and approach taken by all levels of management).
- Providing an overall annual opinion on the effectiveness of internal controls.
- Reporting on the progress of the IA function in meeting its functional objectives and on the adequacy of its resources using appropriate KPIs.
- Liaising with the Group’s regulators, sharing information with them that is relevant to their responsibilities.
In addition, internal audit may carry out special reviews or other assignments as required by the Executive or the Chair of the Audit Committee and undertake work required by regulators or to validate regulatory reported matters as necessary.
Internal Audit may also undertake specific controls assurance work to independently validate progress or completion of large scale management remediation programmes.
Internal auditing does not provide a substitute for controls executed by senior management – responsibility for operational effectiveness rests with them.
The HoIA will:
- develop a flexible Internal Audit Plan (“the Plan”) using a risk-based methodology;
- Review and adjust the internal audit plan, as necessary, in response to changes in Monzo’s business, risks, operations, programs, systems, and controls.
- ensure each audit is executed, including the establishment of clear objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
- follow-up on audit findings to provide assurance that any identified weaknesses and corresponding actions have been addressed;
- evaluate and assess emerging risks, including those related to projects that are intended to help Monzo achieve its strategic priorities and/or deliver new or changed services and processes. (IA should determine whether corporate events are sufficiently high risk to warrant involvement on a real time basis).
- implement a quality assurance and improvement programme that covers all aspects of internal audit;
- maintain a close and collaborative working relationship with Monzo’s Risk and Compliance functions, sharing risk and control information as necessary, coordinating planning and sharing results of any audit work; and
- provide a periodic audit report and an annual report for presentation to the Audit Committee at its formal meetings throughout the year. This report is to include the status of the Plan, any proposed amendments to the plan, the results of all audit activities and details of any significant issues identified.
- Communicate to senior management and the audit committee the impact of resource limitations on the internal audit plan.
- Perform audit activity to review any post-mortem and ‘lessons learned’ analysis following Monzo suffering a significant adverse event. This review activity will assess the roles of both the “first and second lines of defence” and IA’s own role.
- Liaise with external auditors in the achievement of suitable coverage across the activities of the Group.
- Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
The Chair of the Audit Committee will:
- review and approve with input from the CEO on the HoIA’s performance objectives and monitor performance against these with both the CEO and the HoIA. Performance appraisals will consider the independence, objectivity and tenure of the HoIA. If the HoIA’s tenure is more than 7 years, the Audit Committee will explicitly discuss annually the Chair’s assessment of the HoIA’s independence and objectivity;
- review and approve the HoIA’s annual pay and reward package to be proposed to the Remuneration Committee (as per the IIA guidance);
- assist in the resolution of any conflicting priorities that may arise;
- ensure the HoIA has support in securing people to deliver the Plan and discharge internal audit’s duties;
- monitor and review the effectiveness of the internal audit function;
- Lead the audit committee in the challenge and approve the audit Plan;
- challenge and review all reports submitted to the Audit Committee and in turn challenge management on the effectiveness of delivering an adequate risk and control environment at Monzo where significant issues have been identified; and
- approve the appointment and termination of appointment of the HoIA.
The CEO is responsible for the day to day line management of the HoIA taking into account input from the Chair of the Audit Committee. He will:
- recommend the HoIA’s annual pay and reward package;
- set work priorities and assist in the resolution of any conflicting priorities that may arise; and
- approve the contract for the engagement of third party providers of outsourced or co-sourced internal audit services.
Internal audit will maintain a quality assurance and improvement program that covers all aspects of internal audit activity. The program will include an evaluation of whether internal audit at Monzo has conformed with the Definition of Internal Auditing, the International Standards, and an evaluation of whether internal auditors at Monzo adhere to the IIA’s Code of Ethics.
The program will also assess the efficiency and effectiveness of internal audit at Monzo and identify opportunities for improvement.
The HoIA will communicate to senior management and the Board the progress of the quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.