Internal Audit Function

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 1 ONLY THE HEBREW VERSION IS BINDING Internal Audit Function Contents Topic Paragraphs Pages in Directive General Remarks 1–4 2–5 Key Features of the Function 5–20 5–9 Duties of the Function 21–24 9–12 Charter 25–28 11–13 Scope of Activity 29–31 13–14 Working Methods 32–48 14–20 Internal Auditor 49–54 20–21 Reporting by the Function 55 22 Outsourcing of Internal Auditing 56–64 23–24 Foreign Bank 65 24-25

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 2 ONLY THE HEBREW VERSION IS BINDING Internal Audit Function A. General Remarks Introduction

1. This Directive concerns the internal audit function, which is crucial for the maintenance of sound corporate governance at a banking corporation. The Directive is based on a Basel document published in August 2001 concerning Internal Audit in Banks. The purpose of this Directive is to apply the general principles set forth in the Basel document in regard to internal auditing. The Directive also includes local legislative and regulatory provisions.
2. To allow the internal audit function to perform its duties appropriately, a banking corporation must uphold the following principles: (a) The board of directors has the ultimate responsibility of ensuring that senior management establishes and maintains an adequate and effective system of internal controls, a measurement system for assessing the various risks of banking corporations’ activities, a system for relating risks to the banking corporations’s capital level, and appropriate methods for monitoring compliance with laws, regulations, and supervisory and internal policies. At least once a year, the board of directors should review the internal control system and the capital assessment procedure. (b) The banking corporation’s senior management is responsible for developing processes that identify, measure, monitor, and control risks incurred by the banking corporation. At least once a year, senior management should report to the board of directors about the scope and performance of the internal control system and the capital assessment procedure. (c) Internal auditing is part of the ongoing monitoring of the banking corporation’s system of internal controls and its internal capital assessment procedure; this is because the internal audit function provides an independent assessment of the

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 3 ONLY THE HEBREW VERSION IS BINDING adequacy of, and compliance with, the banking corporation’s policies and procedures. As such, the internal audit function assists management and the board of directors in the efficient and effective discharge of their aforementioned responsibilities. (d) Each banking corporation must have a permanent internal audit function. In fulfilling its duties and responsibilities, senior management should take all necessary measures so that the banking corporation can continuously rely on an adequate internal audit function appropriate to the its size and the nature of its operations. These measures include providing the internal audit function with appropriate resources and staffing to attain its objectives. (e) The banking corporation’s internal audit function shall be independent of audited activities and of everyday internal control processes. This means that the internal audit function shall be given an appropriate standing within the banking corporation and shall carry out its assignments objectivily and impartially. (f) Each banking corporation shall have an internal audit charter that defines the standing and powers of the internal audit function within the banking corporation. (g) The internal audit function shall be objective and impartial, which means it shall be in a position to carry out its tasks free of bias and interference. (h) The proper functioning of the banking corporation’s internal audit function depends on the professional competence of the internal auditor and of each staff member of the interal audit function. (i) Every activity and every entity of the banking corporation shall fall within the scope of the internal audit function. (j) Within the framework of the banking corporation’s internal capital assessment process, internal audit function or some other independent function shall carry out regularly an independent review of the risk management system applied by the banking corporation in relating risk to its capital level and the methodology

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 4 ONLY THE HEBREW VERSION IS BINDING that has been established for monitoring compliance with internal capital policies. (k) The work of the internal audit function includes drawing up an audit plan, examining and assessing available information, communicating the results, and following up recommendations and issues. (l) The internal auditor shall be responsible for ensuring that the function complies with sound internal auditing principles. (m) The board of directors and senior management shall remain ultimately responsible for ensuring that the system of internal control and the internal audit are adequate and operate effectively, even if internal auditing activities are outsourced. Incidence 3. These provisions shall apply to all banks as defined in this Directive. Definitions 4. “Banking corporation” As defined in the Banking (Licensing) Law, 5741-1981, including a banking corporation that is a joint services company and an auxiliary corporation that is a credit card company; “The Ordinance” The Banking Ordinance, 1941; “The Companies Law” The Companies Law, 5759-1999; “The Internal Audit Law” The Internal Audit Law, 5752-1992; “The internal auditor” The head of the internal audit function of a banking corporation; “Staff of the internal audit function” Employees of the banking corporation who carry out internal audit assignments “Relative” As defined in Section 1 of the Companies Law

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 5 ONLY THE HEBREW VERSION IS BINDING “Internal audit function” An independent assessment function that carries out objective assurance activity that is meant to add value and improve banking corporation operations; The internal audit function helps the banking corporation to attain its objectives by bringing in a systematic and disciplined approach in order to evaluate and improve the effectiveness of risk management processes and internal control systems, including controls of financial reporting, corporate governance, and, within this generality, compliance with the law, directives of the Supervisor of Banks, ethical probity, economy, and efficiency. “Outsourcing of internal audit arrangement” An agreement between the banking corporation and an outsourcing supplier for the provision of internal audit services; “External auditor” As defined in Proper Conduct of Banking Business Directive 302, “External Auditor of a Banking Corporation” (hereinafter, “Directive 302”). B. Key Features of the Function Permanent function—continuity 5. (a) A banking corporation must have a permanent internal audit function.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 6 ONLY THE HEBREW VERSION IS BINDING (b) Senior management shall take all necessary measures so that the banking corporation can continuously rely on an adequate internal audit function appropriate to its size and to the nature of its operations. (c) These measures include providing the internal audit function with resources and staffing that are appropriate to the attainment of its objectives. 6. Senior management shall ensure that the internal audit function is kept fully informed of new developments, initiatives, products, and operational changes to ensure that all associated risks are identified at an early stage. Independent function 7. The internal audit function shall be independent of the activities audited and of everyday internal control processes. Standing of the function 8. Internal audit shall be given an appropriate standing within the bank: (a) The internal audit function must be able to exercise its assignments at its own initiative in all departments, establishments, and functions of the banking corporation. (b) The internal audit function must be free to report its findings and appraisals and to disclose them internally. 9. The internal audit function shall be directly subordinate to the chair of the board of directors in accordance with the corporate governance framework, as set forth in Section 36(b)(1) of Proper Conduct of Banking Business Directive 301, “Board of Directors” (hereinafter: “Directive 301”). (a) The internal auditor shall have the power to communicate directly, and on his/her own initiative, with the members of the audit committee, the chair of the board of directors, or the members of the board of directors, or the external auditor, where appropriate, according to rules that each banking corpration shall define in its internal audit function charter.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 7 ONLY THE HEBREW VERSION IS BINDING (b) The reporting noted in Section (a) above may cover, for example, information about management decisions that contravene legal or supervisory provisions. Conflict of interest 10. The internal auditor and the internal audit staff shall not have a conflict of interest with the bank: (a) A person who is a principal or an officer of the banking corporation, or is related to either of them, as well as the external auditor or any person acting on his/her behalf, shall not serve as an internal auditor or as a member of the internal audit staff. In this matter, "Officer"—as defined in Section 1 of the Companies Law. (b) Neither an internal auditor nor staff of the internal audit function may hold a post outside the banking corporation in which they operate that creates or may create a conflict of interest with their duties in the internal audit function. Staff of the internal audit function 11. (a) No person shall be appointed to the internal audit function except with the consent of the internal auditor. (b) The staff of the internal audit function and those acting on behalf of the internal auditor for internal audit purposes shall take instructions in auditing affairs solely from the internal auditor or from a person acting on his/her behalf. (c) The service of a staff member of the internal audit function shall not be terminated except with the consent of the internal auditor. 12. Staff of the internal audit function shall hold no other position within the banking corporation, with the exception of public ombudsman or staff complaint officer, and even this only if said position does not impair the discharge of their principal duty as required. 13. The compensation scheme for internal auditors shall be consistent with the objectives of the internal audit function.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 8 ONLY THE HEBREW VERSION IS BINDING Review of the internal audit function 14. At least every five years, the internal audit function shall be subject to independent review by an independent party that the audit committee shall determine. Objective and impartial function 15. The internal audit function shall be objective and impartial. 16. The internal audit function shall avoid situations of conflict of interest. To this end: (a) Assignments of staff within the internal audit function shall be rotated periodically whenever practicable; (b) Internally recruited auditors shall not audit activities or functions that they performed within the last twelve months. 17. The internal audit function shall not be involved in regular activities or controls of the banking corporation or in selecting or implementing internal control measures. However, the need for impartiality does not exclude the possibility that senior management may request from the internal audit function an opinion on specific matters related to the internal control principles to be complied with, as set forth in Section 24 below. Professional competence 18. (a) The professional competence of the staff of the internal audit functionand of the internal audit function as a whole is essential for the proper functioning of the function. (b) Knowledge, experience, and adequate competence for the examination of all areas in which the banking corporation operates within the internal audit function deserve special attention. 19. (a) The professional competence, motivation, and continuing training of staff of the internal audit function are prerequisites for the effectiveness of the internal audit function. (b) All staff members of the internal audit function shall have sufficient up-to-date knowledge of auditing techniques and banking activities.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 9 ONLY THE HEBREW VERSION IS BINDING (c) Professional competence shall be maintained through systematic continuing training of each member of the internal audit function staff. 20. The professional competence of internal audit function staff shall be appraised in consideration of the following: (a) the nature of the role and ability of members of staff of the internal audit function:

1. to collect information;
2. to communicate orally and in writing with various players at the banking corporation for the performance of auditing tasks;
3. to identify and evaluate deviation from accepted standards;
4. to identify existing or potential problems and expand audit procedures accordingly. (b) the growing technical complexity of the banking corporation’s activities; and (c) the growing diversity of tasks that need to be undertaken by the internal audit function as a result of developments in the financial sector. C. Duties of the Function Duties of the function

21. The internal audit function assists management and the board of directors in the efficient and effective discharge of their responsibilities. The duties of the internal audit function shall include the following, inter alia: (a) examination and evaluation of the adequacy and effectiveness of the internal control system and the way its responsibilities are discharged; (b) review of the application and effectiveness of risk management procedures and risk assessment methodologies; (c) review of the banking corporation’s compliance with policies and risk controls (both quantifable and non-quantifable), including implementation of board of directors policies, decisions, and guidelines on risk management and control;

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 10 ONLY THE HEBREW VERSION IS BINDING (d) review of systems established to ensure compliance with legal and regulatory requirements, codes of conduct, and the implementation of policies and procedures; (e) review and assessment of the reliability and continuity of the electronic￾information system and electronic banking services; (f) review of the reliability (including integrity, accuracy, and completeness) and availability of management, accounting, and financial information, including reporting on the management of risk control and the information used to prepare the financial statements; (g) review of the measures taken to safeguard the banking corporation’s assets; (h) review of the system of capital assessment relative to estimation of risk, as stated in Sections 22 and 23; (i) appraisal of the economy and efficiency of the banking corporation’s operations; (j) testing of both transactions and the functioning of specific internal control procedures; (k) review of the banking corporation’s actions to ensure compliance with legal and regulatory requirements, with reference to the way the banking corporation is organized and managed as set forth in Section 14e(b) of the Banking Ordinance; (l) review of branches outside Israel and control to assure that the internal audit of the banking corporation’s domestic or foreign subsidiaries is professionally adequate, unless the audit is performed by the internal auditor of the banking corporation itself; (m) assessment of the functioning of staff units; (n) carrying out of special investigations; (o) testing the reliability and timeliness of reportaging to the Suervisor of Banks and other regulation authorities.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 11 ONLY THE HEBREW VERSION IS BINDING (p) additional provisions concerning internal audit duties as specified in other Proper Conduct of Banking Business Directives (e.g., 204, 208, 211, 301, 316, 342, 354, 357, 411). Internal audit duties in the internal capital adequacy assessment process 22. In the internal capital assessment adequacy process (ICAAP), the banking corporation shall determine who is responsible for reviewing the capital adequacy assessment procedure. The review may be performed by the internal audit function or by another player that is sufficiently independent of the operations of the banking corporation. 23. The internal audit function, or another independent player, shall regularly perform an independent review of the risk management system that the banking corporation applies to its risk-capital ratio and of the developed methodology for monitoring compliance with its internal capital policies. Consultation relating to internal controls 24. Senior management may request from the internal audit function an opinion on specific matters relating to the internal control principles to be complied with. (a) For example, senior management may, for reasons of efficiency, request an opinion when considering:

1. a material reorganization of the bank;
2. the start of an important or risky new activity;
3. the establishment of new entities for the performance of risky activities;
4. the establishment or reorganization of risk control systems, management information systems, or information technology systems. (b) The performance of consultative tasks shall be ancillary to the performance of audits and in no way shall they impair the performance of basic tasks or the responsibilities and independence of the internal audit function. Accordingly, internal audit reports may contain recommendations concerning failures and deficiencies as well as proposals for the improvement of internal controls.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 12 ONLY THE HEBREW VERSION IS BINDING (c) In any event, ultimate responsibility for development and implementation remains with the management. (d) To eliminate doubt, the internal audit function shall not approve, design, or implement operational policies or procedures related to consultancy that it has given. D. Charter 25. Each banking corporation shall have an internal audit charter that enhances the standing and authority of the internal audit function within the banking corporation. The charter shall be distributed throughout the organization. 26. The charter shall include at least the following matters: (a) the objectives and scope of the internal audit function; (b) the standing of the internal audit function within the organization, its powers, responsibilities, and relations with other control functions; (c) the accountability of the internal auditor; and (d) the conditions and situations in which the internal audit function may be asked to provide consultative services or carry out special assignments. 27. The charter shall anchor the internal audit function’s right of initiative, to have direct access to and tocommunicate with any employee of the banking corporation, and to initiate the examination of any activity or entity of the banking corporation, including access to all records, files, or data in the banking corporation’s possession, and, within this generality, management information and minutes of all consultative and decision-making bodies, to any extent needed for the performance of its tasks. 28. The charter should be drawn up—and reviewed periodically—by the internal audit function; the audit committee shall discuss and recommend to the board of directors the approval of the function’s charter.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 13 ONLY THE HEBREW VERSION IS BINDING E. Scope of Activity 29. Every activity and entity at the banking corporation shall fall within the scope of the internal audit function, including activity of branches and subsidiaries as well as outsourced activities, as specified below: (a) The internal audit function of subsidiaries may be carried out by the internal audit function of the parent company. When subsidiaries have their own internal audit functions, they shall also report to the parent company’s internal audit function. (b) In the occurrence of the first part of Section (a) above, the parent company shall take all necessary measures without prejudice to local legal or regulatory provisions and instructions, to ensure that its own internal audit function has unlimited access to all activities and entities of the subsidiaries and that it carries out on-site audits at sufficient intervals. (c) If a banking corporation has a branch abroad, the internal audit function shall establish a local office to assure the efficiency and continuity of its work unless the Supervisor of Banks absolves the banking corporation of this requirement. A local office of this kind shall be part of the banking corporation’s internal audit function and shall be organized so as to operate under the principles set forth in this Directive. (d) For branches abroad as well as for subsidiaries, the internal auditing principles shall be established centrally by the parent company without prejudice to local, legal, and regulatory provisions and instructions. The parent company shall draw up the auditing instructions for the whole group. (e) The parent company’s internal audit function shall participate in recruiting and evaluating the local internal auditors. (f) In the case of more complex group structures than those described above, the internal audit function should be organized in such a way as to comply with the principles set forth in this document.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 14 ONLY THE HEBREW VERSION IS BINDING 30. The internal audit function shall be given access to all records, files, or data of the banking corporation, including management information and the minutes of all consultative and decision-making bodies, whenever relevant to the performance of its assignments, all of which as set forth in Sections 9 and 10 of the Internal Audit Law and Section 10 of Directive 301. 31. The internal audit function may avail itself of information reported by the various control departments for the performance of its tasks. Notwithstanding this, the internal audit function shall remain responsible for examining and evaluating the appropriate performance of internal control in connection with activities of the banking corporation or other relevant entity. F. Working Methods 32. There are different types of internal audit: (a) the financial audit, the aim of which is to assess the reliability of the accounting system and information and thus the financial reports produced on their basis; (b) the compliance audit, the aim of which is to assess the quality and appropriateness of the systems established to ensure compliance with laws, regulations, policies and procedures; (c) the operational audit, the aim of which is to assess the quality and appropriateness of other systems and procedures, to analyze the organizational structures with a critical mind, and to evaluate the adequacy of the methods and resources in relation to the assignment; and (d) the management audit, the aim of which is to assess the quality of management’s approach to risk and control in the framework of the banking corporation’s objectives. 33. (a) The internal audit function examines and evaluates the whole of the banking corporation’s activities in all its entities. Therefore, it shall not focus on one single type of audit but shall use the most appropriate type depending on the audit objective to be achieved.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 15 ONLY THE HEBREW VERSION IS BINDING (b) The internal audit function shall not limit itself in this respect to auditing the banking corporation’s various departments; rather, it shall also pay special attention to auditing a banking activity through all engaged entities within the banking corporation. Internal audit working procedure 34. The internal audit function shall organize its work on the basis of a written procedure that deals with the following matters, inter alia: (a) how the annual and multiannual audit plans are prepared; (b) the measures to be taken to assure the quality of the auditing work, including:

1. examination by the official in charge of the specific audit to assure that the audit was performed in accordance with the audit program and the audit plan;
2. gathering the findings in appropriate working papers;
3. verifying the findings before the audit report is sent on. (c) the types of documents that must be submitted to the internal auditor, including reports from supervisory authorities and from the external auditor; (d) how the audit report is drawn up; (e) distribution of audit reports to players other than those specified in the law; (f) procedures for follow-up on auditees’ responses; (g) determining who is authorized to confirm that the treatment of an audit report has been completed; (h) setting deadlines for the presentation of various reports to the audit committee; (i) cooperation with the external auditor, including prevention of unnecessary redundancies vis-à-vis the external auditor’s work. Cooperation in the auditing efforts includes periodic meetings for discussion of matters of mutual interest, exchange of audit reports and management letters, and joint understanding of auditing techniques, methods, and terminology.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 16 ONLY THE HEBREW VERSION IS BINDING Risk focus and audit plan 35. The internal audit function shall draw up a audit plan for every assignment. The audit plan shall include the timing and frequency of planned internal auditing work. This plan is based on a methodical control risk assessment. A control risk assessment documents the internal audit function’s understanding of the institution’s significant activities and their associated risks. The internal audit function shall establish the principles of the risk assessment methodology in writing and update them regularly to reflect changes to the internal control system or work process and to incorporate new lines of business. 36. The risk analysis shall examine all the banking corporation’s activities and entities and the complete internal control system. On the basis of the results of the risk analysis, an audit plan to several years ahead shall be established, taking into account the degree of risk inherent in the activities. The plan shall also take into account expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (an audit cycle principle—e.g., three years). All these concerns will determine the extent, nature, and frequency of the assignments to be performed. 37. The annual audit plan shall be divided into two half-year periods and shall include details on the following matters: (a) audit topics; (b) details of the personnel to be employed in the audits, their requisite professional competence, and other necessary resources; (c) audit schedules/time tables; (d) follow-up audits, to be performed within a reasonable time after the correction of deficiencies; (e) budgeting of time for other tasks and activities, e.g., specific checks, presentation of opinions, and training; (f) The audit plan shall be based on the following, inter alia:

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 17 ONLY THE HEBREW VERSION IS BINDING

1. a written program of duties in every department or unit as the plan sets forth on the basis of an up-to-date organization chart;
2. mapping of focal points of risk in the banking corporation’s activities;
3. mapping of focal points of risk relating to embezzlement and fraud;
4. the external auditor’s detailed report;
5. the minimum auditing frequency determined by the internal auditor, with separate reference to the frequency of audits at branches, central units, and subsidiaries. The minimum frequency shall be related to the period in which the internal auditor audits each auditee’s main areas of activity.

38. The audit plan shall be reviewed and updated in an orderly manner whenever such is required.
39. The audit plan shall be determined by the internal audit function and shall be presented for discussion to the audit committee, which shall present the board of directors with a recommendation concerning its approval. Said approval is meant, inter alia, to ensure that the banking corporation will provide the internal audit function with an appropriate allocation of resources. Audit program
40. An audit program shall be prepared for each audit assignment. The audit program describes the objectives and outlines of the audit work that are considered necessary to attain them. It is a relatively flexible tool that should be adapted, completed and updated according to the risks identified.
41. The audit program shall include, inter alia: (a) mention of laws and supervisory directives pertaining to the matters being audited at the entity in question; (b) a detailed list of instructions to the auditor concerning the actual performance of the audit. The audit shall concern itself, among other things, with the auditee’s working procedures in the following respects:

1. verification of the existence of up-to-date working procedures in the area of activity being audited;

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 18 ONLY THE HEBREW VERSION IS BINDING 2) evaluation of procedures, with reference to the following matters inter alia: a. completeness of the procedures; b. consistency of the procedures with the laws and directives that apply to the audited activity; c. whether the procedures establish means of internal control for the matter being audited. 3) detection of deviations from working procedures. Documentation of auditing work 42. Audit procedures are part of the audit assignments and shall be documented in working papers. These shall reflect the examinations that have been made and emphasize the evaluations formulated in the report. The working papers shall be drawn up according to a well-determined method. Such a method shall provide enough information to verify whether the assignment was duly performed and enable others to check the manner in which it was performed. 43. The internal audit function shall maintain documentation of assignments performed and of the reports issued. The audit report and its distribution 44. Shortly after the performance of an audit, a written audit report shall be produced. The report shall present the findings, irrespective of whether a consensus existed about them upon the completion of the assignment, and the conclusions and recommendations of the internal audit function. The audit report shall make note of the purpose and scope of the audit, assess the auditee’s internal control framework where possible, describe the relative importance of the deficiencies found and the recommendations made, and include the auditee’s response. 45. (a) The internal auditor shall present a report on his/her findings to the chair of the board of directors, the chair of the audit committee, the Chief Executive Officer, the auditee and its management, and any other relevant player as the auditor

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 19 ONLY THE HEBREW VERSION IS BINDING sees fit, and shall also, in principle, distribute the audit report to senior management in the form of an executive summary. (b) A report on matters that the internal auditor examined at the behest of the chair of the board of directors or the chair of the audit committee shall be presented to the party that instructed the function to perform the audit. Unusual findings 46. The internal auditor shall immediately report unusual findings to the chair of the board of directors, the chair of the audit committee, and the Chief Executive Officer. (a) If in the course of an audit at the banking corporation the internal auditor discovers unusual findings pertaining to the activity of the board of directors, he/she shall report them to the chair of the board of directors and the chair of the audit committee. (b) If the internal auditor believes that measures to correct faults that he/she reported under Section (a) were not taken, he/she shall bring this to the attention of the board of directors in full forum. Monitoring the correction of deficiencies 47. The internal audit function shall follow up on the implementation of its recommendations. The status of the recommendations shall be reported to the audit committee at least every half-year. 48. Senior management shall ensure that the findings reported by the internal audit function are being properly addressed. Therefore, it shall approve a procedure, to be established by the internal audit function, to make sure that the function’s recommendations are addressed and, to the extent possible, timely implemented. G. The Internal Auditor 49. The internal auditor shall have the status of a member of management of the banking corporation.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 20 ONLY THE HEBREW VERSION IS BINDING Duties of the internal auditor 50. The internal auditor shall be responsible for the performance of the following, inter alia: (a) acting in accordance with accepted professional standards. For this purpose, the internal auditor shall make sure to comply with accepted internal auditing standards such as the professional standards of the Institute of Internal Auditors or stricter; (b) ensuring that the charter specified in Sections 25 and 28 is in place. (c) submitting to the audit committee, for its review, a draft annual or periodic audit plan; (d) assuring that written policies and working procedures for function staff are in place, including reference to the topics appearing in Section 34; (e) continuously assuring the professional fitness and training of internal audit function staff, as set forth in Section 19, and the availability of the necessary resources; (f) placing special emphasis on the motivation of internal audit function staff and their awareness of quality; (g) presenting the audit committee, for its approval, with a quality assurance program that relates to all activities of the internal audit function and will continually monitor the function’s effectiveness. The plan shall include ongoing internal evaluation, to be performed by the internal audit function, and periodic external review, to be performed by an independent external entity; (h) advising the chair of the audit committee about material internal audit reports that should be presented in their entirety to the audit committee for discussion, as set forth in Section 36(a)(1)(i) of Directive 301. 51. The internal auditorshall not hold any additional position at the banking corporation except public ombudsman or staff complaint officer, and even this only if said position does not impair the discharge of his/her principal duty as required.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 21 ONLY THE HEBREW VERSION IS BINDING Appointment of internal auditor and termination of service 52. The internal auditor shall meet all legal requirements and his/her appointment shall be approved subject to the provisions of Section 11a of the Banking Ordinance. 53. (a) The appointment of the internal auditor and the termination or suspension of his/her service shall be carried out by the board of directors per proposal of the audit committee. (b) In the event of termination or suspension of service, the internal auditor shall be given an appropriate opportunity to address the board of directors at a meeting for which the directors shall be given prior notice concerning said termination or suspension of service. The decision of the board of directors shall be made by a majority of its members. (c) Notwithstanding the provisions of Subsections (a) and (b), an internal auditor who was convicted of a crime that involves disgrace, in a final ruling by a court—his or her service shall be terminated. 54. If the internal auditor decides to resign his/her post, he/she shall serve the board of directors and the Supervisor of Banks with written notice and shall specify his/her motives for said resignation. H. Reporting by the Function 55. The internal auditor shall submit regular reports directly to the board of directors, via the audit committee, and to the Chief Executive Officer: (a) about the performance of the internal control system and the attainment of the internal audit function’s goals. (b) Biannual reporting:

1. a list of all audit reports issued in the half-year reporting period, along with material findings at the auditor’s discretion;
2. a list of the demands arising from external audit reports for which treatment has not been completed, and reportage on the state of treatment;

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 22 ONLY THE HEBREW VERSION IS BINDING 3) a list documenting the status of implementation of the internal audit function’s recommendations as specified in Section 47. (c) Annual reporting:

1. a report on the performance of the audit plan, drawn up so as to permit comparison of performance against plan;
2. a summarizing report on internal audit function activity, including a concise list of material faults presented in the audit reports, the internal auditor’s recommendations on the way they should be corrected, and the auditor’s conclusions about the results of his/her follow-up of the correction of the faults;
3. recommendations in the internal auditor’s audit reports that management did not accept;
4. recommendations in the internal auditor’s audit reports that are being implemented beyond a reasonable period of time. I. Outsourcing of Internal Auditing

56. A banking corporation that wishes to outsource significant internal auditing activity shall advise the Supervisor of Banks of its intentions in advance, including explanations. Rules
57. The requirements in this Directive shall also apply respectively to internal auditing activities that are outsourced.
58. If activity is outsourced, the internal auditor shall, where possible, make sure that the knowledge acquired from the expert is assimilated at his/her department. One possible way of accomplishing this is by co-opting auditors from the auditing function into the external expert’s work.

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 23 ONLY THE HEBREW VERSION IS BINDING 59. The outsourcing supplier must exhibit financial stability, fitness, appropriate knowledge, and expertise. 60. Banking corporations shall analyze the effect of the outsourcing of internal auditing activities on their total risk profile and their internal control systems. 61. Banks shall prepare a contingency plan in the event of sudden termination of the contract with the outsourcing supplier. Given that there are several alternative providers in the internal auditing field, the contingency plan shall usually make reference to contracting with an alternative outsourcing supplier. Given the period of time that the new outsourcing supplier will need, the banking corporation shall weigh the need to step up its in-house internal auditing efforts temporarily. 62. In cases where a banking corporation considers contracting with an external auditor for the outsourcing of internal auditing activities, it shall present the Supervisor of Banks with a prior written request for approval. Outsourcing contract 63. Senior management shall ensure that its outsourcing contracts will remain in effect long enough and will have been concluded with an outsourcing supplier who has necessary professional competence in consideration of the characteristics of the banking corporation at issue. 64. An outsourcing of internal audit arrangement shall be in writing and shall include the following matters at least: (a) definition of the outsourcing supplier’s tasks and responsibilities; (b) an explicit stipulation to the effect that the audit committee of the banking corporation must give prior approval to the outsourcing supplier’s risk analysis and plan; (c) an explicit stipulation to the effect that the audit committee or its representatives, and the external auditor or his/her representatives, shall have access at any time to records pertaining to the outsourcing supplier’s tasks, including his/her audit plans and working papers;

Supervisor of Banks: Proper Conduct of Banking Business [3] (09/21) Internal Audit Function Page 307- 24 ONLY THE HEBREW VERSION IS BINDING (d) reference to the internal auditor’s responsibility for the outsourcing supplier’s work and for the provision of resources for this purpose, e.g., the possibility of examining the outsourcing supplier’s work during or at the end of the work; (e) a stipulation obliging the outsourcing supplier to pledge the necessary resources to the effective performance of his/her tasks in accordance with the audit plan; (f) conditions in the event of the introduction of changes in the contract, especially in regard to the expansion of auditing work in view of the discovery of significant findings. J. Foreign Bank 65. This Directive shall apply to a foreign bank, mutatis mutandis. Inter alia: (a) In the discharge of its duties as specified in Section 21, the internal audit function may avail itself of the internal audit function of the parent bank; (b) In determining the audit plan cited in Section 35, the internal audit function may base itself on risk evaluation methodologies determined by the parent bank, but it must make sure that said methodologies are suitable and up-to-date for the activity of the branch in Israel; (c) In exceptional cases where a foreign bank believes that certain sections of this Directive are not applicable to it, it may approach the Supervisor of Banks to adjust the incidence of said sections and/or the method of implementation in regard to it.

---

Updates Circular 06 no. Version Details Date 2320 1 Original directive Dec. 25, 2011 2476 2 Update June 29, 2015 2669 3 Update September 30, 2021