2022-05-05

Prudential Standard for Internal Auditing of Institutions Licensed Under the Banking Act

The Eastern Caribbean Central Bank mandates that all licensed financial institutions establish and maintain an independent, risk-based internal audit function aligned with their size and complexity. The standard requires clear governance structures, including a dedicated Audit Committee and direct functional reporting for the Head of Internal Audit, to ensure unbiased oversight of financial reporting, internal controls, and risk management. Effective January 2020, it replaces prior guidelines by enforcing mandatory audit planning, outsourcing reviews, compliance monitoring, and five-year external quality assessments.


Saint Kitts and Nevis

Eastern Caribbean Central Bank


EASTERN CARIBBEAN CENTRAL BANK PRUDENTIAL STANDARD FOR INTERNAL AUDITING OF INSTITUTIONS LICENSED UNDER THE BANKING ACT

November 2019 EASTERN CARIBBEAN CENTRAL BANK ST KITTS

Table of Contents

  1. COMMENCEMENT ........................................................................... 1
  2. DEFINITIONS................................................................................... 1
  3. OBJECTIVES.................................................................................... 6
  4. APPLICATION.................................................................................. 6
  5. REPEAL .......................................................................................... 6
  6. OVERVIEW...................................................................................... 6
  7. PRUDENTIAL STANDARD REQUIREMENTS .......................................... 7
     7.1 FRAMEWORK FOR INTERNAL AUDITING ........................................ 7
     7.4 THE AUDIT COMMITTEE .................................................... 10
     7.7 INTERNAL AUDIT INDEPENDENCE AND OBJECTIVITY ............................ 15
     7.8 PROFESSIONAL COMPETENCE ................................................ 18
     7.9 RESPONSIBILITIES OF THE INTERNAL AUDITOR ............................... 20
     7.10 INTERNAL AUDIT WITHIN A GROUP OR HOLDING COMPANY STRUCTURE ............ 20
     7.11 AUDIT PLAN ............................................................ 22
  8. OUTSOURCING ............................................................... 24
  9. RELATIONSHIP WITH THE SUPERVISORY AUTHORITY ............................... 25

BSD 854786

PRUDENTIAL STANDARD FOR INTERNAL AUDITING OF INSTITUTIONS LICENSED UNDER THE BANKING ACT

This Prudential Standard is issued by the Eastern Caribbean Central Bank (the Central Bank), in exercise of the powers conferred by section 184[1] of the Banking Act (hereinafter referred to as the Act).

  1. COMMENCEMENT

  This Prudential Standard shall come into effect on the 1st day of January 2020.

  2. DEFINITIONS

  The following terms are defined for the purpose of this standard:

  “Add Value” means that the internal audit function provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

  “Administrative Reporting” is the reporting relationship within the organisation’s management structure that facilitates the day-to-day operations of the internal audit function. Administrative reporting typically includes:
    a. Budgeting and management accounting.
    b. Human resource administration, including personnel evaluations and compensation.
    c. Internal communications and information flows.

  “Assurance Services” means an objective assessment of evidence for the purpose of providing an independent opinion or conclusions on governance, accounting processes, risk management, and control processes for the organisation. Examples may include financial performance, compliance, system security, and due diligence engagements.

[1] Section 183 of the Banking Act of Anguilla.

  “Audit Committee” is a committee established by the board of a financial institution with oversight responsibilities for both internal and external audit functions. It is responsible for oversight of the financial reporting process. The majority of members of this committee should be independent of the officers and have a working knowledge of accounting processes and procedures.

  “Chief Executive Officer” is the highest-ranking officer within the financial institution, who is responsible for carrying out the board’s directives and has responsibility for the overall management of its day-to-day affairs under the supervision of the Board of Directors.

  “Compliance” is the adherence to policies, plans, procedures, codes of conduct, laws, regulations, contracts, regulatory directives, or other requirements.

  “Conflict of Interest” refers to a real or apparent incompatibility between an entity’s or individual’s private interests and its or his/her public or fiduciary duties.

  “Consulting Services” means advisory and related client service activities, the nature and scope of which are agreed with the client, which are intended to add value and improve an organisation’s governance, risk management, and control processes without the internal auditor assuming officer responsibility. Examples include counsel, advice, facilitation, and training. The activities of consulting services are distinct from operational activities.

  “Financial Expert” is a person who has the following attributes, which must have been acquired through education and a minimum of seven (7) years’ experience:
    a. An understanding of International Financial Reporting Standards (IFRS) and financial statements;
    b. The ability to assess the general application of such principles in connection with the accounting for estimates, accruals and reserves;
    c. Experience preparing, auditing, analysing or evaluating financial statements that present a breadth and level of complexity of accounting issues that are generally comparable to the breadth and complexity of issues that can reasonably be expected to be raised by the registrant's financial statements, or experience actively supervising one or more persons engaged in such activities;
    d. An understanding of internal controls and procedures for financial reporting;
    e. An understanding of Audit Committee functions; and
    f. An understanding of financial risk management.

  “Functional Reporting” is the reporting relationship between the Head of Internal Audit and the Audit Committee. Functional reporting is distinct from administrative reporting. Functional reporting means that the Audit Committee would:
    a. Approve the overall charter of the internal audit function.
    b. Approve the internal audit risk assessment and related audit plan.
    c. Receive communications from the Head of Internal Audit on the results of the internal audit activities or other matters that the Head of Internal Audit determines are necessary, including private meetings with the Head of Internal Audit without officers present.
    d. Approve all decisions regarding the appointment or removal of the Head of Internal Audit.
    e. Approve the annual compensation and salary adjustment of the Head of Internal Audit.
    f. Make appropriate inquiries of officers and the Head of Internal Audit to determine whether there are scope or budgetary limitations that impede the ability of the internal audit function to execute its responsibilities.

  “Head of Internal Audit” is a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter, the Definition of Internal Auditing, and the Code of Ethics and International Standards for the Professional Practice of Internal Auditing. The Head of Internal Audit and others reporting to the Head of Internal Audit should have relevant[2] professional certifications/qualifications, and are expected to participate in continuing professional development from time to time.

[2] In fields such as accounting, auditing, risk management, computer science, information security, project management.

  “Independence” means the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

  “Independent Director” is a non-executive director who is free of any business or other relationships that would materially interfere with, or could reasonably be perceived to materially interfere with, the exercise of his unfettered decision making or independent business judgment pertaining to the interests of the institution.

  “Internal auditing” is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps the organisation accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

  “Internal Auditor” is an employee of a financial institution or independent third party who examines internal control procedures to ensure compliance with policies, procedures, contracts, laws and regulations and to ascertain that board directives and management policies are adhered to.

  “Objectivity” is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors’ judgement is not influenced by employers, other individuals or circumstances.

  “Officer” as defined by the Banking Act, means:
    a. A chief executive officer, chief operating officer, president, vice-president, branch manager, country manager, corporate secretary, treasurer, chief financial officer, chief accountant, chief auditor, chief investment officer, chief compliance officer or chief risk officer;
    b. Any other individual designated as an officer by its articles of incorporation or continuance, bye-laws or other constituent document, or resolution of the directors or members; or
    c. Any other individual who performs functions similar to those performed by a person referred to in paragraph (a), whether or not the individual is formally designated as an officer.

  “Outsource” means to enter into a contractual arrangement with a third-party service provider, where the service provider manages functions, business activities, processes or products that are, or could be, undertaken by the licensed financial institution.

  “Risk” refers to the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Risk as it relates to banking business is subdivided into six categories: credit, operational, market, liquidity, reputational and strategic risk. These risk categories each require their own risk management strategy.

  “Risk Management” refers to processes to identify, assess, manage, and control potential events or situations to provide a reasonable assurance regarding the achievement of the organisation’s objectives. While it is impossible for financial institutions to remove all risks from the organisation, it is important that they understand and manage the risks that they are willing to accept in the context of the bank’s overall corporate strategy. Officers of the financial institution are primarily responsible for risk management, and the internal audit function plays a critical role in the review of internal controls designed to manage these risks.

  “Significance” means the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.

  “Vested interest” means the right of beneficial interest in real or personal property (real property and personal property are not mutually exclusive), which may be deferred for enjoyment in future years.

  3. OBJECTIVES

  This Prudential Standard aims to:
    1. Provide a framework for performance and promotion of a broad range of internal audit activities;
    2. Outline best practices for a financial institution’s internal audit function;
    3. Establish the basis for measuring performance of the internal audit function; and
    4. Indicate how the internal audit function can improve the processes and operations of financial institutions.

  4. APPLICATION

  This Prudential Standard applies to all institutions licensed under the Banking Act. This Standard must be read in conjunction with the suite of Prudential Standards issued by the ECCB. All submission timeframes would be measured in calendar days.

  5. REPEAL

  The Guidelines for Internal Auditing of Institutions Licensed under the Banking Act which came into effect in May 2006 are hereby repealed.

  6. OVERVIEW

  The Institute of Internal Auditors defines internal audit as an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Although the necessity for objectivity and impartiality is of particular importance to internal auditors in a banking institution, this does not exclude the possibility that internal auditors may contribute to advisory and consultancy activity, if the independence of analysis and evaluations is ensured.

  The Board of Directors of the institution bears final responsibility for the application of an appropriate and effective system of internal control, a system for evaluating banking activity risk and risks concerning bank capital, and appropriate methods of monitoring compliance with laws, measures and internal procedures. The board is also responsible for risk management, proposing suitable internal control mechanisms and monitoring their adequacy and effectiveness. Likewise, the licensed financial institution's officers are responsible for drawing up procedures which identify, measure, monitor and control the risks facing the institution. Officers must ensure an organisational structure that clearly defines authority and responsibility.

  Internal audit provides the board with independent assurance on the effectiveness of the internal control systems. As such, it assists the Board of Directors in the effective performance of their responsibilities. The Board of Directors, officers and the internal auditor must ensure the independence and objectivity of the internal audit function and ensure that communication flows are unhindered (see Appendix).

  7. PRUDENTIAL STANDARD REQUIREMENTS

  7.1 FRAMEWORK FOR INTERNAL AUDITING

  To promote effective and efficient internal auditing, a financial institution must ensure that the structure and staffing of the internal audit function is commensurate with the size, complexity and risk profile of the financial institution. It is imperative that measures be implemented to maintain an internal audit function of high quality.

  7.2 OBJECTIVES OF INTERNAL AUDITING

  a) The principal objective of the internal audit function is to assist officers and the Board of Directors, through the Audit Committee, in the effective discharge of their responsibilities as follows:
    i) To ensure that internal control, governance and risk management systems are reviewed, improved and optimised in response to the environment within which the financial institution operates.
    ii) To provide reasonable assurance to officers, staff and the Audit Committee that significant risks in the financial institution are appropriately managed, with an emphasis on the effectiveness of internal controls.
    iii) To critically evaluate the process through which the values and goals are established and communicated.
    iv) To monitor the accomplishment of goals and objectives and to ensure that there is accountability.

  7.3 SCOPE

  The scope of the internal audit function should be articulated in the internal audit charter, which should clearly highlight the function’s authority. Internal audit should entail the review of all areas of the financial institution including systems, records, personnel and physical properties in order to satisfy the agreed upon engagement objectives, to appraise and report on the adequacy and effectiveness of internal control systems (that is, managerial, financial, operational and budgetary controls) and their reliability. The scope of the internal audit function shall encompass all divisions, branches and subsidiaries of the licensee, inclusive of activities outsourced to third parties. The actual areas to be reviewed by the internal auditors should be determined by a risk assessment of the internal control systems. The results of this assessment will guide the internal audit planning process. Officers must ensure that the internal auditors are updated on new developments, initiatives, products and operational changes to ensure they are kept fully informed.

  a) The scope of the internal audit function should also include reviews of the financial institution’s system for assessing the adequacy of its capital in relation to the estimate of risk to capital. This validation should be undertaken annually, at a minimum, to ensure that appropriate capital charges are commensurate with identified risk factors.

  b) The Internal Audit Department should also complete the review of the application and effectiveness of risk assessment methodologies and risk management procedures. This would involve the testing of internal controls implemented to mitigate specific risks and recommending adequate solutions where weaknesses are cited.

  c) The Internal Audit Department may review the performance and control mechanisms for outsourced functions. This would include competency and quality assurance assessments of the contracted party prior to the signing and implementation of any outsourced function. Assessments should also be conducted at various stages of the engagement.

  d) The scope should include a periodic analysis of all internal policies and procedures to ensure that they align with the minimum standards established by the Eastern Caribbean Central Bank (ECCB) as noted in the Banking Act, standards, and directives. This assessment should also review the institution’s response to areas for development cited by the ECCB and the progress made to remedy weaknesses.

  e) Without limiting the generality of the foregoing, the scope should also include:
    i) The examination and evaluation of the adequacy and effectiveness of internal control systems, including information technology controls, and the impact on annual and interim financial reporting. This should include:
      a. The reliability and integrity of financial and operational information systems;
      b. The effectiveness and efficiency of operations;
      c. Safeguarding of assets; and
      d. Compliance with policies, procedures, applicable laws, regulations, anti-money laundering and counter terrorist financing regulations and controls.
    ii) Appraising the efficiency and effectiveness of operations in the context of the operating environment;

    iii) Testing transactions and internal control procedures;
    iv) Analysing systems established to ensure compliance with legal, regulatory and supervisory requirements, codes of conduct, codes of best practices, international standards and the institution’s policies and procedures;
    v) Testing the reliability and timeliness of regulatory reporting;
    vi) Testing the record keeping mechanism to ensure that records are kept in storage for the statutorily prescribed timeframes;
    vii) Assessing the institution’s contingency plans in the event of business disruption; and
    viii) Conducting special investigations.

  7.4 THE AUDIT COMMITTEE

  a) The Audit Committee is a specialised committee of the Board of Directors. It reports to the Board of Directors in specific areas for which it has designated responsibility. The Board of Directors assumes ultimate responsibility for the work of the Internal Audit Department.

  b) The Audit Committee may invite the Head of Internal Audit, the Head of Compliance, officers (in particular the Chief Executive Officer) and other officials deemed relevant for the purpose of fulfilling its responsibilities to attend meetings of the committee. It is a sound practice that the Head of Internal Audit and members of the Audit Committee convene meetings in the absence of officers to discuss critical matters.

  7.5 RESPONSIBILITIES OF THE AUDIT COMMITTEE

  The Audit Committee should, inter alia, be charged with:

  a) Financial Reporting including disclosures:
    i) Monitoring the financial reporting process and its output;
    ii) Overseeing the establishment of accounting policies and practices by the institution and reviewing the significant qualitative aspects of the institution’s accounting practices, including accounting estimates and financial statement disclosures;
    iii) Monitoring the integrity of the institution’s financial statements and any formal announcements relating to the institution’s performance;
    iv) Reviewing significant financial reporting judgements contained in the financial statements;
    v) Reviewing arrangements by which staff may confidentially raise concerns about any possible improprieties including matters of financial reporting;
    vi) Reviewing half-yearly, annual and, if applicable, quarterly financial statements; and
    vii) Reviewing the external auditor’s opinion rendered with respect to such financial statements, including reviewing the nature and extent of any significant changes in accounting principles or the application thereof.

  b) Internal Control:
    i) Ensuring that officers establish and maintain an adequate and effective internal control system and processes. The system and processes should be designed to provide assurance in areas including reporting (financial, operational, risk), monitoring compliance with laws, regulations and internal policies and procedures, efficiency and effectiveness of operations and safeguarding of assets.

  c) Internal Audit:
    i) Monitoring and reviewing the effectiveness of the institution’s internal audit function, including its strategic focus;
    ii) Approving the internal audit plan, scope and budget;
    iii) Reviewing and discussing internal audit reports;
    iv) Ensuring that the internal audit function maintains open communication with officers, external auditors, the ECCB, other relevant supervisory authorities and the Audit Committee;

    v) Reviewing discoveries of fraud and violations of laws and regulations as reported by the Head of Internal Audit;
    vi) Approving the audit charter and code of ethics of the internal audit function;
    vii) Recommending to the board for its approval, the annual remuneration of the Head of Internal Audit and internal audit staff, including performance awards;
    viii) Assessing the performance of the Head of Internal Audit;
    ix) Recommending to the board for its approval, the appointment, re-appointment or removal of the Head of Internal Audit and key internal auditors. The licensed financial institution should communicate the reasons for removals to the ECCB;
    x) Respecting and promoting the independence of the internal audit function by ensuring that internal audit reports are without officers’ filtering and the Head of Internal Audit has direct access to the board or the board’s Audit Committee; and
    xi) Arranging for assessments of the internal audit function, which must be conducted once every five (5) years at a minimum, by a qualified, independent reviewer or review team from outside the organisation.

  d) Engagement of the External Auditor:
    i) Recommending a set of objective criteria for approving the external audit firm of the institution;
    ii) Recommending to the board or shareholders for their approval, the appointment, reappointment and removal of the external audit firm in accordance with section 60[3] of the Banking Act;
    iii) Recommending the remuneration and terms of engagement of the external audit firm;
    iv) Reviewing and monitoring the independence and objectivity of the external audit firm, and in particular the provision of additional services to the institution, including the related safeguards that have been applied to eliminate identified threats to independence or reduce them to an acceptable level;
    v) Implementing a policy on the engagement of an external audit firm for the supply of non-audit services, taking into account relevant ethical guidelines on the provision of non-audit services by the external firm;
    vi) Recommending to the board for approval, the total fees charged for the audit of the financial statements and for non-audit services provided by the external audit firm and external audit network firms to the institution and the components in its control;
    vii) Discussing with the external audit firm key matters arising from the external audit, and in particular any identified material weaknesses in internal control in relation to the financial reporting process;
    viii) Discussing the written representations the external audit firm is requesting from officers and, where appropriate, those charged with governance; and
    ix) Ensuring that the external auditor attends the annual general meeting or is available to answer questions from the shareholders regarding the audit.

  e) Remedial Actions:
    i) Ensuring that officers take the necessary corrective actions to address the findings and recommendations of internal and external auditors in a timely manner;
    ii) Addressing control weaknesses, non-compliance with policies, laws and regulations and other problems identified by the internal and external auditors; and
    iii) Ensuring that deficiencies identified by the ECCB and relevant supervisory authorities are remedied within an appropriate time frame and that progress of necessary corrective actions is reported to the Board of Directors.

[3] Section 59 in Anguilla Banking Act.

  7.6 COMPOSITION AND POWERS OF THE AUDIT COMMITTEE

  a) To ensure independence, members of the Audit Committee should be unaffiliated with management or ownership of the institution. The Audit Committee can more effectively fulfil its oversight responsibilities when a majority of the members are independent. The size of the committee should vary according to the size, complexity and risk profile of the financial institution, but should comprise a minimum of three directors, two of whom should be non-executive. The board shall review the composition of the Audit Committee annually.

  b) The Audit Committee must be chaired by an independent director with administrative experience. The Chairperson, with the assistance of the Corporate Secretary, is responsible for developing the committee’s agenda, directing the flow of business at committee meetings, and maintaining open lines of communication between members of the committee, officers and internal and external auditors.

  c) The committee must maintain and approve the minutes of all meetings.

  d) Each member should have the competency to interpret and analyse financial statements and reports; thus they shall have experience in Banking, Finance, Accounting or other related fields, at a management level. At least one member must have a background in finance, auditing, accounting or related financial management expertise.

  e) There should be the requirement for continuous professional development for members of the Audit Committee to keep abreast with developments in the industry, in particular control and reporting requirements.

  f) The committee, through the internal auditor, must have access to all data, personnel, systems and records and may order an investigation into irregularities disclosed in accounts, audits or other data generated by the activity.

  g) To ensure efficiency and transparency of the Audit Committee, the Head of Internal Audit, officers and the external auditor should not attend regular meetings of the committee. Attendance of those persons should only be by invitation from the Audit Committee, as required.

  h) The Audit Committee should meet at least once each quarter.

  7.7 INTERNAL AUDIT INDEPENDENCE AND OBJECTIVITY

  a) Independence

  The internal audit activity must be independent in substance and appearance. When assessing the independence of internal auditing, the financial institution should consider, among other things, the following:
    i) The financial institution’s internal audit activities should be independent of its daily operations and internal control processes;
    ii) In the performance of his/her duties, the internal auditor should be free from managerial or other interference in determining the scope of any internal audit, performance of related audit tasks, and direction of communication;
    iii) The internal auditor should not have a vested interest[4] in any area of the financial institution;
    iv) The Head of Internal Audit must report functionally via the Audit Committee to the board, which has responsibility for:
      - Approving the internal audit charter;
      - Approving the risk based internal audit plan;
      - Receiving communications from the Head of Internal Audit on the internal audit activity’s performance relative to its plan and other matters; and
      - Making appropriate inquiries of officers and the Head of Internal Audit to determine whether there are inappropriate scope or resource limitations.
    v) The Audit Committee should recommend to the board the appointment and termination of the Head of Internal Audit; and

[4] The individual should not hold five (5) percent or more shares, or at least should declare their shareholdings.

    vi) The Head of Internal Audit must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities. The Head of Internal Audit must report to the board of directors, at least annually, on the organisational independence of the internal audit activity.

  b) Objectivity

  Internal auditors should be impartial and unbiased in performing their duties.
    i) The Head of Internal Audit must disclose to the Audit Committee or the Board of Directors any situation that is likely to affect or might be perceived as affecting their impartiality;
    ii) The Head of Internal Audit should be removed or re-assigned in response to any perceived, actual, threatened or future bias;
    iii) Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest;
    iv) Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous audit year. Internal auditors may however provide advisory services relating to operations for which they had previous responsibilities; and
    v) Any assurance engagements for functions over which the Head of Internal Audit has responsibility must be overseen by a party outside the internal audit activity.

  c) Organisational Status of the Internal Audit Function
    i) The organisational status of the internal audit unit should be sufficient to permit the accomplishment of its audit responsibilities;
    ii) The Head of Internal Audit should have the authority to communicate directly, and on his/her own initiative, to the Board of Directors, the chairman of the Board of Directors, the members of the Audit Committee or the external auditors, in accordance with policies and procedures established by the financial institution; and
    iii) The Head of Internal Audit reports functionally to the Audit Committee and administratively to the Chief Executive Officer.

  d) The Audit Charter
    i) Each institution must establish an internal audit charter that articulates the purpose, authority and responsibility of the internal audit function within the institution in a manner that promotes an effective internal audit function.
    ii) The charter should be reviewed at least bi-annually by the Head of Internal Audit and approved by the Board of Directors through the audit committee. It should be available to all internal audit stakeholders of the organisation;
    iii) At a minimum, the internal audit charter should establish:
      a. The internal audit function’s standing within the institution, its authority, responsibilities and relations with other control functions in a manner that promotes the effectiveness of the stated functions of the internal audit unit;
      b. The purpose and scope of the internal audit function;
      c. The obligation of the internal auditors to communicate the results of their engagements and a description of how and to whom this should be done (reporting line); the reporting lines should maintain the internal auditor’s organisational status and promote independence and objectivity;
      d. The criteria for when and how the internal audit function may outsource some of its engagements to external experts;
      e. The terms and conditions according to which the internal audit function can be called upon to provide consulting or advisory services or carry out other special tasks;
      f. The responsibility of the Head of Internal Audit;
      g. A requirement to comply with international standards for the professional practice of internal auditing; and

   h. Procedures for the coordination of the internal audit function with the external auditor.
iv) The charter should empower the internal auditor, whenever relevant to the performance of his/her assignments, to initiate direct communication with any member of staff, to examine any activity or entity of the institution, and to have full and unfettered access to any records, files, data, personnel and physical property of the institution. This includes access to management information systems and records, human resources records and the minutes of all consultative and decision-making bodies.

7.8 PROFESSIONAL COMPETENCE

a) Professional Competence of Internal Auditors

i) Internal audits should be performed with proficiency and due professional care. The financial institution should ensure that the technical proficiency and educational background of internal audit staff are appropriate.
ii) The Head of the Internal Audit unit should possess at least a college/university degree in accounting, finance, management or any other financial management related course, in addition to some formal training in the practice of auditing. The Head of Internal Audit should be encouraged, where necessary, to pursue certification in auditing or accounting.
iii) The Head of Internal Audit should communicate to the Audit Committee the human resource skills needed to complement the unit. The Audit Committee, via the Board of Directors, is responsible for staffing the unit with adequately qualified and competent persons to effectively execute the audit function.
iv) The Head of the Internal Audit unit should ensure that internal auditors acquire appropriate ongoing training in order to meet the growing technical

complexity of the institution's activities and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes within banks and other developments in the financial sector.
v) Internal auditors collectively should be competent to examine all areas in which the institution operates. Alternatively, when outsourcing arrangements are in place, it is the responsibility of the Head of Internal Audit to maintain adequate oversight and to ensure adequate transfer of knowledge from the external experts to the institution's internal audit staff. The Head of Internal Audit should ensure that the use of those experts does not compromise the independence and objectivity of the internal audit function.

b) Professional Ethics

i) Integrity establishes trust, as it requires the internal auditor to be straightforward, honest and truthful. This provides the basis for reliance on the internal auditor's professional judgement.
ii) Internal auditors must respect the confidentiality of information acquired in the course of their duties. They must not use that information for personal gain or malicious actions, and should be diligent in the protection of information acquired.
iii) The Head of the Internal Audit unit and all internal auditors should avoid conflicts of interest. Internally recruited internal auditors should not engage in auditing activities for which they have had previous responsibility before a sufficiently long "cooling off" period of one (1) year at a minimum.
iv) Moreover, compensation arrangements should not provide incentives for internal auditors to act contrary to the attributes and objectives of the internal audit function.
v) Internal auditors should apply the institution's code of ethics, or should adhere to an established international code of ethics for internal auditors such as that of The Institute of Internal Auditors (IIA).

7.9 RESPONSIBILITIES OF THE INTERNAL AUDITOR

a) The internal auditor should comply with professional standards established by internationally recognised professional bodies such as the IIA. It is the responsibility of the Head of the Internal Audit function to:

i) Establish plans to carry out the duties of the internal audit unit;
ii) Develop written policies and procedures to guide the audit staff;
iii) Establish a programme for recruiting, developing and retaining the human resources of the internal audit function, to provide a credible challenge to the institution and to meet the requirements of the charter;
iv) Collaborate with the institution's external auditors to ensure that they complement each other;
v) Establish and maintain a quality assurance and improvement programme, in collaboration with the Audit Committee, to continuously evaluate the effectiveness of the internal audit function and its conformity with recognised standards on auditing;
vi) Maintain all working papers for seven years. These should adequately document all the work performed by the internal audit function, and support the findings, decisions and recommendations reached;
vii) Supervise the work of the audit support staff to ensure that they possess a level of technical competence appropriate to their assigned duties and adhere to established procedures; and
viii) Assist the board and senior management in protecting the assets, reputation and sustainability of the institution.

7.10 INTERNAL AUDIT WITHIN A GROUP OR HOLDING COMPANY STRUCTURE

a) To facilitate a consistent approach to internal audit across all licensed institutions within a banking organisation, the Board of Directors of each institution within a banking group or holding company structure should ensure that either:

i. The institution has its own internal audit function, which should be accountable to the institution's board and should report to the banking group or holding company's Head of Internal Audit; or
ii. The banking group or holding company's internal audit unit performs activities of sufficient scope to enable the board to satisfy its fiduciary and legal responsibilities.

b) The Board of Directors of each licensed institution in a group or holding company structure remains responsible for ensuring that the institution's officers establish and maintain an adequate, effective and efficient internal control system and processes. The board should also ensure that internal audit activities are conducted effectively according to the principles of this standard. The internal auditors who perform the internal audit work should report functionally to the institution's Audit Committee, or its equivalent, and to the group or holding company's Head of Internal Audit.

c) The Board of Directors and officers of the parent company have the overall responsibility for ensuring that an adequate and effective internal audit function is established across the banking organisation, and for ensuring that internal audit policies and mechanisms are appropriate to the structure, business activities and risk of all of the components of the group or holding company.

d) The Head of Internal Audit at the level of the parent company should define the group or holding company's internal audit strategy, determine the organisation of the internal audit function both at the parent and subsidiary institution levels (in consultation with these entities' respective Boards of Directors and in accordance with local laws), and formulate the internal audit principles, which include the audit methodology and quality assurance measures.

e) The group or holding company's internal audit function should determine the audit scope for the banking organisation.

7.11 AUDIT PLAN

a) The Creation of the Audit Plan

i) The Head of Internal Audit must prepare an annual audit plan which outlines the areas to be audited in the financial institution. The plan should establish priorities, set objectives and ensure the efficient and effective use of audit resources. The audit plan should be based on the terms of reference of the internal audit unit, be risk-based, and address all the relevant activities over a measurable cycle.
ii) The audit plan should be documented and approved by the Board Audit Committee, and be amended as necessary to take account of changing circumstances. All amendments should be approved by the Audit Committee.
iii) In developing the audit plan, the following steps should be included:
   a. Identify all auditable activities within the agreed scope of the internal audit;
   b. Conduct a risk assessment of these activities in conjunction with officers, classifying them into categories such as high, medium or low risk;
   c. Prepare an audit needs assessment based on the risk assessment performed;
   d. Develop an overall audit plan from the audit needs assessment to cover the risks identified;
   e. Identify and advise the Audit Committee of any mismatch between internal audit needs and actual resources;
   f. Complete all significant activities and systems in the period for which the plan is formulated. Ideally this should be annually;
   g. Communicate the overall and individual audit plans to the appropriate officers for their information and to the Audit Committee for approval, and amend as necessary; and
   h. Present the audit plans to the Audit Committee for approval.

b) Procedures

i) The engagement procedures should be covered in the audit plan. They should describe the objectives and outline the audit work necessary to achieve these objectives. The procedures should be flexible and risk-based. Matters of critical importance should be immediately communicated to the functional officers and the board.
ii) The audit report of each system/activity audited should be issued as quickly as possible to the head of the area audited, the Chief Executive Officer, the Audit Committee and relevant officers. The audit report presents the purpose and scope of the audit and includes the internal audit findings and recommendations, as well as the officers' responses.
iii) The Head of Internal Audit should ascertain that the agreed-upon action is taken on reported audit findings within the set timeframes. The Head of Internal Audit should also ascertain whether the action taken has had the expected results. The status of implementation or validation of recommendations should be reported to the Chief Executive Officer and the Audit Committee at regular intervals, quarterly at a minimum. The report should also capture the status of the implementation of recommendations from the external auditor. Officers should ensure that internal audit's concerns are appropriately addressed, in a timely manner.
iv) The Head of Internal Audit should also provide an annual report to the Chief Executive Officer (or the person holding this position) and the Audit Committee, based on a self-administered quality review of the internal audit function. An independent external assessment of the internal audit function is also recommended at least every five (5) years.

8 OUTSOURCING

a) If a financial institution decides to outsource select internal audit activities, the Board of Directors and officers of the institution are responsible for ensuring that both the system of internal control and the internal audit function operate effectively, and that the outsourcing is in accordance with section 53(7) of the Banking Act (footnote 5). Regardless of whether internal audit activities are outsourced, the Board of Directors remains ultimately responsible for the internal audit function.

b) Before a decision is made to outsource internal audit activities, the financial institution should consider the following:

i) The competence and reputation of the vendor;
ii) Management of the vendor's business;
iii) The system for maintaining communication between the internal audit activity, the Audit Committee and officers;
iv) The officers who would be responsible for liaising with the auditors and following up with departments on the implementation of recommendations made by the auditors. Enhanced measures should also be instituted to give the auditors a comprehensive understanding of the operations of the financial institution;
v) Contingency plans to address any unanticipated events;
vi) Scenarios, explored together with the outsourced service provider, which could impair independence and objectivity in the performance of the internal audit activity; and
vii) The cost effects of outsourcing the internal audit activity versus performing the activity internally, together with an assessment of the risks associated with outsourcing the activity, in part or in whole.

c) The institution should have a written contract (an engagement letter), which should cover at a minimum:

[5] Section 52(7) of the Anguilla Banking Act

i) Expectations and responsibilities under the contract for both parties;
ii) Scope and frequency of engagements;
iii) Fees;
iv) Scope of work;
v) Reporting requirements (type, frequency, to whom);
vi) The process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
vii) Ownership, access, location and archiving of internal audit reports and working papers;
viii) Terms for dispute resolution;
ix) Liability for the cost of damages arising from errors, omissions and negligence; and
x) Agreement that the outsourcing vendor will not perform officers' functions, make officer decisions, or act or appear to act in a capacity equivalent to that of any officer of the institution. The external auditor shall not perform internal audit activities as an outsourced vendor.

d) Licensees must ensure that outsourcing arrangements are in keeping with prudential standards issued by the ECCB.

e) It is recommended that officers of the financial institution should, in all cases, seek to have an in-house internal auditor and, where activities have been outsourced, that this should be limited and for a contractual period. Licensees must be able to explain the reasons for outsourcing specific internal audit activities.

9 RELATIONSHIP WITH THE SUPERVISORY AUTHORITY

a) Regulatory Reporting Requirements

Each institution shall submit to the ECCB:

i) Signed copies of the minutes of the Audit Committee within thirty (30) days after the end of the month in which the minutes were recorded;
ii) Internal audit reports/letters within fourteen (14) days after the end of the month in which the document was presented to the board;
iii) Any change to the Internal Audit Policies and Procedures Manual within fourteen (14) days after the end of the month in which the revised document was approved by the board; and
iv) Any changes to the Head of Internal Audit and/or senior internal auditors at least sixty (60) days prior to the appointment of the officer.

b) Liaising with the Supervisory Authority

i) The Head of Internal Audit will liaise with the ECCB to discuss internal control weaknesses identified during the conduct of his/her audits. Where major weaknesses are cited, they should be immediately brought to the attention of the ECCB.
ii) Each licensee is required to submit to the ECCB independent reviews done of the internal audit function to determine the effectiveness of the function. Each institution shall make available for inspection, upon reasonable request and notice from the ECCB, approved minutes of the Audit Committee.
iii) Regardless of the ECCB's assessment of the internal audit function, the ECCB may challenge the work of the internal auditors through the continuous supervision process, including on-site supervision.
iv) Each licensee shall make available all audit reports, working papers and supporting documentation to the ECCB during the conduct of on-site examinations.

APPENDIX

INTERNAL AUDIT FUNCTION'S COMMUNICATION CHANNELS (footnote 6)

References to support these communication channels for the internal audit function are provided in the Basel Committee on Banking Supervision's Core Principles and other relevant guidance issued by the Committee, the International Standards on Auditing (ISAs) issued by the International Auditing and Assurance Standards Board, and the standards of The Institute of Internal Auditors (The IIA), as indicated. The diagram does not reflect all of the communication channels for parties other than the internal audit function.

[6] Excerpt from The Internal Audit Function in Banks, Basel Committee on Banking Supervision, June 2012

- Basel Committee on Banking Supervision:
   o Core Principles for Effective Banking Supervision
   o Principles for Enhancing Corporate Governance
   o The Internal Audit Function in Banks
- IIA: International Standards for the Professional Practice of Internal Auditing:
   o IIA 1000 – Purpose, Authority, and Responsibility
   o IIA 1100 – Independence and Objectivity
   o IIA 1110 – Organisational Independence
   o IIA 1111 – Direct Interaction with the Board
   o IIA 2440 – Disseminating Results
- ISA:
   o ISA 260 – Communication with Those Charged with Governance
   o ISA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment
   o ISA 610 – Using the Work of Internal Auditors