Internal Audit Charter

Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve the Group operations. It helps the Group accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The purpose, authority, and responsibility of the Internal Audit Function should be defined in a formal written document (charter). The Group Head of the Internal Audit should seek approval of this document from the GBAC.
Internal auditing is a vital part of the Group and functions in accordance with the policies established by the Board of the Group. Each Unit of the Group is expected to have an Internal Audit Function, even if local authorities do not require it. Internal auditing is an independent appraisal function established within the Group to examine and evaluate its activities as a service to the Board of each Unit, and ultimately to the Board of the Group. The findings arising from the performance of this function, are highly relevant to the management of each Unit and the Group. The internal auditors must have a high degree of independence and must not be assigned duties or engage in any activities that they would normally be expected to review or appraise.
Group Internal Audit adheres to the standards of best professional practice, such as those published by the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) and relevant requirements of the Central Bank of Bahrain related to the Internal Audit Function.
The appointment, removal and evaluation of the Group Head of Internal Audit is the sole responsibility and discretion of the Group Board Audit Committee. They should collaborate with Senior Management to determine which competencies, qualifications, and experience the Group expects in the Group Head of Internal Audit position. Also, they should study the details of the candidates, make a shortlist of a number of the candidates based on interview results, and decide on a candidate it deems fit for the job. A written approval from the CBB must be obtained prior to their appointment.
The Group Board Audit Committee must ensure that the Group Head of Internal Audit is a person of integrity. This means that he/she will be able to perform his/her work with honesty, diligence and responsibility. It also implies that this person observes the law and has not been a party to any illegal activity.
The Group Head of Internal Audit will be the secretary to the GBAC. As per the agreed annual schedule, or at the request of the Chairman of GBAC, he/she will make invitations to all members of the Committee. After acceptance of the invitation by the majority of the members, he/she will propose an agenda for the meeting. Once the agenda agreed, he/she will prepare a file containing details of each agenda at least 10 calendar days prior to the meeting. He/she is responsible to draft the minutes of the meeting and submit it to all members for their initial approval not later than 7 calendar days after the meeting. Once the initial approval is obtained from majority of the members, he/she should sign it and submit it to the Secretary of the Board for submission to the Board in its next meeting.
Purpose
The purpose of the Internal Audit Function is to strengthen the Group’s ability to create, protect, and sustain value by providing the Group Board Audit Committee and Senior Management with independent, risk-based, and objective assurance, advice, insight, and foresight.
The Internal Audit Function enhances the Group’s:

Successful achievement of its objectives.

Governance, risk management, and control processes.

Decision-making and oversight.

Reputation and credibility with its stakeholders.

The Group’s Internal Audit Function is most effective when:

Internal auditing is performed by competent professionals in conformance with The IIA’s Global Internal Audit Standards.

The Internal Audit Function is independently positioned with direct accountability to the Audit Committee.

Internal auditors are free from undue influence and committed to making objective assessments.

Mission & Objectives
The mission of the Internal Audit Function is to assist the Group Board Audit Committee and the Senior Management of the Group in the effective discharge of their responsibilities. It will aim to furnish them with analyses, appraisals and recommendations concerning the activities reviewed by the Function. A further global objective is to promote effective controls at reasonable costs. The overriding objectives of the Group Internal Audit Function includes the following:

To provide an independent and objective assurance to the Board of Directors and Senior Management on the quality and effectiveness of the Bank’s internal control, risk management and governance systems and processes and to protect the Bank and its reputation.

To provide the Group Board Audit Committee and Senior Management a view on the function of the internal audit departments in each Unit to ensure it exists and it is functioning effectively.

To provide the internal audit departments of each Unit assistance so that they can provide the Management and the Board of the Unit and of the Group with independent, objective evaluations of operations, policies, procedures and controls.
The Group Head of Internal Audit will be positioned at a level in the Group that enables internal audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the Internal Audit Function. (See “Mandate” section.) The Group Head of Internal Audit will report functionally to the Group Board Audit Committee and administratively (for example, day-to-day operations) to the GCEO. This positioning provides the organizational authority and status to bring matters directly to Senior Management and escalate matters to the Group Board Audit Committee, when necessary, without interference and supports the internal auditors’ ability to maintain objectivity.

Internal auditors should be independent of the activities they audit and they must therefore be permitted to carry out their work freely and objectively. This means that the internal audit is independent of all functions including compliance, risk management and financial control functions. The Internal Audit Function must also have sufficient standing and authority within the Group and must operate according to sound principles. Independence permits internal auditors to render an impartial and unbiased judgment essential to the proper conduct of audits.

Internal audit reports must be provided to the Group Board Audit Committee without Senior Management filtering.

The Group Board Audit Committee must ensure that the Internal Audit Function is able to discharge its responsibilities in an independent manner, consistent with CBB rules relating to Internal Audit Function independence. It must review and approve the audit plan, its scope, and the budget of the Internal Audit Function. It must also review audit reports and ensure that Senior Management is taking necessary and timely corrective actions to address control weaknesses, compliance issues with policies, laws and regulations, and other concerns identified and reported by the Internal Audit Function.

The status of the Group and Local Unit Internal Audit Function should be sufficient to permit the accomplishment of their audit responsibilities. The Group Head of the Internal Audit should have sufficient authority to promote and maintain independence and to ensure Group Board Audit Committee coverage, adequate proper appreciation of audit reports, and appropriate action on audit recommendations.

The Group Head of Internal Audit will confirm to the Group Board Audit Committee, at least annually, the organizational independence of the Internal Audit Function, If the governance structure does not support organizational independence, the Group Head of Internal Audit will document the characteristics of the governance structure limiting independence and any safeguards employed to achieve the principle of independence. The Group Head of Internal Audit will disclose to the Group Board Audit Committee any interference internal auditors encounter related to the scope, performance, or communication of internal audit work and results. The disclosure will include communicating the implications of such interference on the Internal Audit Function’s effectiveness and ability to fulfill its mandate.
Internal Audit shall not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the Group Internal Audit Function must not prevent Senior Management from requesting input from the Group Internal Audit Function on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls must remain the responsibility of management.

Objectivity is an independent mental attitude, which internal auditors should maintain in performing audits.

The staff of the internal audit department of the Group shall every year sign a testimony of their independence and declare any conflict of interests, financial or otherwise.
Difference in opinions between the Group internal audit department and local management of the units shall be finally resolved and referred to the GBAC.
The Internal Audit Function’s authority is created by its direct reporting relationship to the Group Board Audit Committee. Such authority allows for unrestricted access to the Group Board Audit Committee including in private meetings without Senior Management present.

The Group Board Audit Committee empowers the Internal Audit Function to:

Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out internal audit responsibilities at Group and Unit level. Internal auditors are accountable for confidentiality and safeguarding records and information.

Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives, according to the approved audit plan.

Obtain assistance (Before, during, and after the audit engagement) from the necessary personnel of the Group and other specialized services from within or outside the Group to complete internal audit services including access to resources within Internal Audit Functions of each Unit.

Group Structure
The Group Internal Audit Function structure will follow the Group structure where all departments are decentralized and Subsidiaries works on a standalone basis with their own legal entities/set up and boards. The structure of each department is approved and set by the local function which reports directly to their local audit committee. In addition, the appointment, removal and evaluation of head of Internal Audit of each Al Baraka Subsidiary banks (Unit) is at the discretion of the Audit Committee of the respective Unit. However, such appointment should be subject to consultation with the Group Head of Internal Audit.

Due to legal restrictions, no direct reporting between the Local and Group Internal Audit is permitted. Alternatively, the Group Internal Audit will observe the Local Internal Audit units performance through monitoring achievement of Local Internal Audit KPIs set by the Group, review of local internal audit policies and procedures, consultations and etc.
Additionally, the Group representatives on the Unit Board of Directors, specifically on the Audit Committee, are required to inform the Group Head of Internal Audit of the following:

Any Fraud cases that come to their attention (within 1 month);
Any major and substantial audit or regulatory/external third-party findings that require the Group Head of Internal Audit to be aware of;
Audit Committee meeting minutes, if requested; and
Major deficiency in the performance of the Local Internal Audit department.

Major irregularities or fraud should also be reported to the Group Head of Internal Audit by the local head.

The role of both Group Internal Audit and local subsidiaries internal audit functions are different as follows:

Local Internal Audit Function	Group Internal Audit Function
Scope of work is comprehensive.	Scope of work is limited to key risk areas on a high-level basis.
Comfort obtained is to serve both local stakeholders and Group shareholders	Comfort obtained to serve the Group shareholders and to add value to the Units.
Coverage is wider in terms of sampling, time taken to perform the audit, number of staff and level of details required to be covered.	Coverage is narrower in terms of sampling, time taken to perform the audit, number of staff and level of details required to be covered.
The sampling selection can be judgmental or statistical depending on the assurance required and audit objective to meet. The local internal audit function is required to follow the IIA for this matter where it can choose between judgmental or statistical sampling. However, the selection of the samples should reduce the sampling risk and ensure reasonable assurance is provided on the audit objective.	The sampling selection criteria is more judgmental and limited to the operating model of the Group Internal Audit Function (decentralized) and the assurance the Function can provide with this type of operating model. The Group Internal Audit Function may use Sarbanes Oxley Act 2002 sampling method or any other judgmental sampling. However, the coverage and samples selected are only to provide overall comfort on the audit objective and not reasonable assurance that the objective is met. Therefore, the sampling risk will always exist.
The local internal audit function will report directly to the local audit committee.	The Group Internal Audit Function will report directly to the Group Board Audit Committee.

Group Internal Audit Strategy
The Group Head of Internal Audit must establish a group internal audit strategy through developing annual key performance indicators (KPIs) for the internal audit departments in the Group Units. Such KPIs are set after being aligned with the Group strategic objectives approved by ABG board. Hence the Group internal audit strategy will ensure that the KPIs as explained in section 4.8 will satisfy the needs of the ABG strategic objectives.

In order to align the local internal audit functions with the Group internal audit direction, the Group Internal Audit Function will establish on a yearly basis Group Key Performance Indicators. Such indicators should be circulated to the heads of the local internal audit functions and the performance is reviewed on a yearly basis against those Indicators. The evaluations report of the performance will be shared with the Group Board Audit Committee, the chairman of the local internal audit function and also the local internal audit head of the function.
At least annually, the Group Head of Internal Audit will submit to Group Board Audit Committee an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/ calendar year.
The internal audit plan will be developed based on prioritization of the audit universe using a risk-based methodology, including input of Senior Management and the Group Board Audit Committee if any. The Group Head of Internal Audit will review and adjust the scheduled audits and the number of staff allocated for each audit as per the audit plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, controls and other administrative changes.
The Group Head of Internal Audit Function can include an additional audit of Unit, cancel a scheduled audit as per the approved audit plan, or change the scope in response to new information and changes, such changes must be communicated to the audit committee either through circulation or in the next Group Board Audit Committee meeting.
To accomplish the objectives stated above, the Group Internal Audit Function, will perform the followings;

Develop a risk-based internal audit plan. The plan will cover audit of each Unit and departments within ABG taking into consideration the goals and objectives of the Group. This plan addresses two key areas: risk assessment results and internal audit resources. This plan should be submitted annually to the Group Board Audit Committee for its prior approval.

Review of policies and procedures.

Review the systems established to ensure compliance with these policies, plans, procedures, guidelines, which could have a significant impact on operations.

Review the adherence to these group policies and procedures, and to codes of conduct.

Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.

Appraise the economy and efficiency with which resources are employed.

Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

Assess and evaluate the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.

Providing independent appraisals and recommendations regarding the ability of the reviewed Unit to comply with applicable policies, plans, procedures, laws, and regulations with the aim of adequately safeguarding assets; using resources economically and efficiently; and accomplishing established objectives and goals through:

Conducting or participating in audits of profit and support centers within Head Office and at each Unit. The audit scope based on the risk assessment may include the following:

Risk Assets reviews. This covers mainly credit review of financing portfolio on sampling basis, which includes credit transactions / financings to Corporate, financings to Small & Medium entities, Retail financings, exposures to Financial Institutions, Sovereign exposures, Sukuks, Investment & Trading portfolios if any. This also includes the review of Trade Finance activities, Letter of Guarantees and other Commitments and other banking services. This also covers the operational control aspects relating to processing and monitoring of these facilities / transactions. It also covers review of credit process. Horizontally, the review covers the whole cycle from initiation (the approval process) till expiry (repayments) of these transactions.

Internal Controls within the Unit as a whole and other Support department. It may include review of the internal audit function, internal control function, financial control, risk management function, and others. But it does not cover the work of HR and Admin department, unless a need arises.

IT Audit. This audit is carried out by an IT auditor, who is part of the internal audit team of ABG. The review is based on best practice controls and the basic standards of ISO/17799/2700x. It covers the review of controls in the core-banking system, and any other separate ancillary system used, such as HR system, Trade Finance, E-Banking services, Windows, PCs, Internet, and the website of the unit. A separate audit report for this is issued.

Corporate Governance & Compliance Audit. As part of the audit, a review of corporate governance practices and compliance to regulations is carried out. This will cover; Corporate Governance best practices, and a review of the compliance to Local regulations, CBB regulations, UN regulations, and international practices for the prevention of money laundering and financial crimes. This will cover regulations issued by OFAC of USA and the EU, the purpose of which is to distance the group from any possible accusation of non-respect to these regulations, which could lead to prevent the group from dealing in the currencies of these countries. The work will cover in particular regulations relating to AML/CFT, Sanctions, FATCA, and any similar new regulations such as the new CRTs.

Risk Management. This will cover a review to evaluate the governance of the Board Risk Committee and the Risk management function of each unit.

Site audit visits of branches. Branches can be visited based on risk assessment on site for audit purpose.

Conducting special audits or special consultations/reviews requested by the Board of the Unit, by the Board of the Group, or by the GCEO. Such types of assignments will be conducted if they do not interrupt the already scheduled audits as per the internal audit plan leading to cancelation of any already scheduled audit already approved by the audit committee. If such request will lead to cancelation of any audit assignment, the approval of the audit committee must be obtained.

Investigating reported or suspected occurrences of fraud, embezzlement, theft, waste, and otherwise, and recommending controls to prevent and/or detect such occurrences.

Providing independent appraisals with recommendations regarding resource sharing, with an emphasis on program results and the economic and efficient use of resources.
The Internal Audit Function should be available to carry out consulting services needed by the Group Board, Group Board Audit Committee, or by Senior Management. Prior approval for significant consulting services requested by Management should be obtained from the Chairman of the Board Audit Committee.
Consulting services are advisory in nature and are generally performed at the specific request of the Board/Management.
The nature and scope of advisory services may be agreed with the party requesting the service, provided the Internal Audit Function does not assume management responsibility.
The Group Head of Internal Audit/coordinator must maintain adequate oversight and ensure that any outsourcing providers comply with the principles of the Group’s internal audit charter.
To preserve independence, the Group Head of Internal Audit/coordinator must ensure that the outsourcing provider has not been previously engaged in a consulting engagement in the same area within the Group unless a one-year “cooling-off” period has elapsed.
Subsequently, those experts who participated in an internal audit engagement must not provide consulting services to a function of the Group/Unit they have audited within the previous 12 months. Additionally, the Group must not outsource internal audit activities to its own external audit firm.
The Group Board Audit Committee remains ultimately responsible for the Internal Audit Function regardless of whether internal audit activities are outsourced.
The Group Head of Internal Audit will develop, implement, and maintain a quality assurance and improvement program that covers all aspects of the Group Internal Audit Function. The program will include external and internal assessments of the Internal Audit Function’s conformance with the Global Internal Audit Standards, as well as performance measurement. The program also will assess, if applicable, compliance with laws and/or regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to address the Internal Audit Function’s deficiencies and opportunities for improvement.

1.01.13.1 Evaluating the Internal Audit Function Performance

The Group Head of Internal Audit should establish a Key Performance Indicators (KPIs) to be approved by the Group Board Audit Committee. These indicators are the key component for performance measure on the Group and Local Units Internal Audit Functions. KPIs helps the Head of Internal Audit to assess the Internal Audit Function’s progress toward the achievement of its KPIs objectives and promotion of continuous improvement of the Group and Units Internal Audit Function.

The Group Head of Internal Audit should communicate/report the results of KPIs performance measurements/evaluation to the Group Board Audit Committee on annual basis.

1.01.13.2 Internal Quality Assessment

The Group Head of Internal Audit will develop and conduct internal assessments of the Internal Audit Function’s conformance with the Global Internal Audit Standards and progress toward performance objectives.
Internal assessment must include:

Ongoing monitoring of the performance of the internal audit activity.

Periodic self-assessments to evaluate conformance with the Standards.

The results of internal assessment will be communicated with the Group Board Audit Committee and the Senior Management including action plans to address instances of nonconformance with the Standards and opportunities for improvement, as well as a proposed timeline for actions.

Disclosure will be made to the Group Board Audit Committee and Senior Management in case the nonconformance with the standards affects the overall scope or operation of the Internal Audit Function.

1.01.13.3 External Reviews

The Group Internal Audit Function should be reviewed by an external consultant, who is not the external auditor of the Group, once every five years. Before the start of such assignment, the Group Board Audit Committee should approve the appointment.

It is also highly recommended that each Unit’s management make the same arrangement from an external advisor who is not their auditor, to have a plan for review of the effectiveness of the Local Internal Audit Function.
To enhance the oversight role of the Group Internal Audit and to be up to date with the latest developments in the Units with regards to auditing matters, it is important that the Group Internal Audit Function participate in the meetings of the audit committee of the Units. The Group Head of the Internal Audit or his/her representative may participate in such meetings as observers only either in-person or remotely. The Group Internal Audit is not responsible for any decision taken during such meetings as the committees have their own chairman and voting members who are the ultimate approval authority. The frequency of the participation in such meetings may also consider the risk of over familiarity with the Unit leading to possible impairment of independence. The balance of this factor and other important factors that may outweigh this risk may also be considered. The professional judgement and experience with the subsidiary are a key component to the decision taken.
The Internal Audit Function and the external auditors should coordinate their activities to increase efficiency and minimize duplication of efforts where it is possible and applicable. Procedures for the coordination between the Internal Audit Function and external auditor as follows:

Internal Audit can work with external auditors only if such joint effort can lead to increasing the time available to the Internal Audit Function or increase the audit coverage to lower the risks of fraud or misstatement. Joint audit is allowed for such purpose only with the approval of the Group Board Audit Committee. Joint audit only allowed if the time saving from such approach lead to reduction in audit fees charged by the external auditor and does not materially impact the risk assessment performed by the internal audit for the year.

Internal Audit Function may rely on work performed by external auditors if such reliance can lead to time saving enabling the internal audit additional time to focus on other areas. Such approach if adopted must be first approved by the Group Board Audit Committee.

Once the Group Board Audit Committee accepts to adopt any of the above strategies, the internal audit must provide a plan to the Committee on the potential changes.
Adequate, relevant, complete and accurate records of information should be maintained which can be easily retrieved by those with a legitimate right of access. Also, information records should be secured from unauthorized alteration and that access is properly controlled. The Internal Audit Function should follow the Group policy and local rules and regulations with regards to retention of records. Team leaders are responsible for ensuring that this policy is complied with. Individual auditors must ensure that they keep appropriate records of their work and manage those records effectively.
The Internal Audit Function must be accountable to Group Board Audit Committee, on all matters related to the performance of its mandate as described in the internal audit charter.
Senior Management:
Senior Management of the Group & ABG Units are responsible to design, select, implement and operate internal audit control measures. In addition, they are responsible to implement agreed upon action plans in a timely manner.
Group Internal Audit Function:
The Group Head of Internal Audit is responsible to communicate the results of internal audit services to the Group Board Audit Committee and Senior Management quarterly and for each engagement as appropriate. Also, the Group Head of Internal Audit should inform Senior Management of all significant findings so that timely corrective actions can be taken. Subsequently, he/she should conduct a quarterly follow up on outcomes of these significant findings to ensure timely implementation and report such status to Senior Management and Group Board Audit Committee.
The Group’s Internal Audit Function will adhere to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, which are the Global Internal Audit Standards and Topical Requirements. The Group Head of Internal Audit will report periodically to the Audit Committee and Senior Management regarding the Internal Audit Function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.
Internal Auditors must maintain and continually develop their competencies to improve the effectiveness and quality of internal audit services.
The Group Head of Internal Audit should arrange appropriate ongoing training for the internal audit staff to meet the growing technical complexity of the Group’s activities and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes and other developments in the financial sector.

We use cookies to improve your experience on the website as they enable you to enjoy certain features on the website such as messages tailored to your needs. They also help us understand how the site is being used so that we can continuously improve it. Find our more and set your cookie preference here. By continuing to use our website you consent to using cookies.