ESB Internal Audit Charter
Board Policy Statement
ESB subscribes to best practice corporate governance. It is the policy of the Board of ESB to have and support a Group Internal Audit (GIA) function that operates to best international standards.
Scope and Authority
GIA is an independent, objective assurance and consulting function charged with reviewing company activities across all areas within ESB Group, as a service to the Board and management. It helps the organisation accomplish its objectives by examining and reporting on the management of risk, the adequacy of internal control and governance processes, and on the achievement of proper, efficient, and effective use of resources.
GIA derives its authority from the Board through the Audit & Risk Committee and the Chief Executive. The internal audit activity is authorised with full, free, and unrestricted access to any and all of ESB Group records, physical properties, and personnel including the Chairman, the Chief Executive and the Chair of the Audit & Risk Committee.
Organisation, Independence and Objectivity
The Group Internal Auditor will report functionally to the Chair of the Audit & Risk Committee and administratively to the Deputy Chief Executive and will meet regularly with the Deputy Chief Executive to discuss all audits.
GIA will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to support a necessary independent attitude. Internal auditors will have no direct operational responsibilities and will remain independent of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records for the activities audited, or engage in any other activity that may impair the internal auditor’s judgment.
Internal auditors will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors will make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments. GIA may rely on the work of other assurance and consulting service providers, having considered the basis of this reliance and the competency, objectivity, and due professional care of the service providers.
The Group Internal Auditor will confirm the organisational independence, and appropriate resourcing, of the internal audit activity to the Audit & Risk Committee on an annual basis.
It is management’s responsibility to manage risk and maintain effective controls. Management have the primary responsibility for prevention of fraud and for detecting and dealing with any fraud that may occur. Reporting of suspected fraud should comply with the ESB Anti-Bribery, Corruption and Fraud Policy and the ESB Whistleblowing & Protected Disclosures Policy.
Managers will proactively interface with auditors, respond to draft reports in accordance with agreed procedures and agree actions and timescales to rectify control weaknesses identified. Managers have responsibility to implement audit agreed actions in a timely manner.
Group Internal Audit Responsibilities
The scope of internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the organisation's governance, risk management, and internal controls as well as the organisation’s performance in achieving the stated goals and objectives. In fulfilling the role of independent re-assurance (‘third line of defence’) GIA will evaluate the following on a risk focused basis:
- governance processes.
- effectiveness of the organisation's risk management processes including risk exposure relating to achievement of the organisation’s strategic objectives.
- reliability and integrity of internal controls, management information and reporting and effectiveness of controls to safeguard the Group’s assets and interests.
- systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organisation.
- effectiveness and efficiency with which resources are employed.
- operations or programs, to ascertain whether they are consistent with the organisation’s strategies, objectives and goals, and are being carried out as planned.
- The audit programme and methodology should take due account of the possibility of fraud, and include investigation of fraud or suspected fraud.
In addition, GIA will strive to add value to the organisation by:
- performing advisory and consulting services, without prejudice to assurance responsibilities, where the engagement has the potential to improve governance, risk management and control or process organisation
- evaluating specific operations at the request of the Board or management, as appropriate
- considering trends, emerging issues, new insights and future impact
- ensuring the Group Internal Auditor consults with the external auditor.
Internal Audit Plan
Following consultation with Executive Directors and senior management, the Group Internal Auditor will agree a risk based annual audit plan with the Chief Executive prior to approval by the Audit & Risk Committee. The Group Internal Auditor will review and adjust the plan, as necessary, in response to changes in the organisation’s business and risks and communicate changes to senior management and the Audit & Risk Committee.
Reporting and Monitoring
A written report will be issued by GIA for each internal audit engagement and circulated to the manager(s) concerned, the relevant Executive Directors, the Group Finance Director and Deputy Chief Executive. GIA will be responsible for follow-up on timely implementation of audit recommendations and will report on progress and significant non-implementation to the Audit & Risk Committee. The Group Internal Auditor will periodically report to the Audit & Risk Committee and senior management on audit results, performance relative to the internal audit plan, GIA KPIs and results of external assessments of the function. Reporting will also include significant control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the Board.
The Group Internal Auditor will ensure that confidentiality and adherence to regulatory requirements, including the General Data Protection Regulation (GDPR), are maintained over audit reports and all information and records obtained in carrying out audits.
Quality Assurance and Improvement Programme
GIA conducts its activities in conformance with the International Standards for the Professional Practice of Internal Auditing (the Standards). The internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an evaluation of the internal audit activity’s conformance with the Standards, assess the efficiency and effectiveness of the internal audit activity and identify opportunities for improvement. The function will be subject to an external assessment every five years.
Staffing & Resources
GIA will be given the multi-disciplinary resources it requires to adequately discharge its responsibilities, including external specialist resources. Audit staff will have a recognised professional or third level qualification, or equivalent work experience. GIA is a vehicle for the development of staff with managerial potential. Business line management will provide support in the rotation of suitable staff into and out of the area.