The primary objective of Group-wide Internal Audit (‘GwIA’) is ‘to assist the Board, Group Executive Committee, Group Audit Committee (GAC) and Group Risk Committee (GRC) in protecting the assets, reputation and sustainability of the organisation through the assessment and reporting of the overall effectiveness of risk management, control and governance processes across the Group; and by appropriately challenging Executive Management to improve the effectiveness of those processes.’
GwIA activity is not restricted in scope in any way and it is empowered by the GAC to audit all parts of the Prudential Group and will have full access to any of the organisation’s records, physical properties and personnel. All employees are requested to assist GwIA in fulfilling its roles and responsibilities.
The Group Chief Internal Auditor (GCIA) is accountable to the GAC through a functional reporting line to the Chair of the Committee. The GCIA will periodically assess, and report to the GAC, on the continued adequacy of the function's mandate, independence, objectivity, authority, responsibility, resources and technical experience in order to enable it to accomplish its objectives.
GwIA Leadership Team
It is the responsibility of the GCIA to deliver the GwIA Mandate. In this regard the GCIA is supported by an organisational structure that includes a Leadership Team which comprises the appointed Audit Directors and other senior members of GwIA. The members of the Leadership Team are appointed by the GCIA.
The GwIA Leadership Team is responsible for all formal functional reporting requirements to the GAC and the Business Unit (BU) Audit Committees. The primary role of the Quality Assurance Director (QAD) is to monitor and evaluate adherence with all relevant IA standards of audit practice and GwIA audit methodology with the results of these assessments presented directly to the GAC.
4. Scope and Responsibility
The work of GwIA complements the wider Enterprise Risk Management framework of the Prudential Group in that it operates as a 'third line of defence' in the provision of independent and objective internal control assurance. The assessment of the adequacy and effectiveness of the Risk Management, Compliance and Finance functions is within the scope of GwIA and, as such, GwIA is independent of these functions and is neither responsible for, nor part of, them.
The scope of GwIA activities encompasses the examination and evaluation of the adequacy and effectiveness of the Prudential Group’s systems of governance, risk management and internal control and the quality of performance in carrying out assigned responsibilities within the context of protecting the assets, reputation and future sustainability of the organisation.
The scope of GwIA includes:
- An independent assessment of risk and the design and operational effectiveness of key policies, procedures and controls implemented to mitigate the risks identified. This includes those in place to ensure appropriate levels of adherence to applicable laws, regulations and requirements of regulators.
- An assessment of whether risk appetite has been established, embedded and adhered to within the activities, limits and reporting of the Group, and whether these have been reviewed through the active involvement of the Board, its Committees and Executive Management.
- An assessment of whether the information presented to the Board, its Committees and Executive Management for strategic and operational decision making fairly represents the benefits, risks and assumptions associated with the strategy and corresponding business model.
- An evaluation as to whether the Group’s internal governance, policies and supporting processes deliver appropriate outcomes, and that they are in line with the objectives, risk appetite and values of the Group. This includes an evaluation as to whether the design and control of products, services and supporting processes deliver appropriate customer outcomes.
- An assessment of the risk and control culture of the Group.
- An assessment of the modelling and management of the Group’s capital and liquidity risks, as well as evaluating the means of verifying the liabilities of the organisation.
- An assessment of the means of safeguarding and verifying policyholder assets as well as those of the Group; and that the assets of the two remain appropriately segregated.
- Key corporate events such as significant business process changes, the introduction of new products and services, outsourcing decisions and acquisitions/divestments to determine whether key risks are being adequately addressed and reported. GwIA will determine which events are sufficiently high risk to warrant involvement on a real time basis.
- Making objective and appropriate recommendations to improve the Group’s control environment and assist the business in achieving its strategies.
- Reporting significant matters arising to GAC and GRC.
- Providing assurance that issues raised are addressed and resolved to mitigate the risks reported on a timely basis.
All GwIA engagements will be conducted with proficiency and due professional care.
Internal Audit Plan of Coverage
The GCIA will submit at least annually an audit plan of coverage, related budget and resource plan to the GAC for review and approval. Individual BU audit plans will also be agreed with the relevant BU Audit Committee. The audit plan, including the frequency and method of audit cycle coverage, will be based on prioritisation of the identified 'audit universe' using an ‘Audit Needs’ risk-based methodology, incorporating input from GHO and BU stakeholders and will be subject to ongoing review to take account of emerging risks, specific events or changes in the structure or risk profile of the Group.
5. Independence and Objectivity
GwIA is committed to maintaining its independence and objectivity in the discharge of its responsibilities, and appropriate reporting lines are in place to support this goal:
- The GCIA reports all audit-related matters to the GAC and communicates directly with the GAC through attendance at its meetings, as well as attending those of each BU Audit Committee. The GCIA will also have direct access to the Chair of the Board and the Chair of the GAC, and will periodically meet with the GAC without the presence of management. For administrative purposes (strictly excluding all audit-related matters) the GCIA is a direct report of the Group Chief Executive Officer (CEO).
- The GCIA in consultation with the Group CEO is empowered to attend and observe all or part of Group Executive Committee (GEC) meetings and any other key management decision making as appropriate.
- Audit Directors report to the respective BU Audit Committee Chair and the GCIA, as functional head. Audit Directors, while recognising local legislation or regulation as appropriate, are responsible for setting budgets and remuneration, conducting appraisals and reviewing the audit plan. The GCIA will consider the independence, objectivity and tenure of the Audit Directors when performing their appraisals.
- GwIA staff are expected to exhibit the highest level of professional objectivity in carrying out their duties, must make a balanced assessment of all relevant circumstances, remain impartial and seek to avoid any professional or personal conflict of interest. GwIA staff will have no direct operational responsibility or authority over any business activity or personnel outside of the function. From time to time GwIA may be requested to provide consultancy services, which are advisory in nature, relating to the evaluation and improvement of the control environment. Where such services entail significant involvement with the business or result in the business instigating major changes to its processes or activities, the GwIA staff involved will only provide assurance services to that area where there is no perceived or actual conflict of interest, in accordance with the GwIA Conflict of Interest procedure.
6. Relationships with Other Assurance Functions
GwIA will consider, and where appropriate coordinate with, the work of other assurance functions within the Prudential Group (Risk, Compliance, Finance etc.) as well as requirements from external bodies such as the external auditors and the Group’s regulators when determining the level of Internal Audit activity in any business area.
Through the exercise of informed judgement, the GCIA and Audit Directors are responsible for determining how much reliance can be placed on the work of other assurance functions following a thorough evaluation of the effectiveness of that function in relation to the area under review.
GwIA will establish and maintain a close and continuous relationship with the Group’s regulatory authorities. In addition, GwIA will work closely with the external auditors and, where possible, align annual plans to ensure maximum reliance can be placed on the work of GwIA.
7. Reporting and Monitoring
In most instances a written and graded report will be prepared and issued following the conclusion of each assurance engagement and will be distributed as appropriate. The GCIA may authorise the issue of a non-opinion bearing report. Details of key audit results and any exceptions identified are reported to the GAC, GRC, GEC and BU Audit Committees.
GwIA will provide GAC, at least annually, an assessment, based on the audit work performed, of the overall effectiveness of the governance, and risk and control framework of the organisation, including a conclusion on whether the organisation’s risk appetite framework is being adhered to, together with an analysis of themes, recurring issues and root causes of the issues identified and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.
Through a standardised issues assurance process, GwIA will be responsible for monitoring and reporting the status of open audit findings to GAC and verifying the risks originally identified in audits have been appropriately addressed by management.
8. Standards of Audit Practice
The GwIA function will adhere to the Institute of Internal Auditors (IIA) requirements as set out in the IIA's 'Code of Ethics' and 'International Standards for the Professional Practice of Internal Auditing', the Chartered Institute of Internal Auditors’ (CIIA) revised guidance, ‘Effective Internal Audit in the Financial Services Sector’ (CIIA Code) and other relevant regulatory requirements. GwIA will conduct itself in accordance with standards, policies and practices as set out in the GwIA Procedures Manual, and will carry out its audit work in accordance with the GwIA Methodology.
The GCIA will ensure that the audit team has the skills and experience commensurate with the risks of the organisation. Where appropriate, independent internal or external technical specialists will be engaged to supplement the core team, and quality assurance and improvement practices. Where GwIA uses external resource, either to alleviate temporary resource constraints or to provide access to particular specialisms, such resource will be required to comply with the Charter and policy.
9. GwIA Performance Indicators
The GAC will assess the effectiveness and performance of GwIA using several performance measures / indicators, including appraisal of the ongoing internal Quality Assurance Improvement Programme, as well as obtaining an objective independent assessment of the effectiveness and performance of GwIA. These assessments ensure that the function maintains conformance with all relevant Internal Audit standards of audit practice, is adequately resourced, free from constraint and has the appropriate standing within the Group.
Reviewed and approved by the Group Audit Committee on 29 October 2019.