Internal Audit Charter
Issued: October 2025
Purpose
The purpose of the Internal Audit function is to strengthen Principality Building Society’s ability to create, protect, and sustain value by providing the Audit Committee and management with independent, risk-based, and objective assurance, advice, insight, and foresight. The Internal Audit function enhances Principality Building Society’s:
- Successful achievement of its objectives.
- Governance, risk management, and control processes.
- Decision-making and oversight.
- Reputation and credibility with its stakeholders.
- Ability to serve the public interest.
Principality Building Society’s Internal Audit function is most effective when:
- Internal Auditing is performed by competent professionals in conformance with The IIA’s Internal Audit Standards and Internal Audit Code of Practice, which are set in the public interest.
- The Internal Audit function is independently positioned with direct accountability to the Audit Committee.
- Internal Auditors are free from undue influence and committed to making objective assessments.
Commitment to adhering to the Internal Audit Standards
The Principality Building Society’s Internal Audit function will adhere to the mandatory elements of the Institute of Internal Auditors' International Professional Practices Framework (IPPF), which include the Internal Audit Standards (the ‘Standards’) incorporating the Topical Requirements. The Chief Internal Auditor will report annually to the Audit Committee regarding the Internal Audit function’s conformance with the Standards, which will be assessed through a quality assurance and improvement program.
Authority
The Principality Building Society’s Audit Committee grants the Internal Audit function the mandate to provide the Audit Committee and senior management with objective assurance, advice, insight, and foresight. The Internal Audit function’s authority is created by its direct reporting relationship to the Audit Committee. Such authority allows for unrestricted access to the Board and Audit Committee (where appropriate). However, in any instances where highly sensitive information is required, Internal Audit will work alongside the Chief Executive and Audit Committee Chair to ascertain the most appropriate means to share / corroborate the information for the specific requirement. All Principality’s people must co-operate fully with, and support, Internal Audit so that deadlines for the specific requirement can be met. The Audit Committee authorises the Internal Audit function to:
- Have full and unrestricted access to all functions, data, records, information, physical property, and personnel pertinent to carrying out Internal Audit responsibilities. Internal Auditors are accountable for confidentiality and safeguarding records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques, and issue communications to accomplish the function’s objectives.
- Obtain assistance from the necessary personnel of Principality Building Society and other specialised services from within or outside Principality Building Society to complete Internal Audit services.
- All the Principality’s people must co-operate fully and support Internal Audit so that deadlines for completing Internal Audit work and issuance of Internal Audit reports to the Audit Committee are met.
- Internal Audit Team Members are personally accountable for safeguarding and using appropriately any information to which they are given access.
Independence, organisational position and reporting relationships
The Chief Internal Auditor will be positioned at a level in the organisation that enables Internal Audit services and responsibilities to be performed without interference from management, thereby establishing the independence of the Internal Audit function. The Chief Internal Auditor will report functionally to the Audit Committee and administratively (for example, day-to-day operations) to the Chief Executive. This positioning provides the organisational authority and status to bring matters directly to senior management and escalate matters to the Audit Committee, when necessary, without interference and supports the Internal Auditors’ ability to maintain objectivity.
The Chief Internal Auditor will confirm to the Audit Committee, at least annually, the organisational independence of the Internal Audit function. If the governance structure does not support organisational independence, the Chief Internal Auditor will document the characteristics of the governance structure limiting independence and any safeguards employed to achieve the principle of independence. The Chief Internal Auditor will disclose to the Audit Committee any interference Internal Auditors encounter related to the scope, performance, or communication of Internal Audit work and results. The disclosure will include communicating the implications of such interference on the Internal Audit function’s effectiveness and ability to fulfill its mandate.
Changes to the charter
Circumstances may justify a follow-up discussion between the Chief Internal Auditor, Audit Committee, and senior management on the Internal Audit mandate or other aspects of the Internal Audit charter. Such circumstances may include but are not limited to:
- A significant change in the Internal Audit Standards.
- A significant acquisition or reorganisation within the organisation.
- Significant changes in the Chief Internal Auditor, Audit Committee, and / or senior management.
- Significant changes to the organisation’s strategies, objectives, risk profile, or the environment in which the organisation operates.
- New laws or regulations that may affect the nature and / or scope of Internal Audit services.
Audit Committee oversight
To establish, maintain, and ensure that Principality Building Society’s Internal Audit function has sufficient authority to fulfil its duties, the Audit Committee will:
- Discuss with the Chief Internal Auditor and senior management the appropriate authority, role, responsibilities, scope, and services (assurance and / or advisory) of the Internal Audit function.
- Ensure the Chief Internal Auditor has unrestricted access to, and communicates / interacts directly with the Audit Committee, including in private meetings without senior management present.
- Discuss with the Chief Internal Auditor and senior management other topics that should be included in the Internal Audit Charter.
- Participate in discussions with the Chief Internal Auditor and senior management about the “essential conditions” described in the Internal Audit Standards, which establish the foundation that enables an effective Internal Audit function.
- Approve the Internal Audit function’s Charter, which includes the Internal Audit mandate and the scope and types of Internal Audit services.
- Review the Internal Audit Charter annually with the Chief Internal Auditor to consider changes affecting the organisation, such as the employment of a new Chief Internal Auditor or changes in the type, severity, and interdependencies of risks to the organisation; and approve the Internal Audit charter annually.
- Approve the risk-based Internal Audit plan.
- Approve the Internal Audit function’s human resources administration and budgets.
- Approve the Internal Audit function’s expenses.
- Collaborate with senior management to determine the qualifications and competencies the organisation expects in a Chief Internal Auditor, as described in the Internal Audit Standards.
- Authorise the appointment and removal of the Chief Internal Auditor.
- Approve the remuneration of the Chief Internal Auditor.
- Review the Chief Internal Auditor’s performance.
- Receive communications from the Chief Internal Auditor about the Internal Audit function including its performance relative to its plan.
- Ensure a quality assurance and improvement programme has been established and review the results annually.
- Make appropriate inquiries of senior management and the Chief Internal Auditor to determine whether scope or resource limitations are inappropriate.
Chief Internal Auditor roles and responsibilities
Ethics and Professionalism
The Chief Internal Auditor will ensure that Internal Auditors:
- Conform with the Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
- Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organisation and be able to recognise conduct that is contrary to those expectations.
- Encourage and promote an ethics-based culture in the organisation.
- Report organisational behaviour that is inconsistent with the organisation’s ethical expectations, as described in applicable policies and procedures.
Objectivity
The Chief Internal Auditor will ensure that the Internal Audit function remains free from all conditions that threaten the ability of Internal Auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. If the Chief Internal Auditor determines that objectivity may be impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties.
Internal Auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively, such that they believe in their work products, do not compromise quality, and do not subordinate their judgment on audit matters to others, either in fact or appearance.
Internal Auditors will have no direct operational responsibility or authority over any of the activities they review. Accordingly, Internal Auditors will not implement internal controls, develop procedures, install systems, or engage in other activities that may impair their judgment, including:
- Assessing specific operations for which they had responsibility within the previous year.
- Performing operational duties for Principality Building Society or its affiliates.
- Initiating or approving transactions external to the Internal Audit function.
- Directing the activities of any Principality Building Society employee that is not employed by the Internal Audit function, except to the extent that such employees have been appropriately assigned to Internal Audit teams or to assist Internal Auditors.
Internal Auditors will:
- Disclose impairments of independence or objectivity, in fact or appearance, to appropriate parties and at least annually, such as the Chief Internal Auditor, Audit Committee, management, or others.
- Exhibit professional objectivity in gathering, evaluating, and communicating information.
- Make balanced assessments of all available and relevant facts and circumstances.
- Take necessary precautions to avoid conflicts of interest, bias, and undue influence.
Managing the Internal Audit Function
The Chief Internal Auditor has the responsibility to:
- At least annually, develop a risk-based Internal Audit plan that considers the input of the Audit Committee and senior management. Discuss the plan with the Audit Committee and senior management and submit the plan to the Audit Committee for review and approval.
- Communicate the impact of resource limitations on the Internal Audit plan to the Audit Committee and senior management.
- Internal Audit has the delegated authority to obtain resources, specialist services or peer / sector benchmarking analysis from a third party. Ideally this will be with a preferred sole co-source provider. In any instances where a co-source / third party is used to supplement the in-house Internal Audit team, any such provider will be required to comply with the principles of this Charter, must be clear of any conflicts or independence matters and comply with the IIA standards / IA Code.
- Review and adjust the Internal Audit plan, as necessary, in response to changes in Principality Building Society’s business, risks, operations, programs, systems, and controls.
- Communicate with the Audit Committee and senior management if there are significant interim changes to the Internal Audit plan.
- Ensure Internal Audit engagements are performed, documented, and communicated in accordance with the Internal Audit Standards.
- Ensure effective and relevant quality review procedures, aligned to the relevant standards, are conducted by an experienced / senior member of the Internal Audit Team.
- Follow up on engagement findings and confirm the implementation of recommendations or action plans and communicate the results of Internal Audit services to the Audit Committee at each Committee and for each engagement as appropriate.
- Ensure the Internal Audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Internal Audit Standards and fulfil the Internal Audit mandate.
- Identify and consider trends and emerging issues that could impact Principality Building Society and communicate to the Audit Committee and senior management as appropriate.
- Consider emerging trends and successful practices in Internal Auditing.
- Establish and ensure adherence to methodologies designed to guide the Internal Audit function.
- Ensure adherence to Principality Building Society’s relevant policies and procedures unless such policies and procedures conflict with the Internal Audit charter or the Internal Audit Standards. Any such conflicts will be resolved or documented and communicated to the Audit Committee.
- Coordinate activities and consider relying upon the work of other internal and external providers of assurance and advisory services. If the Chief Internal Auditor cannot achieve an appropriate level of coordination, the issue must be communicated to senior management and if necessary escalated to the Audit Committee.
- Meet with all the Executive and other relevant Senior Managers at least quarterly. The purpose of these meetings is to ensure that Internal Audit is aware of and understands business developments, risks, etc., and incorporate these, where necessary within the Internal Audit Planning and delivery.
- The Chief Internal Auditor will meet with the Society’s regulators, on request from either party, to discuss any aspect of Internal Audit work or findings. Generally, the Chief Executive, Audit Committee Chair, relevant Executives and Senior Management will be made aware of both the occurrence of the meeting in advance and the matters discussed. This may not occur in exceptional instances, for example as specifically requested by the regulator or if the matters discussed relate to whistleblowing or suspicions of fraud by Executive Directors. If requested to perform specific assurance work by any regulatory body, Internal Audit will ensure that the Internal Audit Plan is re-arranged to accommodate the request.
Communications with the Audit Committee and Senior Management
The Chief Internal Auditor will report to the Audit Committee and senior management regarding:
- The Internal Audit function’s mandate.
- The Internal Audit plan and performance relative to its plan.
- Internal Audit budget.
- Significant revisions to the Internal Audit plan and budget.
- Potential impairments to independence, including relevant disclosures as applicable.
- Results from the quality assurance and improvement program, which include the Internal Audit function’s conformance with The IIA’s Internal Audit Standards / Internal Audit Code of Practice, and action plans to address the Internal Audit function’s deficiencies and opportunities for improvement.
- Significant risk exposures and control issues, including fraud risks, governance issues, and other areas of focus for the Audit Committee.
- Results of assurance and advisory services.
- Resource requirements.
- Management’s responses to risk that the Internal Audit function determines may be unacceptable or acceptance of a risk that is beyond Principality Building Society’s risk appetite.
Quality Assurance and Improvement Programme
The Chief Internal Auditor will develop, implement, and maintain a quality assurance and improvement programme that covers all aspects of the Internal Audit function. The programme will include external and internal assessments of the Internal Audit function’s conformance with the Internal Audit Standards, as well as performance measurement to assess the Internal Audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. The programme also will assess, if applicable, compliance with laws and / or regulations relevant to Internal Auditing. Also, if applicable, the assessment will include plans to address the Internal Audit function’s deficiencies and opportunities for improvement.
Annually, the Chief Internal Auditor will communicate with the Audit Committee and senior management about the Internal Audit function’s quality assurance and improvement program, including the results of internal assessments (ongoing monitoring and periodic self-assessments) and external assessments. External assessments will be conducted at least once every five years by a qualified, independent assessor or assessment team from outside Principality Building Society; qualifications must include at least one assessor holding an active Certified Internal Auditor credential.
Scope and types of Internal Audit Services
The scope of Internal Audit services covers the entire breadth of the organisation, including all Principality Building Society’s activities, assets, and personnel. An Internal Audit Risk Universe and Three-year Plan is used to determine the scope, frequency and timing of work.
The scope of Internal Audit activities also encompasses but is not limited to objective examinations of evidence to provide independent assurance and advisory services to the Audit Committee and management on the adequacy and effectiveness of governance, risk management, and control processes for Principality Building Society. The nature and scope of advisory services may be agreed with the party requesting the service, provided the Internal Audit function does not assume management responsibility. Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during advisory engagements. These opportunities will be communicated to the appropriate level of management. Internal Audit engagements may include evaluating whether:
- Risks relating to the achievement of Principality Building Society’s strategic objectives are appropriately identified and managed.
- The actions of Principality Building Society’s officers, directors, management, employees, and contractors or other relevant parties comply with Principality Building Society’s policies, procedures, and applicable laws, regulations, and governance standards.
- The results of operations and programs are consistent with established goals and objectives.
- Operations and programs are being carried out effectively and efficiently.
- Established processes and systems enable compliance with the policies, procedures, laws, and regulations that could significantly impact Principality Building Society.
- The integrity of information and the means used to identify, measure, analyse, classify, and report such information is reliable.
- Resources and assets are acquired economically, used efficiently and sustainably, and protected adequately.