2018 Internal Audit Charter
November 2017
PUBLIC
Global Internal Audit Charter
Purpose
The primary role of Global Internal Audit (GBL INA) is to help the Board and Executive Management to protect
the assets, reputation and sustainability of the HSBC Group. GBL INA provides independent and objective
assurance as to whether the design and operational effectiveness of the Group’s framework of risk
management, control and governance processes, as designed and represented by management, is adequate.
The Group has adopted a risk management and internal control structure, referred to as the “Three Lines of
Defence”, to ensure it achieves its commercial aims while meeting regulatory and legal requirements and its
responsibilities to shareholders, customers and staff. GBL INA’s role as the third line of defence is independent
of the first and second lines of defence. In cases where GBL INA performs similar testing or monitoring
activities to those undertaken by the first or second lines of defence, these are undertaken as part of GBL INA's
independent assurance role and are not to be relied upon by management as a substitute for, or supplement to,
first or second line of defence activities.
Authority
GBL INA derives its authority from the Group’s Audit and Risk Committees, sub-committees of the Board of
Directors of HSBC Holdings plc, to which it has open access. GBL INA has, for the purpose of its work,
unrestricted access at any time to all the records, personnel, property and operations of the Group. The Audit
Committee oversees the independence and performance of GBL INA, reviewing the effectiveness of the
function, including its strategic focus, activities and plans, staffing, qualifications and budget. The Committee
also approves the qualifications, appointment or removal of the Group Head of Internal Audit.
The Group Head of Internal Audit reports functionally to the Chair of the Group Audit Committee and reports
administratively to the Group Chief Executive. The Group Head of Internal Audit will also provide reports to the
Risk Management Meeting of the Group Management Board in relation to the work of that function and the
disposition of its findings. The Group Head of Internal Audit is a member of the HSBC Group Management
Board but does not participate in decision making. Audit-related matters are not subject to approval by the
Group Management Board or any other Executive Governance body.
The Group Head of Internal Audit has access to the Group Chair, Chief Executive and Chairs of the Audit
Committee and Group Risk Committee whenever it is required and reports directly to the Audit and Group Risk
Committees on the state of risk management and internal control throughout the Group. GBL INA
representatives will attend all Audit and Risk Committee meetings across the Group, including executive
sessions, as may be appropriate. The Group Head of Internal Audit will confirm to the Audit Committee, at least
annually, the organisational independence of the Audit Function.
GBL INA will remain free from interference by any element in the organisation, including matters of audit
selection, scope, procedures, frequency, timing, or report content, to permit maintenance of a necessary
independent and objective mental attitude.
All GBL INA teams report to the Group Head of Internal Audit either directly or via the Audit Head of a particular
Business Line, Business Function, Region or Country and also to their respective Audit and Risk Committees.
GBL INA teams may also have an administrative reporting line to the local Chief Executive Officer.
GBL INA is not responsible for the management of risk or the implementation of an effective control framework
to mitigate risk to levels deemed to be acceptable to the Group. These areas are the responsibility of the Board
and management. Consequently, GBL INA personnel have no line responsibilities.
Staff seconded to GBL INA for particular assignments are required to adopt the same standards and procedures
as regards independence as permanent staff and are under the direction of GBL INA management for the
duration of their work.
Accountabilities and Scope of Work
The Group Head of Internal Audit is accountable for:
• Proposing GBL INA’s risk-based Audit Plan and programme of work, which is approved by the Audit
Committee annually, covering key risks, emerging risks, horizon risks and regulatory obligations, in line
with the Group’s risk management and internal control frameworks;
• Implementing the approved Audit Plan, including any regulatory or other special tasks or projects requested
by regulators and local Audit and Risk Committees;
• Recruiting, developing and retaining personnel with appropriate skills, knowledge, experience and
professional certifications to provide a credible challenge to the business and to meet the requirements of
this Charter. In addition, where specific expertise is required, GBL INA may utilise co-source and guest
auditors to support the audit work planned;
• Issuing periodic reports to the Audit and Risk Committees which highlight key themes that have emerged
through audit activity, business and regulatory developments and provide GBL INA’s view of emerging and
horizon risks together with details of respective audit coverage undertaken or planned. The Group Head of
Internal Audit will also update the Committees on key audit initiatives and provide regular updates on the
progress of completion of the audit plan, including any changes; and
• Providing oversight and control over the GBL INA function.
The scope of the Audit Plan and the subsequent completion of the programme of work should provide
reasonable assurance to management and the Board as to whether the design and operation of the Group’s
framework of risk management, control and governance processes, as designed and represented by
management, is adequate.
Audit coverage is achieved using a combination of business and functional governance audits, process and
control audits, risk management framework audits, themed audits and project audits. In addition, GBL INA may
carry out regulatory audits, investigations and special reviews.
Results of audit work together with an assessment of the overall risk management and control framework are
reported to the Audit and Group Risk Committees as appropriate, as well as to such local Audit and Risk
Committees that oversee the areas reviewed. GBL INA reviews management action plans in relation to audit
findings and verifies the adequacy and effectiveness of the mitigating controls before formally closing the issue.
Audit units must maintain a close working relationship with their local external auditors. External auditors should
be kept informed of GBL INA activities and results, and be allowed free access to all internal audit reports and
supporting records.
GBL INA provides independent assurance to management on the effectiveness of the processes in place to
manage fraud. Where material fraud occurs, GBL INA will review the nature of the incident and the adequacy of
recent audit coverage to ascertain whether the fraud could/should have been detected and also whether any
control weaknesses that gave rise to the fraudulent opportunity could/should have been detected.
GBL INA adheres to The Institute of Internal Auditors' (IIA) mandatory guidance including the Core Principles,
Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice
of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental
requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal
audit activity’s performance. In addition, GBL INA complies with Practice Advisories, Practice Guides and
recommendations issued by the IIA to the extent that these apply.
Policies and procedures are set out in the Audit Instruction Manual (AIM). Internal processes are designed and
implemented to ensure consistent quality of GBL INA work across the Group.
The Head of Professional Practices reports directly to the Group Head of Internal Audit and is responsible for a
programme of work to evaluate conformance with the IIA Standards and GBL INA policies and procedures. The
Quality Assurance team, part of Professional Practices, is independent of those staff who carry out the audit
work.
This Charter has been approved by the Group Audit Committee of HSBC Holdings plc. It will be reviewed
annually by the Group Head of Internal Audit and any changes will be formally approved by the Group Audit
Committee.