Internal Audit Charter for Starling Group
(September 2025)
Executive summary
The Internal Audit Charter defines the role and responsibilities, authority, independence, and scope of the Group Internal Audit function (IA) at Starling Group (Group). Any breach must be reported without delay to the Chair of the Starling Group Holdings Limited (SGHL) and Starling Bank Limited (SBL) Board Audit Committees (each a BAC and together, the BACs).
This Charter shall be reviewed and approved annually by the BACs on behalf of the Boards of SGHL and SBL (each a Board and together, the Boards).
The CIIA’s Code of Practice recommends that the Charter is published on the organisation’s public website. This is currently the Starling Bank website, until such time as there is a Group website.
1. Purpose
1.1. IA will perform its work in accordance with the Global Institute of Internal Audit’s (GIIA) Global Internal Audit Standards, and the UK’s Chartered Institute of Internal Audit’s (CIIA) Code of Practice. This Charter is a fundamental requirement of both the Standards and the Code. IA will also comply with any requirements or guidance from the Prudential Regulation Authority and the Financial Conduct Authority.
1.2. The Global Internal Audit Standards define ‘internal auditing’ as: “An independent, objective assurance and advisory service designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.”
1.3. Within the three lines model of the Enterprise Risk Management Framework, the BAC has established IA to help protect the assets, reputation and sustainability of the Group. Internal auditing strengthens the organisation’s ability to create, protect, and sustain value by providing the Board and management with independent, risk-based, and objective assurance, advice, insight, and foresight. IA aims to contribute in a fair, balanced, reliable and forward-looking manner to the firm’s governance and internal control environment.
2. Roles and responsibilities
2.1. The GHIA
The GHIA, who heads up IA, will:
2.1.1. Develop and maintain an internal audit strategy that is presented to the BACs.
2.1.2. Develop and maintain an internal audit methodology that defines how engagements are performed.
2.1.3. Develop a risk-based annual audit plan (and resource budget) to be approved by the BACs, and deliver it. Delivery is completed using the in-house IA, and / or using external providers.
2.1.4. Where requested, perform assurance activities for external parties (e.g. regulators or payment service providers).
2.1.5. Report in writing on the outcome of all internal audit engagements, agree actions with management to remediate issues, and distribute reports as appropriate.
2.1.6. Follow up on agreed management actions in line with agreed methodology, validate their closure or risk-acceptance, and report on and escalate overdue actions as required.
2.1.7. Implement a quality assurance and improvement programme (QAIP) that covers all aspects of IA, assessing compliance with all the GIIA Standards and the CIIA Code of Practice, and conformance with this Charter. Report the results of the QAIP at least annually to the BACs (typically through IA’s annual effectiveness self-assessment).
2.1.8. Maintain relationships with control functions and the external auditors to optimise assurance coverage and enhance their assessment of the control environment.
2.1.9. Provide a quarterly report to the BACs on the progress of the audit plan delivery and any proposed changes, the outcome of internal audit activities with key issues and management control approach, thematic and systemic issues, and progress on management completing agreed actions.
2.1.10. Provide an annual opinion on the state of the control environment and management’s risk and control culture ahead of the BACs’ review of the draft Annual Report and Accounts.
2.1.11. Operate the Group’s whistleblowing processes on behalf of the whistleblowing champion (the BAC Chair) in accordance with the Whistleblowing Policy. Note: Assurance over Whistleblowing is not provided by IA, to safeguard the independence and objectivity of the GHIA.
2.1.12. Provide consultancy or advisory services to support the Group’s management; however, this is done by exception. Any such work would be conducted in accordance with our audit methodology and procedures, with appropriate safeguards to independence and objectivity implemented and documented.
2.2. The BACs
The BACs [1] will:
2.2.1. Set the objectives and, with input from the Group Chief Executive Officer (CEO), review the performance of the GHIA, including making recommendations on remuneration to the Remuneration Committee as appropriate.
2.2.2. Lead in the resolution of any conflicting priorities.
2.2.3. Ensure that IA has access to sufficient resources to discharge its duties, and approve IA’s budget annually.
2.2.4. Lead the BACs’ evaluation of the performance of the IA function on an annual basis.
2.2.5. Challenge the reports submitted to each BAC and in turn challenge senior management on the control environment and its ongoing improvement.
2.2.6. SGHL: Approve the appointment and removal of the GHIA.
2.2.7. Consider and approve any exception to complying with the GIIA Standards and CIIA Code, when requested by the GHIA.
2.2.8. SGHL: Commission an external quality assessment review, performed by an independent third party, at least every five years.
3. Authority
3.1. The GHIA is appointed and removed by the SGHL BAC. The GHIA reports functionally (objectives, performance, and reward) to the Chair of the SGHL BAC and administratively to the Group CEO. This ensures the independence and right level of standing, access and authority of the IA function.
3.2. Each Board, its committees and senior management should set the right ‘tone at the top’ to ensure support for, and acceptance of, IA at all levels of the organisation.
3.3. The GHIA has the right to attend and observe the SBL Executive Committee, the Boards, the Board Risk Committees, the BACs, the SBL Executive Risk Committee, and other sub-committees. The GHIA may delegate attendance to another member of the IA Function.
3.4. IA has unrestricted access to all Group personnel, data, records and other information necessary for IA to deliver this Charter without interference. This includes the expectation to be informed proactively by senior management of any material decision, change, event or issue that could affect the control environment. IA will maintain the confidentiality and integrity of information in line with Group policies.
3.5. The GHIA has direct and unrestricted access to the Chairs of the Boards and BACs and the Group CEO.
4. Independence and objectivity
4.1. The GHIA does not have any executive, managerial or operational powers or duties outside the management of the IA function.
4.2. IA is independent of the day-to-day business of the Group. IA staff assume no operational responsibilities and will not review a business area or function in which they have had recent management or operational responsibility or are otherwise conflicted.
4.3. IA staff must always remain objective and not be influenced by personal, business or other matters that could impair impartiality. IA staff must have no line responsibility or authority over any of the activities or operations they review and (except in circumstances approved by either BAC) are not authorised to:
Perform any operational duties of the organisation except within IA.
Provide audit services in relation to a business area or activity for which they have held responsibility within the previous twelve months.
Develop or implement procedures or systems external to IA.
Initiate or approve any transactions external to IA.
Direct the activities of any employee not employed by IA.
Engage in any other activity which could compromise their objectivity.
4.4. Safeguards to independence and objectivity are in place in line with Group-wide conflicts of interest policies and processes and audit-level attestations covering independence of IA staff performing the engagement. Safeguards are constantly monitored by the GHIA and reviewed annually.
4.5. The Executive will input into matters related to audit selection, scope, procedures, frequency or report content but will not act in a way that could be perceived to affect the independence and objectivity of the IA function, and all final decisions in this regard rest with IA and the BACs.
4.6. Resources for the IA function are approved by the BACs, including any material expenses incurred by the GHIA. The GHIA will report at least annually to the BACs, without management being present, on the independence of the IA function, its access to adequate resources and any issue they may wish to raise directly with the BACs.
5. Scope
5.1. The scope of IA is unrestricted. It covers all activities of Starling Group, all entities of Starling Group (including Starling Bank Ltd, Fleet Mortgages and Engine), all areas of current and future risks as well as their mitigating controls in the current and foreseeable business environment.
5.2. The scope of IA specifically includes:
Governance arrangements, policies, processes and controls across the first two lines of defence.
Processes and controls supporting strategic and operational decision-making, the delivery of strategic priorities, and setting of the Group’s business model.
Organisational culture.
Internal governance, including information provided to senior management and the Board as part of the decision-making process (e.g. risks identified and assumptions made).
The setting and adherence to risk appetite including the effectiveness of the enterprise-wide risk management framework.
Key corporate and external events.
Capital and liquidity risks.
Customer outcomes and the treatment of customers, giving rise to conduct or reputational risk (including product and services design).
Environmental sustainability, climate change risks and social issues.
Financial crime, economic crime and fraud.
Technology, cyber, digital and data risks.
The adequacy and effectiveness of the risk management, compliance, finance and control functions.
The outcomes of processes (as well as their design and operating effectiveness).
Management’s control approach and approach to addressing known issues.
Thematic reviews, as could be relevant to assess the overall control environment.
Special investigations or engagements as relevant or requested by the Chairs of the BACs, the Group CEO, or a regulator.
[1] Unless specified otherwise, these matters apply to each BAC. Sections of this Charter which are expected to apply primarily to the SGHL BAC are headed ‘SGHL’.