1. Purpose

Internal Audit will perform its work in accordance with the Chartered Institute of Internal Auditors FS Code and the International Professional Practices Framework (IPPF) (including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing). From January 2025, the IPPF will be replaced with the Global Internal Audit Standards, and the FS Code with the CIIA Code of Practice. This Charter is a fundamental requirement of both the Code and the Standards.

The Global Internal Audit Standards define ‘internal auditing’ as: “An independent, objective assurance and advisory service designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.”

Within the three lines model of the firm’s Enterprise Risk Management Framework, the BAC has established the Internal Audit function to help protect the assets, reputation and sustainability of Starling Bank Ltd. Internal auditing strengthens the organisation’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight. Internal Audit aims to contribute in a fair, balanced, reliable and forward-looking manner to the firm’s governance and internal control environment.

The three lines model at Starling Bank Ltd consists of:

  • The first line, which is responsible for identifying, assessing, controlling, monitoring and reporting risks in accordance with risk policies and methodologies and the ERMF, and for operating within all limits applicable to its operations as cascaded from the Risk Appetite Statements.
  • The second line, which is independent from the first line and is responsible for monitoring and challenging the application of the risk management framework by the first line through ongoing oversight and a programme of risk assurance and compliance monitoring, and for providing oversight and challenge on all significant risks identified for the Bank, in order to ensure they are being appropriately monitored and controlled in line with risk appetite.
  • The third line (Internal Audit), which is accountable for providing independent assurance on governance, risk management and control effectiveness across the first and second lines, and for providing an independent assessment of the adequacy of first and second line activities in relation to all aspects of the business, including risk management.

This is aligned with industry accepted standards and practice.

Starling Bank’s Internal Audit mission statement is to provide timely, balanced, reliable and independent assurance to the BAC thereby helping them and senior management to protect Starling’s assets, reputation and sustainability.

2. Roles and responsibilities

2.1 The Internal Audit function

The internal audit function derives its authority and independence from the BAC.

To achieve its purpose, Internal Audit:

  • Assesses whether all significant risks are identified, measured, reported to the board and senior management, and mitigated;
  • Checks whether controls are designed adequately and operating effectively;
  • Challenges executive management to improve the effectiveness of internal controls, governance and risk management; and
  • Coordinates with other assurance providers to optimise assurance coverage and outputs.

Where appropriate, Internal Audit may also provide assurance to external parties including regulators and similar industry bodies (e.g. payment schemes). This assurance follows standard IA audit methodology and procedures, and the Terms of Reference of each engagement would detail any exception to our methodology as well as the GHIA’s approval.

We may also be called upon to provide consultancy or advisory services to support SBL’s management in developing an effective control framework; however, this is by exception. Any such work would be conducted in accordance with our audit methodology and procedures, with appropriate safeguards to independence and objectivity implemented and documented. Any exception to our methodology would require the GHIA’s approval.

The GHIA operates the Bank’s whistleblowing processes on behalf of the whistleblowing champion (the Audit Committee Chair). This involves an assessment of any whistleblowing disclosure to determine its severity and ensure an appropriate and compliant investigation in line with Bank policies. Independence and objectivity are safeguarded through the anonymous nature of the process. Internal Audit supports investigations arising from whistleblowing disclosures as requested. 2LoD Risk or external assurance suppliers provide periodic assurance over the whistleblowing framework. The Board approves the Whistleblowing policy at least annually upon recommendation from the Board Audit Committee.

Internal Audit influences senior management with recommendations that will help Starling achieve its strategic objectives over the long term.

Internal Audit will maintain a forward-looking, open, constructive and co-operative approach to its interactions with regulators, external auditors, internal control functions across the first and second lines of defence, and with management and employees of Starling Bank Ltd.

Internal Audit will comply with requirements and guidance that apply, including those published by the Prudential Regulation Authority, the Financial Conduct Authority, and the Chartered Institute of Internal Auditors (IIA). Specifically, Internal Audit will adopt best practice and comply with new standards published by the IIA including the 2024 Global Internal Audit Standards and the new CIIA Code of Practice.

Internal Audit may use external providers to help it deliver its mandate, in line with the firm’s Procurement and other applicable policies, and subject to the pre-approval of the CEO and Chair of the BAC.

Internal Audit will report in writing following the conclusion of each engagement, in the form agreed in the engagement’s terms of reference and in line with the internal audit methodology. Reports will be distributed as appropriate, and the BAC will receive a summary of findings and agreed management actions.

The GHIA is responsible for following up and reporting on the delivery of agreed management actions and for confirming their risk-acceptance by the first or second line(s) of defence, or their closure.

Internal Audit will maintain a quality assurance and improvement programme that covers all aspects of the function. The programme will assess compliance with all applicable standards, requirements and expectations. The outcome will be reported at least annually to the BAC as part of the annual self-assessment of the effectiveness of the internal audit function. An external quality assurance review performed by an independent third party will report to the BAC at least every five years, at the discretion of the Chair of the BAC.

2.2 The Chair of the BAC

The Chair of the BAC will:

  • Set the objectives and, with input from the Chief Executive Officer, review the performance of the Group Head of Internal Audit, including making recommendations on remuneration to the Remuneration Committee as appropriate;
  • Lead in the resolution of any conflicting priorities;
  • Ensure that Internal Audit has access to sufficient resources to discharge its duties;
  • Lead the BAC evaluation of the performance of the Internal Audit function on a regular basis;
  • Challenge the reports submitted to the BAC and in turn challenge senior management on the control environment and its ongoing improvement; and
  • Approve the appointment and removal of the GHIA.

2.3 The Chief Executive Officer

The CEO will:

  • Recommend the GHIA’s annual pay and reward package to the Chair of the BAC and then RemCo;
  • Contribute to the setting of the GHIA’s performance objectives and appraisal process;
  • Set work priorities for the Internal Audit function and the right ‘tone from the top’ in respect of Internal Audit;
  • Encourage the executive team to close all open management actions on time; and
  • Approve the contract for the engagement of any third-party supplier of internal audit activities.

2.4 The Group Head of Internal Audit

The GHIA will:

  • Coordinate the BAC meetings with the Finance function and Secretariat team;
  • Develop and maintain an audit strategy and methodology to be presented to the BAC;
  • Develop a risk-based annual audit plan (and resource budget) to be approved by the BAC and deliver it;
  • Report in writing without undue delay on the outcome of all internal audit engagements;
  • Follow up on agreed management actions, validate their closure or risk-acceptance, and report on and escalate overdue actions as required;
  • Implement a quality assurance and improvement programme for internal audit activities and report annually to the BAC;
  • Maintain a close working relationship with control functions across the firm and provide an integrated assurance plan to the BAC at least annually;
  • Liaise with the external auditors and all other assurance providers to enhance their assessment of the control environment;
  • Provide a quarterly report to the BAC on the progress of the audit plan delivery and any proposed changes, the outcome of internal audit activities and key issues and findings (good outcomes as well as material findings), thematic and systemic issues, an independent view on management’s reporting on risk management (including a view on, and the timeliness of, remediation plans), and a report on management actions;
  • Provide an annual report to the BAC on how the principles in the CIIA Code of Practice have been applied; and
  • Provide an annual opinion on the state of the control environment and management’s awareness and approach to controls ahead of the BAC’s review of the draft Annual Report and Accounts. The format of this annual opinion framework will evolve in line with expectations from the upcoming UK Corporate Governance Reform.

3. Authority

The GHIA is appointed and removed by the Chair of the BAC. The GHIA reports functionally to the Chair of the BAC and administratively to the Chief Executive Officer. This ensures the independence and right level of standing, access and authority of the Internal Audit function.

The board, its committees and senior management should set the right ‘tone at the top’ to ensure support for, and acceptance of, Internal Audit at all levels of the organisation.

The GHIA has a right to attend and observe in meetings of the Board of Directors and Senior Management relating to the remit of internal audit, specifically the enterprise-wide risk management framework, financial reporting, governance and controls, strategic meetings and relevant executive meetings. The GHIA may attend and observe the Executive Committee, the Board, the Board Risk Committee, the BAC, the Executive Risk Committee, and other sub-committees such as the Asset & Liability Committee, the Wholesale Credit Risk Committee, the Credit Risk Committee, the Impairment Committee, the Third Party Credit & Forward Flow Committee, the Operational Risk Committee, the Financial Crime Steering Committee, the Product and Conduct Committee, the Finance Committee and the Pricing Committee.

The GHIA has prompt, unrestricted access to all Starling Bank Ltd’s personnel, assets, information and systems during the performance of audits approved by the BAC in the annual internal audit plan and investigations approved by the GHIA or the Chair of the BAC. This includes the expectation to be informed proactively by senior management of any material decision, change, event or issue that could affect the control environment.

The GHIA has direct and unrestricted access to the Chair of the BAC and the CEO.

4. Independence and objectivity

The GHIA does not have any executive, managerial or operational powers or duties outside the management of the Internal Audit function.

Internal Audit is independent of the day-to-day business of the Bank. Internal Audit staff assume no operational responsibilities and will not review a business area or function in which they have had recent management or operational responsibility or are otherwise conflicted.

IA staff must always remain objective and not be influenced by personal, business or other matters that could impair impartiality. IA staff must have no line responsibility or authority over any of the activities or operations they review and (except in circumstances approved by the BAC) are not authorised to:

  • Perform any operational duties of the organisation except within IA;
  • Provide audit services in relation to a business area or activity for which they have held responsibility within the previous twelve months;
  • Develop or implement procedures or systems external to IA;
  • Initiate or approve any transactions external to IA;
  • Direct the activities of any employee not employed by IA; and
  • Engage in any other activity which could compromise their objectivity.

Safeguards to independence and objectivity are in place in line with Bank-wide conflicts of interest policies and processes and are monitored by the GHIA. Safeguards are reviewed annually.

The Executive will provide input into matters related to audit selection, scope, procedures, frequency or report content, but will not act in a way that could be perceived to affect the independence and objectivity of the Internal Audit function.

Resources for the Internal Audit function are approved by the BAC, including any material expenses incurred by the GHIA. The GHIA will report at least annually to the BAC, without management being present, on the independence of the Internal Audit function, its access to adequate resources and any issue they may wish to raise directly with the BAC.

5. Scope

The scope of internal audit is unrestricted. It covers all activities of Starling Bank Ltd, all areas of current and future risks as well as their mitigating controls in the current and foreseeable business environment.

The scope of IA specifically includes:

  • Governance arrangements, policies, processes and controls across the first two lines of defence;
  • Processes and controls supporting strategic and operational decision-making, and the delivery of strategic priorities;
  • The setting and adherence to risk appetite including the effectiveness of the enterprise-wide risk management framework;
  • Management’s control awareness and approach to addressing known issues;
  • Organisational Culture;
  • Capital, liquidity, regulatory and reputational risks and mitigating controls as well as material corporate and external events;
  • Environmental sustainability, climate change risks and social issues;
  • Financial crime, economic crime and fraud;
  • Technology, cyber, digital and data risks;
  • Information provided to senior management and the Board as part of the decision-making process, including risks identified and assumptions made;
  • Customer outcomes and the treatment of customers;
  • Products and services design and control, including customer interests and conduct risk;
  • The adequacy of the Risk management, Compliance, Finance and control functions;
  • Thematic reviews, as could be relevant to assess the overall control environment; and
  • Special investigations or engagements as relevant or requested by the Chair of the BAC, the Chief Executive Officer, or a regulator.