Internal audit roles and responsibilities

A baseline definition of internal auditing provides a starting point for understanding the roles and responsibilities of internal audit function. The Institute of Internal Auditors ("IIA") offers the following description: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Major roles and responsibilities of internal audit function are summarised as below: evaluates and provides reasonable assurance that risk management, control, and governance systems are functioning as intended and will enable the organisation's objectives and goals to be met reports risk management issues and internal controls deficiencies identified directly to the audit committee and provides recommendations for improving the organisation's operations, in terms of both efficient and effective performance evaluates information security and associated risk exposures evaluates regulatory compliance program with consultation from legal counsel evaluates the organisation's readiness in case of business interruption maintains open communication with management and the audit committee teams with other internal and external resources as appropriate engages in continuous education and staff development provides support to the company's anti-fraud programs.

Reporting Structure of Internal Audit Function

Existing corporate governance regulations do not address the interaction between the audit committee and the internal audit function, or the responsibilities of the function. In most companies, the internal auditor traditionally reported to either the Chief Financial Officer or the Chief Risk Officer, though other may have existed in some companies. Today, the internal auditor may either report directly to the Audit Committee, or the Audit Committee will have a role in hiring, firing, evaluating and compensating the Chief Audit

Officer. The Audit Committees increasing role with regard to the internal audit is being undertaken to help ensure the internal auditors "independence" and objectivity. The relationship between the Audit Committee and the internal audit function should be clearly defined and addressed in the Audit Committees charter. The internal audit supports the organization by evaluating and ensuring the functionality of business processes, risk management and the management and administration systems. The core task of the internal audit is to evaluate the efficiency and appropriateness of Group functions' and units' internal auditing. In its task, the internal audit assesses compliance with operating principles, guidelines and reporting systems, protection of assets and the efficiency of resource usage. The internal audit unit acts under the supervision of the Group's President and CEO and the Audit Committee. An internal audit action plan of internal auditing is prepared for one calendar year at a time. The audit focuses on areas that have particular significance for the risk assessed and the Group's objectives at the time. The action plan will be reviewed with the management semi-annually, with regard to how up-to-date and appropriate it is. The extent and coordination of auditing will be ensured with regular contact and flow of information with other internal control functions and auditors. If necessary, internal auditing uses external outsourced services for temporary additional resourcing or performing assessment tasks that require special expertise. In this case, the external service providers act under the supervision of the head of the internal audit. A report is written for each audit and distributed to the Group's CEO, the senior management of the affiliated group being audited and the management of the audited function or unit. The audit reports are submitted to the auditors for information and to the parties that are considered relevant on the basis of the content of the report. The internal audit department shall compose a semi-annual summary report to the Audit Committee on the audits carried out, the most significant observations and the agreed measures. In addition, the semi-annual report shall state the most significant changes in carrying out the audits compared to the action plan and other main duties performed by the internal audit department, as well as any changes in resources. An annual report of the activity of the internal audit shall be composed for the Board of Directors.