Introduction
This charter defines the purpose, authority, independence, roles and responsibilities, quality assurance and scope of Internal Audit at Monzo. It is approved annually by the Audit Committee of the Monzo Bank Holding Group Limited ('MBHG') Board (the 'Audit Committee'). The charter is applicable to the Monzo Group (the 'Group' or 'Monzo'), which consists of MBHG and any of its subsidiaries (as defined in the UK Companies Act 2006).
Purpose
Internal Audit is Monzo’s “Third Line of Defence” (3LoD). Its mission is to help Monzo scale safely, by providing independent assurance that is designed for Monzo. Internal Audit provides Monzo’s Board and Executive Management with independent and objective risk-based assurance and insight on the adequacy and functioning of the system of internal control. Specifically, this covers whether Monzo’s framework for risk management, control, and governance is adequate and functioning effectively, and ensures:
- Effective risk management and accurate information: Significant risks are identified, reported, and controlled, and all financial, management, and operating information is accurate and timely.
- Compliance and customer outcomes: Monzo adheres to regulations, policies, standards, and its products and services deliver positive outcomes for customers.
- Achievement of objectives and protection of assets: Monzo successfully meets its goals and objectives while ensuring its assets, reputation, and sustainability are adequately protected.
Standards for the Professional Practice of Internal Auditing
Internal Audit will perform its work in accordance with the Chartered Institute of Internal Auditors Code of Practice, and the Global Internal Audit Standards (Standards) and Topical Requirements. The Chief Internal Audit Officer (CIA) will report at least annually to the Audit Committee regarding Internal Audit’s conformance with the Standards.
Mandate
Authority
The CIA and Internal Audit colleagues have the following authority:
- Full, unrestricted, and timely access to all Monzo functions, data, records, information, property, and personnel, while adhering to Monzo's policies and maintaining confidentiality. Highly sensitive information may be restricted to the CIA.
- Allocate resources, select subjects, determine scopes of work, and apply necessary audit techniques to achieve audit objectives.
- Obtain necessary assistance from Monzo colleagues to carry out Internal Audit activities.
If Internal Audit experiences challenges in relation to any of the points above, the CIA will escalate to the Chair of the Audit Committee.
Internal Audit Independence and Reporting
The CIA is positioned to ensure Internal Audit operates independently from management interference. The CIA reports functionally to the Chair of the Audit Committee and administratively to the Chief Executive Officer (CEO), having executive power solely within Internal Audit. This allows direct escalation to senior management and the Audit Committee. Internal Audit's independence is confirmed by the CIA on an annual basis. Any limitations or interferences are documented and reported.
Monzo's Internal Auditors must have sound judgment, appropriate skills, and experience, and must engage in continuous professional development. While they should identify fraud indicators, they are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Changes to the Mandate and Charter
The Internal Audit mandate or charter may be subject to change when significant events occur, such as updates to the Global Internal Audit Standards, Monzo acquisitions or reorganisations, shifts in key personnel (CIA, board, senior management), changes to Monzo's strategies, risk profile, or operating environment, and new laws or regulations affecting internal audit services.
Roles and responsibilities
Chair of the Audit Committee
To establish, maintain, and ensure that Monzo’s internal audit function has sufficient authority to fulfill its duties, the Chair of the Audit Committee will:
- Internal Audit’s authority: Discuss and advise on Internal Audit's authority, role, responsibilities, scope, services, and charter with the CIA and senior management, including ensuring the CIA has unrestricted access to the Board. Assist in the resolution of any conflicting priorities that may arise.
- Approve: Review and approve the Internal Audit Charter (at least annually), risk-based internal audit plan, internal audit budget and human resources administration.
- Performance and quality: Receive regular communications from the CIA including Internal Audit performance relative to its plan, and ensure a quality assurance program is in place and reviewed annually.
- CIA matters: Authorise the appointment and removal of the CIA, approve the CIA's remuneration, and review the CIA's performance. If the CIA’s tenure is more than 7 years, the Audit Committee will explicitly discuss annually the Chair’s assessment of the CIA’s independence and objectivity.
- Scope and resources: Make inquiries to ensure adequate scope and resources for Internal Audit, and participate in discussions about the "essential conditions" for an effective Internal Audit function, as per Global Internal Audit Standards.
- Challenge: Challenge and review all reports submitted to the Audit Committee. Challenge management on the effectiveness of delivering an adequate risk and control environment at Monzo, particularly where significant issues have been identified.
Chief Internal Audit Officer (CIA)
Ethics and Professionalism
The CIA will ensure that internal auditors:
- Adhere to global standards: Uphold the Global Internal Audit Standards, including principles of integrity, objectivity, competency, due professional care, and confidentiality.
- Support ethical culture: Understand and contribute to Monzo's ethical expectations, promoting an ethics-based culture throughout the organisation.
- Report unethical conduct: Recognise and report any behavior that conflicts with Monzo's ethical standards, as defined in applicable policies and procedures.
Objectivity
The CIA ensures Internal Audit operates without bias, covering all aspects like engagement selection and communication. Any potential bias will be disclosed. Internal Auditors must remain impartial, ensuring quality and independent judgment. They cannot have operational roles that could compromise objectivity. Internal Auditors must:
- Avoid operational conflicts: Refrain from assessing past responsibilities, performing operational duties, approving transactions outside of Internal Audit, or directing non-Internal Audit employees (unless temporarily assigned to audit teams).
- Ensure and disclose objectivity: Disclose any potential impairments to independence or objectivity, maintain professional objectivity in all activities, make balanced assessments of information, and actively avoid conflicts of interest, bias, or undue influence.
The CIA will:
- Develop, manage, and adapt the audit plan: Create an annual risk-based Internal Audit Plan, adjust it as needed due to changes in Monzo's business, and communicate any resource limitations affecting the plan to the Audit Committee and senior management.
- Execute and follow-up on audits: Ensure each audit is thoroughly executed with clear objectives and proper resource allocation, document results, communicate findings, and follow up to ensure weaknesses are addressed.
- Maintain quality and standards: Ensure the Internal Audit function possesses the required competencies, adheres to methodologies and Monzo's policies (except where they conflict with standards), implement a quality assurance program, and uphold integrity, objectivity, confidentiality, and competency.
- Coordinate and communicate: Maintain a close relationship with Risk and Compliance, share information, coordinate planning, share audit results, liaise with external auditors, and provide regular reports (periodic and annual) to the Audit Committee.
- Review and assess risks: Evaluate emerging risks, including those related to strategic projects, assess risks following significant adverse events, and determine when real-time involvement is necessary for high-risk corporate events.
The CIA will communicate the following to the Audit Committee and Senior Management:
- Strategic and operational updates: The Internal Audit mandate, plan, performance, budget, and any significant revisions.
- Independence and quality: Potential impairments to independence and the results of the quality assurance program, including conformance with Global Internal Audit Standards and improvement plans.
- Risk and control insights: Significant risk exposures, control issues (including fraud and governance), results of assurance activities, and management's risk responses.
- Resource and capacity: Resource requirements and any challenges or limitations impacting the Internal Audit function.
Chief Executive Officer (CEO)
The CEO is responsible for the day-to-day line management of the CIA, considering input from the Chair of the Audit Committee. The CEO recommends the CIA's pay and reward, sets work priorities, and helps resolve conflicts.
Quality assurance
Internal Audit at Monzo has a quality assurance and improvement program encompassing all internal audit activities. This program evaluates Monzo's Internal Audit adherence to the Global Internal Audit Standards and measures performance to track progress toward objectives and foster ongoing improvement.
The CIA will communicate to senior management and the Audit Committee the progress of the quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
Scope
The scope of Internal Audit covers all activities at Monzo. This includes all areas of current and future risks within Monzo, and an assessment of risk management and mitigation controls in Monzo’s current and expected business environment. For example:
- Assessing risk management and controls: Evaluating the adequacy and effectiveness of processes for controlling activities and managing risks, including the identification and management of key, emerging, and systemic risks.
- Reporting on controls and issues: Identifying and reporting significant control issues, tracking management's progress in addressing them, and assessing the effectiveness of control design, implementation, and sustainability.
- Evaluating culture and awareness: Assessing Monzo's risk and control culture, management's control awareness, and providing an overall annual opinion on the effectiveness of internal controls.
- Monitoring performance and liaising with regulators: Reporting on Internal Audit's progress against its objectives, the adequacy of its resources, and liaising with regulators by sharing relevant information.
- Special reviews and regulatory needs: Internal Audit can conduct special reviews, assignments requested by senior management or the Audit Committee, and work required by regulators or to validate regulatory reporting.
- Control assurance and remediation: Targeted control assurance reviews are performed to independently verify progress or completion of significant management remediation efforts.
Internal auditing does not provide a substitute for controls executed by senior management; responsibility for operational effectiveness rests with them.