Internal Audit

What newly DNB licensed institutions need to know about the Internal Audit function?

By: Ralu Nistor-Lustermans
DNB Internal Audit function
In line with the Dutch National Bank (DNB) licensing requirements, your payment institution is required to have an internal audit function in place. A strong internal audit (IA) function is crucial to creating a structure for risk management, supporting compliance activities, and providing opportunities to improve business performance.
Internal Audit – Your Obligations

The DNB requires payment service providers to have an independent internal audit function, separated from management. This unit assesses the effectiveness of the company’s organisation, procedures and measures. This function:

  • Conducts internal audits at least annually;
  • Operates internally and independently from the management;
  • Operates internally and independently of the control measures embedded in operational processes;
  • Assesses evolving risks and changing external and internal circumstances (e.g., regulatory changes, new products and services);
  • Identifies shortcomings and ensures they are corrected in collaboration with management.

The IA function can either be performed in-house (i.e. you build an internal audit team to perform audits) or outsourced (i.e. staffed entirely by a third-party provider). For newly licensed institutions, outsourcing is often favoured as it provides access to more experienced auditors and allows you to set up IA correctly from day one, without the added cost of dedicated employees.

The minimum requirements for the Internal Audit Function to have in place are an Engagement Letter, an IA Charter and an IA Plan for the upcoming years. 

1. Engagement Letter

The engagement letter (a document between the company and the Internal Audit service provider) describes the general objectives and scope of the engagement, the auditors in charge, the timeframe of the audit service, roles and responsibilities, and reporting obligations. 

2. IA Charter

The IA Charter is a document in which the IA defines, at the minimum:

  • The purpose of IA and its mandate
  • The reporting lines to the company Management Board (Raad van Bestuur) and Supervisory Board (Raad van Commissarissen)
  • The responsibilities of Internal Audit
  • The identity of the Chief Internal Auditor (CIA) who is overseeing the IA function
  • A high-level view of the IA processes and reporting to the Board
  • The responsibilities of the Company Board and Supervisory Board in relation to the IA function 

The IA Charter needs to be approved by the Company Board of Directors. It is reviewed at least annually, or whenever major changes in the governance and reporting lines of IA occur. All changes must be approved by the Company's Board.

3. IA Plan

The IA plan is a document prepared by Internal Audit which includes the internal audit topics which need to be audited during an audit cycle (3 years normally). It aligns with the company’s strategy, objectives, and compliance requirements.

As an example, the IA Plan could cover:

  • Compliance/legal risks (e.g. AML, GDPR, PSD2)
  • Major risks of the organisation, including but not limited to:
    • Governance risks (conflicts of interest);
    • Outsourcing risks;
    • IT risks;
    • Financial (e.g. fraud) and accounting risks;  

The audit plan is discussed with senior management and the Board of Directors, who approve it before the audit delivery. Just as for the IA Charter, any major changes to the approved plan need to be re-approved by the Board of Directors. 

Small institutions that are still in the set-up phase typically start with at most 1 to 3 audits per year. The IA activity increases as the company grows and scales up, eventually reaching one audit a quarter or more, depending on the size of the company.

Internal Audit Execution

Once the Engagement Letter, IA Plan and IA Charter are approved by both parties, Internal Audit can start delivering the audits on the audit plan. Here is what you can expect:

  1. Pre-audit planning: IA provides an internal audit planning memo defining the scope, approach, and timing of the audit. It also names the IA team and identifies the audit actors within the organisation. This document is shared with and discussed with the senior sponsor of the audit for approval.
  2. Fieldwork and Testing (Execution Phase): A fieldwork program is developed by the IA function. During the audit, internal controls are tested, and data and pieces of evidence are collected to assess the risk areas previously defined in the audit plan and to identify gaps and improvements.
  3. Final audit report: all findings identified during the audit are presented to senior management and the company board of directors in the form of a report. It contains the findings, ranked by severity, together with their corrective actions. Recommendations are discussed and agreed upon with management, with action plans and deadlines. The Board must ensure that risks are addressed on time.
  4. Periodically, the Chief Internal Auditor presents findings, themes and trends to the Board of Directors. IA is an ongoing process, with regular follow-ups.

Outsourcing your internal audit function to Grant Thornton Netherlands gives you:

  • immediate access to internal audit expertise, knowledge and know-how;
  • access to specific expertise, such as AML, outsourcing governance, and the regulatory demands placed on banking and payment institutions;
  • the ability to benchmark and share best practices from across the sector;
  • access to a global network, if needed;
  • the opportunity to keep the internal audit work proportional to the size and risk appetite of the institution: you do not have internal auditors on your payroll, but they come in to deliver the work required, when it is required.

Would you like more information on how we can help you establish an internal audit function that is fit for your organisation?

Reach out to us and we will be happy to help you.

Contact us