Internal Audit Charter

Group Internal Audit

Danske Bank Group

1. Introduction

The Internal Audit Charter has been prepared based on the Executive Order no. BEK 1912 of 22/12/2015 on Auditing Financial Undertakings etc. as well as Financial Groups (Executive Order on Auditing) and with later changes, cf. BEK 1451 of 29/11/2016 and BEK 1548 of 17/12/2019.

The Internal Audit Charter provides the basis for the Group Internal Audit (GIA) function, its rights and obligations as well as responsibilities. The Internal Audit Charter applies to the Danske Bank Group (Group). The Board of Directors (BoDs) of the Group's subsidiaries adopt the Internal Audit Charter, with the adjustments that local audit legislation and/or practice may require.

GIA is established by the BoD in legal entities of the Group as an independent function with employees located in Copenhagen, Trondheim, Stockholm, Helsinki, Belfast and Vilnius.

The BoD of Danske Bank A/S appoints and employs the Chief Audit Executive (CAE) who is accountable for the internal audit deliveries across the Group. All Danish legal entities must also appoint the CAE. In foreign legal entities the CAE, or a delegate appointed by the CAE, is appointed as the Head of Internal Audit unless local regulatory requirements prescribe otherwise. Legal entities and branches across the Group employ GIA staff members.

2. Purpose

The primary role of GIA is to help the BoD and the Executive Leadership Team (ELT) to protect the assets, reputation and sustainability of the Group. Internal auditing is an independent and objective activity, aiming to add value and improve the Group's operations. By applying a systematic and disciplined approach, it helps the Group achieve its objectives through the evaluation and enhancement of the effectiveness of the organization's risk management, control, and governance processes, with the following purpose statement:

Keep the Group Safe and Sustainable by providing assurance and insights that matter.

3. Scope of internal audit activities

Internal audit assessments include evaluating whether the actions of the Group's officers, directors, employees, and contractors are in compliance with the Group's policies, procedures, and applicable laws, regulations, and governance standards. The assessments also evaluate whether established processes and systems are adequate to ensure compliance with the policies, procedures, laws, and regulations that could significantly impact the Group. Furthermore, the assessments examine the reliability and integrity of information, as well as the methods used to identify, measure, analyze, classify, and report such information.

GIA is responsible for auditing Danish and non-Danish subsidiaries and units of the Group using a risk-based approach. GIA's scope is unrestricted and includes all areas of the Group including those managed by outsourcing partners.

The CAE is responsible for ensuring that sufficient competencies exist within GIA to conduct audit tasks. If sufficient competencies do not exist within GIA, then GIA may obtain external independent and competent support. However, GIA remains accountable for the audit activity.

GIA's activities do not include Consulting Services, apart from those recommendations that by nature are provided as part of GIA's advisory or assurance work in line with the International Standards for the Professional Practice of Internal Auditing (IPPF).

GIA performs internal audit activities pursuant to the Audit Agreement between External Audit and the CAE of Danske Bank (Audit Agreement). The Audit Agreement includes an overall description of the audit activities and sets out the division of work between External and Internal Audit. The Audit Agreement contains guidelines for the co-operation between External and Internal Audit; including how External Audit can use work performed by GIA. Furthermore, it details the manner and extent to which information related to an audit activity should be exchanged between the External and Internal Audit functions.

According to Section 20 (4) of the Executive Order on Auditing, the BoD has decided that the CAE shall not issue an auditors' report on the Annual Report.

Specific audit assignments may be performed upon request from the Audit Committees (ACs), other BoD Committees, the BoDs, and Management Boards across the Group or from the CAE provided that this is reported in the Long Form Audit Report (or equivalent) of the legal entity in question. Such assignments may not place the CAE in a situation where he/she provides assurance of a matter or a document that has been established, issued or assured by GIA.

Providing assurance via issuance of Audit Reports is an important part of GIA's value creation together with acting as a challenging sparring partner. This role involves assisting the business in focusing on addressing the right risks thereby reducing the risk of loss and the likelihood of mistakes. It also includes identifying areas of possible non-compliance, providing clear and direct reporting and leveraging information gained from one business line for the benefit of another. Also, GIA provides the business with several declarations during the year to be delivered to external parties in cases where the Group has an obligation to give assurance to its partners and/or customers.

4. Organisation

4.1. Management

Solely the BoD of Danske Bank A/S may effect appointment and dismissal of the CAE.

No later than one month after the appointment or resignation of the CAE, the Danish FSA shall be informed.

No later than one month after the dismissal or resignation of the CAE, the BoD and the CAE shall submit to the Danish FSA separate statements providing the background for such a decision.

Upon the appointment of the CAE, the CAE must have a theoretical education equivalent to what is required to become an 'approved auditor' and must have participated in audit work for at least five years of which three years must have been within the past five years. Further, the CAE must have gained audit experience from the financial industry or from a large/complex company.

The CAE is the Head of GIA.

The CAE may not take part in other work in the Group except for what is included in this Internal Audit Charter and in the Audit Agreement. Also, the CAE may not take on other positions without obtaining approval from the BoD if required according to section 80 in the Danish Financial Business Act and/or the Service Agreement for the CAE. The Chairman of the AC must agree to the CAE taking on lecturing, teaching, examination tasks and similar jobs and jobs of an audit technical nature. Similar conditions apply to GIA staff, however subject to agreement with the CAE.

The CAE will have unrestricted access to and communicate and interact directly with the BoD and with the Audit Committee, including in private meetings, without management present.

Where the tenure of the CAE exceeds seven years, the AC should explicitly discuss annually the AC Chairman's assessment of the CAE's independence, objectivity and competence level.

4.2. Staff

The recruitment and dismissal of GIA staff are subject to approval by the CAE.

Whatever their organisational position within the Group, the GIA staff reports on audit matters to the CAE. GIA staff may only carry out audit work as described in this Internal Audit Charter and audit work that they have the competencies to perform.

The CAE is responsible for ensuring that the staff has the qualifications required for performing the audit activities. The CAE is responsible for setting guidelines that ensure that GIA staff receives appropriate training.

GIA departments may be established outside of Denmark to audit non-Danish subsidiaries and units if that is locally required or required by the CAE and approved by the AC. The local GIA departments report to the CAE.

4.3. Secrecy etc.

The CAE is subject to the provisions governing professional secrecy under section 117 of the Danish Financial Business Act and applicable local requirements. GIA shall report to the ACs, to other BoD committees if deemed relevant, and to the BoDs of the companies covered by this Internal Audit Charter as well as to External Audit. The professional secrecy applicable to the CAE shall also apply to the staff of GIA.

4.4. Conflicts of interest

If by marriage, permanent cohabitation, adoption or fosterage or by relationship or marriage in lineal descent or ascent or by collateral kinship as close as nephews and nieces, the CAE becomes attached to anybody in the Group, the CAE shall inform the relevant ACs, BoDs and External Audit. Similarly, the staff of GIA shall inform the CAE in case the above were to apply to them.

The reward to the CAE is a fixed salary and the CAE is not eligible to participate in the bonus plan. Pursuant to Section 77 of the Danish Financial Business Act, the CAE may neither have loans, obtain guarantees or own shares in any of the legal entities covered by this Internal Audit Charter, provide security, nor undertake guarantees of any of these legal entities.

The staff of GIA may only take out loans or obtain guarantees in the companies covered by this Internal Audit Charter, if such loans and guarantees are based on the same terms as apply to other staff of the Group. Similar rules apply to the staff's credit collaterals in respect of the above-mentioned companies (in connection with securities, guarantees etc.).

The CAE and the staff of GIA may have no direct operational responsibility or authority over any of the activities audited and may not participate in bookkeeping or similar registration forming the basis for matters on which GIA's opinion must be issued or participate in the drafting of documents on which opinions are issued.

The CAE and the staff of GIA may not within the past 12 months have performed such duties that by issuing an opinion, the CAE would comment on his/her own work or work performed by the staff of GIA.

GIA has laid down ethical guidelines for its staff. The CAE will confirm to the relevant BoDs, at least annually, the organizational independence of the GIA activities.

4.5. Budget

The BoD in Danske Bank A/S shall - based on review and recommendation from the AC of Danske Bank A/S - approve GIA's Group Audit Plan (Plan), including the annual budget for GIA. Similarly, audit plans covering relevant subsidiaries shall be approved by the BoD of the respective subsidiary.

The CAE may use co-sourcing to support delivering the audit tasks. The associated cost shall be presented to the AC, e.g. on a yearly basis when the budget is put forward for review and recommendation for approval by the BoD.

The CAE may defray expenses within the approved budget.

Distribution of the cost of GIA to legal entities and branches covered by this Internal Audit Charter reflects the principles in the Intra Group Agreement.

4.6. Access to information

GIA, with strict accountability for confidentiality and safeguarding of records and information, is authorized full, free and unrestricted access to any and all of the Group's records, physical properties, and personnel pertinent to carrying out any engagement. All employees must assist GIA in fulfilling its roles and responsibilities.

In addition, the BoDs, ACs and other BoD Committees, and Boards of Management across the Group must inform the CAE of matters of importance to the evaluation of the Group and/or of legal entities and branches.

The CAE has access to the ACs', other BoD Committees' and to the BoD's minute books of the Group companies as well as to other written material which he/she deems to be relevant, and he/she shall be entitled to request all information, which he/she deems necessary to conduct audit activities.

The CAE and/or a person appointed by the CAE attends AC, other BoD Committees and BoD meetings during discussion of matters of relevance to the audit or to the presentation of the Annual Report. The CAE and/or a person appointed by the CAE is obliged to take part in the BoD handling of the matters in question if so requested by a BoD member.

The CAE must attend BoD meetings when the BoD discusses the Long Form Audit Report in relation to the annual financial statement.

5. GIA activities

The planning and performance of the work of GIA is subject to the provisions of the Executive Order on Auditing as well as the International Standards for the Professional Practice of Internal Auditing (IPPF), and the UK 'Internal Audit Financial Services Code of Practice - Guidance on effective internal audit in the financial services sector'.

GIA prepares a 6+6 Audit Plan twice a year for endorsement by the Audit Committee and approval by the Board of Directors. The 6+6 Plan includes a committed plan for the first six months and an outlook for the subsequent six months. This Plan is dynamic and risk-based, and it is continuously updated to maintain a comprehensive view of risks. The updates occur based on regular interactions with key stakeholders across business units and functions, and by monitoring market conditions, regulatory changes, and trends to stay aware of new and upcoming risks. The CAE is responsible for communicating any significant interim changes to the internal audit plan to the ELT and the Audit Committee, and to ensure that such changes are endorsed by the Audit Committee.

All areas of the Group are subject to audit with a frequency determined by the risk of the area (audit cycle). Based on an assessment of risk and materiality relating to the Group strategic goals, the Plan must ensure that areas assessed to be material and at high risk are in scope for auditing every year.

The audit strategy is to perform controls-based audit using a risk-based approach. However, it is assessed how to take into consideration the most efficient combination of test of controls, data analytics and substantive testing.

Specifically with reference to the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (Anti-money Laundering Act), GIA shall as part of its audit activities assess whether policies, procedures and controls are planned and work in a safe manner and in accordance with the Anti-money Laundering Act.

Danske Bank A/S has implemented a Whistleblowing Policy. The CAE is informed of concerns from the reporting that Group Compliance puts forward to the ACs or to other relevant BoD Committees. To the extent that the whistleblowing is related to Group Compliance, due to risk of conflict of interest, the investigation is performed by GIA, cf. the Whistleblowing Policy.

6. Communication

The CAE periodically reports to the ELT, BoD and AC on significant risk exposures and control issues, including fraud risks.

Reports from GIA are prepared quarterly for the AC of Danske Bank A/S, Northern Bank, Danica and Realkredit Danmark. Similar reports may be prepared to other BoD Committees in Danske Bank A/S in agreement with those committees.

For each of the Danish legal entities the CAE prepares and presents a Long Form Audit Report at BoD meetings at least once a year. All BoD members and External Audit sign the Long Form Audit report.

For the BoD in Danske Bank A/S, Danica and Realkredit Danmark a Long Form Audit Report is prepared semi-annually.

According to the Executive Order on Auditing, the CAE must issue a Long Form Audit Report at year-end, in which observations brought to the attention of the BoD during the year are included in a summary. The summary must include a status on the observations relating to the accounting year in question and on observations still outstanding in the Long Form Audit Report on the Annual Report for the previous year.

After completion of audit tasks, prior to the reporting to the ACs and BoDs, audit reports are issued to the responsible managers across the Group and to relevant members of the ELT in Danske Bank A/S. Further, Group Risk Management and Group Compliance receive a copy of issued audit reports.

An assessment of the design and/or operational effectiveness of the internal controls is reported in the audit reports based on the following scale:

Report rating and definition:

Management Attention Level 1: One or more significant deficiencies exist in governance, risk management or control processes, such that reasonable assurance cannot be provided with regard to the achievement of control and/or business objectives in scope of the audit activity. The deficiencies have the potential to materially impact the Group's capital or liquidity position, are Group wide (or relate to thematic issues across the Group) or are related to important matters on the Group's reputation, regulatory or governance agenda.

Management Attention Level 2: One or more significant deficiencies exist in governance, risk management or control processes, such that reasonable assurance cannot be provided with regard to the achievement of control and/or business objectives in scope of the audit activity.

Management Attention Level 3: Deficiencies exist in governance, risk management or control processes, such that reasonable assurance may be at risk regarding the achievement of control and/or business objectives in scope of the audit activity.

Management Attention Level 4: Governance, risk management, and control processes are adequately designed and operating effectively to provide reasonable assurance regarding the achievement of control and/or business objectives in scope of the audit activity.

For audit reports rated 'Management Attention Level 1' and 'Management Attention Level 2', the report rating will be supplemented by a change of direction to signal the development since the last audit (if any).

GIA may also report in the form of an audit letter, with or without audit observations.

Ratings of observations raised in the audit reports/letters are as follows:

Priority and definition:

Priority 0: In one or more of the Danske Bank Risk Assessment Matrixes the risk associated with the observation is within the Very High risk rated area.

Priority 1: In one or more of the Danske Bank Risk Assessment Matrixes the risk associated with the observation is within the High risk rated area.

Priority 2: In one or more of the Danske Bank Risk Assessment Matrixes the risk associated with the observation is within the Medium risk rated area.

All observations graded 'Priority 0' or 'Priority 1' in audit reports rated 'Management Attention Level 1' or 'Management Attention Level 2' are included in the quarterly reporting to the ACs and in the reporting to the BoDs. Other Priority 0, 1 and 2 observations - alone or associated with other observations - may at the discretion of the CAE be incorporated in the reporting.

Open observations are reviewed by GIA on a regular basis in collaboration with those in the business responsible for remediation to discuss progress on implementation according to agreed deadlines.

Further to the above, GIA reports on Management's Risk Culture, Awareness and Response in the audit reports based on the following scale:

  • Strong
  • Adequate
  • Weak

The outcome of this assessment is included in the quarterly reporting to the ACs and may be included in the reporting to other BoD Committees and BoDs as well.

If GIA identifies material errors, irregularities or significant non-compliance with business procedures, the CAE must promptly report them to the ELT in Danske Bank A/S, External Audit, and to the relevant ACs and/or BoDs.

The CAE has the responsibility to ensure that trends and emerging issues that could impact the Group are considered and communicated to the ELT and to the Audit Committee/BoD as appropriate.

7. The Danish Financial Supervisory Authority (FSA)

The Executive Order on Auditing sets out several statements and declarations, which the CAE must include in the Long Form Audit Report issued in connection with finalising the Annual Report of each of the Danish legal entities. This includes an overview on the audit activities performed as well as on conclusions derived.

According to Section 27 in the Executive Order on Auditing, and if the financial undertaking is included in Section 1 in the Executive Order on Auditing, GIA must conclude whether the company's risk management; the compliance function; standard operating procedures; and internal controls on all material and high risk areas are designed and operating appropriately.

According to Section 28 (2) of the Executive Order on Auditing GIA must confirm that GIA has not been in a situation, where GIA has provided assurance or information about matters or documents that employees in GIA have established the basis for.

According to Section 28 (3) of the Executive Order on Auditing GIA must confirm that GIA has received all information requested.

According to Article 25(2) of the Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 on investment firms, GIA concludes on its review of the reporting to the BoDs from Group Compliance and from Group Risk Management.

The financial undertakings submit a copy of the Long Form Audit Reports regarding the Annual Reports of the Danish legal entities to the Danish FSA together with the Annual Report approved by the BoD.

8. Quality Assurance and Improvement Program

GIA maintains a Quality Assurance and Improvement Program that covers all aspects of the internal audit activities. The program includes an evaluation of GIA's conformance with the Standards and an evaluation of whether internal auditors apply The IIA's Code of Ethics. The program will also assess the efficiency and effectiveness of the internal audit activities and identify opportunities for improvement.

The CAE will communicate to ELT and AC on GIA's quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the Group.

9. Publication

The Internal Audit Charter will be published at Danske Bank's website.

10. Amendments to the Internal Audit Charter

Solely upon approval by the BoD of Danske Bank A/S the Internal Audit Charter may be amended.

Should amendments of Acts or Executive Orders cause requirements for amendments, or should the CAE find that it is appropriate to amend the Internal Audit Charter, it is the duty of the CAE to submit proposals for such amendments to the BoD.

Copenhagen, 2 May 2024.

Stina Kjellström

Chief Audit Executive

Approved by the BoD of Danske Bank A/S 2 May 2024.

Frederik Bjørn

Disclaimer

Danske Bank A/S published this content on 16 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 May 2024 10:57:06 UTC.