Instructions for Internal Audit in Norges Bank
Laid down by the Executive Board on 13 June 2007, amended on 6 May 2009, 25 April 2012, 25 October 2017 and 13 June 2018.
Pursuant to Section 30a of the Norges Bank Act, Norges Bank is required to have an internal audit unit that reports to the Executive Board (also cf Section 9 of Regulation No. 1630 of 17 December 2009 on Risk Management and Internal Control at Norges Bank). In accordance with the Act, Internal Audit shall assess the Bank’s internal control, routines and other conditions that are significant for the Bank’s operations.
These instructions are laid down by the Executive Board and cover the areas of responsibility and authority of Internal Audit in Norges Bank.
The Executive Board shall regularly update the instructions in accordance with input from the Audit Committee. Internal Audit is at all times responsible for providing the Executive Board with information on changes to standards that are relevant for the content of these instructions.
2. Role and purpose
The Regulation on Risk Management and Internal Control at Norges Bank requires the Executive Board to ensure the adequacy of risk management and internal control at Norges Bank. Internal Audit’s role is to support the Executive Board’s follow-up of Norges Bank’s operations by providing independent assessments and advice on the Bank’s corporate governance in accordance with plans approved by the Executive Board.
In addition to the audit plan, the Head of Internal Audit may also decide to perform special assignments at the request of the Bank’s operating units and management or on his/her own initiative, as long as it does not interfere with Internal Audit’s independence and objectivity and takes into consideration the audit plan and the available resources. Significant assignments are to be cleared with and reported to the Audit Committee.
Internal Audit shall serve as report recipient in Norges Bank’s whistleblowing channel and ensure that reports are processed according to principles and guidelines for internal disclosure.
Internal Audit shall serve as secretariat for the Executive Board’s Audit Committee and assist the Committee in fulfilling the mandate issued by the Executive Board.
3. Professional basis
Internal Audit shall perform its tasks in accordance with ethical rules and the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing, under which Internal Audit is subject to external evaluation at least once every five years.
Internal Audit shall develop a management system with defined roles, work routines and audit methodology that ensures the implementation of and compliance with the IIAs standards and these instructions. The organisation and focus of Internal Audit’s auditing work is described in detail in the annex.
4. Organisation and independence
Internal Audit reports to the Executive Board via the Audit Committee. The Head of Internal Audit reports administratively to the Governor. The Executive Board approves Internal Audit’s audit plans and budgets upon the recommendation of the Audit Committee.
Internal Audit employees shall exercise objectivity and may not have direct operational responsibility or authority related to the activities being audited, nor can they be involved in any activity that may influence Internal Audit’s judgement.
Under its current standards, Internal Audit has the authority to decide on the organisation and focus of its projects.
The Head of Internal Audit is subject to the same requirements for the exercise of authority as other executive positions in Norges Bank.
5. Authorisations and rights
The Head of Internal Audit shall have the unlimited right of access to all of the Bank’s affairs, including the personnel, documents, systems and physical property that are relevant for the unit’s tasks. Normally, this right of access is also given to auditing personnel within their area of responsibility, but the individual providing the information may demand the right to inform the Head of Internal Audit directly if there are special grounds for this. The organisation shall provide Internal Audit with the assistance and facilities that are necessary to perform approved tasks.
In accordance with the Regulation on Risk Management and Internal Control at Norges Bank, the Head of Internal Audit shall have the right to be present at Executive Board meetings. The Head of Internal Audit can also be present at meetings of the Executive Board’s subcommittees when matters relevant to performing Internal Audit’s tasks are considered.
On its own initiative, Internal Audit shall keep itself briefed on and be given the opportunity to express an opinion concerning all important organisational changes in strategy, organisation, internal control and corporate governance.
6. Reporting and communication
Internal Audit shall have a continuous dialogue with the organisation’s management and with the Chair of the Audit Committee. Appropriate dialogue, transparency and cooperation with the external auditor and the Office of the Supervisory Council shall be established.
The Head of Internal Audit shall on his/her own initiative immediately inform the Governor and the head of the Audit Committee of conditions that are of significance for the Bank’s operations and of major errors, losses, irregularities, and deficiencies in internal control or other circumstances that he/she finds it necessary to report. Internal Audit is responsible for reporting to the Bank’s management on significant amendments to rules or other changes to the framework that may affect its functions. The Head of Internal Audit shall regularly report to the Audit Committee on the unit’s level of expertise.
Annex: Organisation of Internal Audit’s audit work
The Executive Board’s annual audit plan
Internal Audit shall formulate proposals for the Executive Board’s annual audit plans. The Executive Board approves the audit plans upon the recommendation of the Audit Committee. Any changes to the approved annual plan shall be put before the Audit Committee for approval.
Planning shall ensure that auditing is conducted in accordance with the Executive Board’s need for independent assessments. Audit plans shall be based on assessments of risks reflecting the areas’ defined corporate objectives, work processes, regulations and framework from governing bodies, including ethical guidelines.
On the basis of Internal Audit’s assessments of an updated risk situation, an update of the Executive Board’s audit plan shall be proposed after half a year and together with a review of the status of the audit plan for the year.
The planning process shall facilitate constructive dialogue with the organisation’s management and effective coordination with the Office of the Supervisory Council.
Internal Audit’s annual report to the Executive Board
Under the Regulation on Risk Management and Internal Control at Norges Bank, the Head of Internal Audit shall issue a report on risk management and internal control at least once a year.
The annual report shall be based on observations from executed audit projects, knowledge obtained through the Bank’s internal reporting and continuous dialogue with key Bank employees.
Implementation of audit projects
Internal Audit shall perform audits in accordance with the Executive Board’s audit plan. In planning individual audit projects, risk assessments shall be developed. The risk assessments serve as a basis for the definition of purpose, scope and criteria for the audit project and shall include:
- Importance of performance related to revised processes or activities.
- Risk of breaching applicable laws and regulations.
- Risk of breaching guidelines laid down by governing bodies, including ethical guidelines.
Internal Audit shall have access to personnel and resources that it deems necessary in order to perform audits. The Head of Internal Audit is responsible for deciding on the focus of the audit project meetings and who should participate in the meetings.
The results of individual audit activities that have been performed, and any suggested improvements, shall be communicated to the head of the audited unit. Internal Audit periodically reports the results of its work to the Executive Board via the Audit Committee.