Internal Audit Charter

("Bankeaz | Internal Audit Charter") (Version: 1.0, Date: 30.05.2024)

Internal Audit Charter
Introduction

This charter defines the purpose, reporting, authority, independence, scope, roles and responsibilities, and quality assurance of internal audit at Arcadia | Bankeaz.

It is approved annually by the Audit Committee of the Board.

Purpose

Internal Audit is Arcadia | Bankeaz’ “Third Line of Defense” (3LoD). Internal Audit provides Arcadia | Bankeaz’ Board and Executive Management with independent and

objective assurance on the adequacy and functioning of the system of internal control. Specifically, this should cover whether Arcadia | Bankeaz’ framework for risk

management, control, and governance processes are adequate and functioning as intended and in a manner that ensures:

● Arcadia | Bankeaz’ assets, reputation and sustainability are adequately protected by its system of internal control.
● all significant risks are appropriately identified, reported to the Board and the Group’s Senior Leadership Team and effectively controlled.
● significant financial, management, and operating information is accurate, reliable and delivered in a timely manner.
● Arcadia | Bankeaz’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
● products, services and processes result in fair outcomes for Bankeaz’ customers.

Standards for the Professional Practice of Internal Auditing

Internal Audit will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the

Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the

Definition of Internal Auditing. The Head of Internal Audit will report periodically to the audit committee regarding Internal Audit’s conformance to the Code of Ethics and

the Standards.

Reporting

Internal Audit at Bankeaz is directed by the Head of Internal Audit (HoIA). The HoIA will report functionally to the Chair of the Audit Committee, and administratively to the

Chief Executive Officer (CEO). This level of seniority within the organization ensures the appropriate standing, access and authority to challenge the executive.

A written report will be prepared and issued by the HoIA following the conclusion of each internal audit review and will be distributed as appropriate. Internal audit results

will also be communicated to the Audit Committee.

Internal Audit reports may include management’s response and corrective action taken or to be taken. Management’s response should include a timetable for completing

the corrective actions, and an explanation for any corrective actions that will not be taken.

Internal Audit is responsible for appropriate follow-up after issuing a report. All significant findings will remain open until the Internal Audit agrees that they may be closed.

Authority

The Head of Internal Audit and IA colleagues are authorized to:

● have full, unrestricted and timely access to all functions, systems, records, property, and colleagues, at all times adhering to Bankeaz’ relevant policies and
procedures;

(A holder of highly confidential or sensitive information is entitled to restrict access to the Head of Internal Audit alone).

In any case the level of access to information will be full compliance with the GDPR duties;

● the right to be informed proactively by management of any material decision, change, events and issues;
● have an enterprise-wide remit and mandate, which includes assessing the adequacy and effectiveness of the Risk Management, Compliance, and Finance functions;
● have the right to attend and observe any executive committee meetings or other management decision-making forums;
● have full and free access to the Audit Committee and its Chair;
● Although it is not the role of IA to second guess the decisions made by the Board, its scope should include information presented to the Board for strategic and
operational decision making where applicable to audit engagements;

● allocate resources, select subjects, determine scopes of work, and apply the techniques required to accomplish audit objectives;
● obtain the necessary assistance of Bankeaz colleagues in the execution of IA activities.

If Internal Audit experiences challenges in relation to any of the points above, the Head of Internal Audit will escalate to the Chair of the Audit Committee.

Independence & Objectivity

The HoIA shall have no executive or managerial powers and duties within Arcadia | Bankeaz except those relating to the management of the Internal Audit function.

Arcadia | Bankeaz’ internal auditors will remain free from interference from any element of the company, including matters of audit selection, scope, procedures,

frequency, timing, or report content to maintain the necessary independence and objectivity to fulfill their role.

Internal Audit staff will need to have sound judgment. This will require them to have appropriate skills, experience and expertise and to conduct their work with proficiency

and due professional care. Internal Audit staff will engage in continuing professional development. If the knowledge, skills and competencies required to perform an

engagement are not available within Internal Audit, the Head of Internal Audit will obtain alternative advice, assistance or resources.

The HoIA will confirm to the Audit Committee, at least annually, the organizational independence of internal audit at Arcadia | Bankeaz, its access to adequate resources

and any issue they wish to raise directly with the committee.

Whilst Internal Audit staff should have sufficient knowledge to identify the indicators of fraud, they are not expected to have the expertise of a person whose primary

responsibility is detecting and investigating fraud.

Scope

The scope of Internal Audit covers all activities at Arcadia GmbH and all its subsidiaries ("Arcadia | Bankeaz"). This includes all areas of current and future risks within

Arcadia | Bankeaz, and an assessment of risk management and mitigation controls in Arcadia | Bankeaz’ current and expected business environment.

The scope of Internal Audit at Arcadia | Bankeaz specifically includes, but is not limited to:

● providing an assessment on the adequacy, effectiveness and execution of Arcadia | Bankeaz’ processes for controlling its activities and managing its risks;
● forming an independent view of whether the key risks to the organization have been identified, including emerging and systemic risks, and assess how effectively
these risks are being managed;

● reporting on significant control issues that could have an adverse impact on the achievement of Group goals and objectives;
● reporting on management’s progress in addressing significant control issues;
● reporting on control effectiveness in terms of design, implementation, sustainability, and management information;
● assessing the risk and control culture of Arcadia | Bankeaz including whether processes, actions and ‘tone from the top’ are in line with espoused values, ethics, risk
appetite and policies;

● reporting on management's control awareness (attitude and approach taken by all levels of management);
● providing an overall annual opinion on the effectiveness of internal controls;
● reporting on the progress of the IA function in meeting its functional objectives and on the adequacy of its resources using appropriate KPIs;
● liaising with the Group’s regulators, sharing information with them that is relevant to their responsibilities.

In addition, Internal Audit may carry out special reviews or other assignments as required by the Executive or the Chair of the Audit Committee and undertake work

required by regulators or to validate regulatory reported matters as necessary.

Internal Audit may also undertake specific controls assurance work to independently validate progress or completion of large scale management remediation programs.

Internal auditing does not provide a substitute for controls executed by senior management – responsibility for operational effectiveness rests with them.

Roles and responsibilities
- Head of Internal Audit (HoIA)

The HoIA will:

● develop a flexible Internal Audit Plan (“the Plan”) using a risk-based methodology;
● review and adjust the internal audit plan, as necessary, in response to changes in Arcadia | Bankeaz’ business, risks, operations, programs, systems, and controls;
● ensure each audit is executed, including the establishment of clear objectives and scope, the assignment of appropriate and adequately supervised resources, the
documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to

appropriate parties;

● follow-up on audit findings to provide assurance that any identified weaknesses and corresponding actions have been addressed;
● evaluate and assess emerging risks, including those related to projects that are intended to help Arcadia | Bankeaz achieves its strategic priorities and/or delivers new
or changed services and processes. (IA should determine whether corporate events are sufficiently high risk to warrant involvement on a real time basis).

● implement a quality assurance and improvement program that covers all aspects of internal audit;
● maintain a close and collaborative working relationship with Arcadia | Bankeaz’ Risk and Compliance functions, sharing risk and control information as necessary,
coordinating planning and sharing results of any audit work; and

● provide a periodic audit report and an annual report for presentation to the Audit Committee at its formal meetings throughout the year. This report is to include the
status of the Plan, any proposed amendments to the plan, the results of all audit activities and details of any significant issues identified;

● communicate to senior management and the audit committee the impact of resource limitations on the internal audit plan;
● perform audit activity to review any post-mortem and ‘lessons learned’ analysis following Arcadia | Bankeaz suffering a significant adverse event. This review activity
will assess the roles of both the “first and second lines of defense” and IA’s own role;

● liaise with external auditors in the achievement of suitable coverage across the activities of the Group;
● ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.

- Chair of the Audit Committee

The Chair of the Audit Committee will:

● review and approve with input from the CEO on the HoIA’s performance objectives and monitor performance against these with both the CEO and the HoIA.

Performance appraisals will consider the independence, objectivity and tenure of the HoIA. If the HoIA’s tenure is more than 7 years, the Audit Committee will explicitly
discuss annually the Chair’s assessment of the HoIA’s independence and objectivity;

● review and approve the HoIA’s annual pay and reward package to be proposed to the Remuneration Committee (as per the IIA guidance);
● assist in the resolution of any conflicting priorities that may arise;
● ensure the HoIA has support in securing people to deliver the Plan and discharge internal audit’s duties;
● monitor and review the effectiveness of the internal audit function;
● lead the audit committee in the challenge and approve the audit Plan;
● challenge and review all reports submitted to the Audit Committee and in turn challenge management on the effectiveness of delivering an adequate risk and control environment at Arcadia | Bankeaz where significant issues have been identified; and

● approve the appointment and termination of appointment of the HoIA.

- CEO

The CEO is responsible for the day to day line management of the HoIA taking into account input from the Chair of the Audit Committee. He will:

● recommend the HoIA’s annual pay and reward package;[1] [2];
● set work priorities and assist in the resolution of any conflicting priorities that may arise; and
● approve the contract for the engagement of third party providers of outsourced or co-sourced internal audit services.[3] [4].

Quality assurance

Internal Audit will maintain a quality assurance and improvement program that covers all aspects of internal audit activity. The program will include an evaluation of

whether internal audit at Arcadia | Bankeaz has conformed with the Definition of Internal Auditing, the International Standards, and an evaluation of whether internal

auditors at Bankeaz adhere to the IIA’s Code of Ethics.

The program will also assess the efficiency and effectiveness of internal audit at Arcadia | Bankeaz and identify opportunities for improvement.

The HoIA will communicate to senior management and the Board the progress of the quality assurance and improvement program, including results of ongoing internal

assessments and external assessments conducted at least every five years.

Bankeaz | App Logo
Bankeaz | App Logo
________________________________________________________________________________________