Version date: 8 July 2015 - onwards

Principle 10: Internal audit

The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank.

138. An effective and efficient internal audit function constitutes the third line of defence in the system of internal control. It provides an independent assurance to the board of directors and senior management on the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organisation and its reputation [see BCBS, The internal audit function in banks, 2012, available at www.bis.org/publ/bcbs223.pdf].

139. The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively.

140. There should be no "dual hatting" by the heads of these functions.

141. The board and senior management contribute to the effectiveness of the internal audit function by:

providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies;