Internal Audit Charter
2025
Table of Contents
Introduction
Definitions
Mission of Internal Audit
Internal Audit Authority
Operational Structure
Independence of Internal Audit
Audit Methodology
Scope of Internal Audit
Impartiality of Internal Audit
Professionalism
Accountability of the Group Chief Internal Auditor
Internal Audit Plan
Reporting and Monitoring
Criteria for Outsourcing Internal Audit Engagements
Coordination and Collaboration with Other Control Functions
Coordination and Collaboration with the Subsidiary
Coordination with External Auditors
Quality Assurance and Improvement Program
External Communication
Access
Approvals
1. Introduction
The Internal Audit Charter (hereinafter “the Charter”) defines and describes the
principles and basic operational concepts of the Internal Audit within NBB. In addition,
the Charter also defines the set of principles and rules which Auditors must adhere to
when performing their roles.
In line with regulatory requirements, this charter will be available to Internal and
External Stakeholders through the Bank’s official website.
The Charter is in compliance with the current legal and regulatory framework.
The Internal Audit Charter will be reviewed by the Board Audit Committee either
annually or when there are material changes in the operation, the responsibilities,
the organizational structure of the IAD or auditing practices which necessitate
amendments to the charter. The Audit Committee’s approval will be sought for any
amendments to the charter.
2. Definitions
Internal Audit
Internal Auditing is defined by the Institute of Internal Auditors (IIA) as “an
independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. It assists an organization to accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control and governance processes.”
Role of Internal Audit
The Internal Audit function is established by the Board Audit Committee and its roles
and responsibilities are defined by the Board Audit Committee as part of their oversight
role.
Internal Audit Charter
The Internal Audit charter is a formal document that defines the authority, scope of
work, and responsibility of Internal Audit Function. The charter establishes the Internal
Audit Function’s position, power and responsibilities within the Bank; and authorizes
access to records, personnel, and physical properties relevant to the performance of
engagements.
3. Mission of Internal Audit
3.1. Perform any and all types of audits of all units, activities and third parties who
provide substantial (critical) services to the Bank, in order to form a reasonable,
objective and independent opinion about the adequacy and the effectiveness of the
Internal Control System (hereinafter “ICS”) of NBB.
3.2. Provide objective assurance, as defined, through the Audit Committee to the
Board of Directors of NBB with regards to the results of the assessment of the
adequacy and effectiveness of the Internal Control System of the Bank.
3.3. Perform any other activity that is specifically required by the legal and regulatory
framework.
3.4. Assess the Internal Control System based on criteria derived from international
standards and best practices.
4. Internal Audit Authority
4.1. The Internal Audit function, with strict accountability for confidentiality and
safeguarding records and information, is authorized full, free, and unrestricted
access to any and all of Bank’s records, physical properties, and personnel pertinent
to carrying out any engagement.
4.2. All employees are requested to assist the Internal Audit activity in fulfilling its
roles and responsibilities. Restriction to these accesses imposed by any employee or
management of the Bank, which prevents the Internal Audit function from performing
its duties, will be reported immediately to the Group Chief Executive Officer (GCEO)
and to the Audit Committee, based on circumstances as determined by the Group
Chief Internal Auditor (GCIA).
4.3. The Internal Audit function will also have free and unrestricted access to the
Board. The GCIA will have direct access to the Audit Committee and will communicate
directly to the Chairperson of the Audit Committee, any matter that is believed to be
of sufficient magnitude and importance to require immediate attention of the Audit
Committee.
5. Operational Structure
5.1. The Internal Audit function is a single pool of auditors led by the GCIA, who is
responsible for setting the strategy and ensuring that the function operates smoothly
in accordance with the law, regulations, and international best practices.
5.2. Auditors are allocated to audit teams according to audit requirements and
time constraints of specific audit engagements. Participation of experts (internal
or external) may be sought whenever this is deemed necessary and only following
approval by the Audit Committee with regard to the associated cost.
5.3. The Internal Audit function has an annual budget, which is executed under the
supervision of the Audit Committee, always in accordance with the Bank’s established
procedures regarding the request for proposals, selection process and invoice
settlement.
6. Independence of Internal Audit Function
6.1. The Internal Audit function in the Bank is a permanent function. The Audit
Committee of the Board in coordination with the Bank’s GCEO will ensure that
appropriate measures are taken, including providing appropriate resources and staffing
to ensure that the Internal Audit function achieves its objectives and accomplishes
its mission.
6.2. The GCIA will report functionally to the Audit Committee of the Board and
administratively (i.e. day to day operations) to the GCEO.
6.3. The Internal Audit function will have no direct operational responsibility or
authority over any of the activities that are subject to audit. Accordingly, it will not
develop nor install systems or procedures, prepare records, or engage in any other
activity that would normally be audited and will be independent from the day-to-day
internal control process in order to be able to carry out its assignments with
objectivity and impartiality.
7. Audit Methodology
The audit methodology applied by the Internal Audit function is in compliance with
the Standards for the Professional Practice of Internal Auditing of the Institute of
Internal Auditors (hereinafter “the Standards”).
8. Scope of Internal Audit Function
8.1. The scope of coverage for the Internal Audit function will consider the whole
Bank’s universe/activities. Audit planning is performed based on a risk assessment
for the Three Year Strategic audit plan. The audit centers which comprise the audit
universe of the Bank are assessed and prioritized for audit according to their risk
profile.
8.2. The scope of Internal Audit will include the examination and evaluation of
the appropriateness and effectiveness of risk management, internal control and
governance processes and the manner in which assigned responsibilities are fulfilled
by the various branches and departments in the Bank.
8.3. Internal Audit activities include investigating whistleblowing cases as per the
requirement of the whistleblowing policy (whenever referred to Internal Audit by the
Chairperson of the Audit Committee).
8.4. The scope and objective of the Internal Audit will also cover (but not be limited to)
the following:
8.4.1. Review of the application and effectiveness of risk management procedures
and risk assessment methodologies.
8.4.2. Review of the management and financial information systems, including the
electronic information system and electronic banking services.
8.4.3. Review of the accuracy and reliability of the accounting records and financial
reports.
8.4.4. Review of the Bank’s system of assessing its capital in relation to its estimate of
risk.
8.4.5. Testing of both transactions and functioning of specific internal control
procedures.
8.4.6. Adherence to legal and regulatory requirements, code of conduct and the
implementation of policies and procedures.
8.4.7. Testing of the integrity, reliability and timeliness of the regulatory reporting.
8.4.8. Carrying out special investigations at the request of the Board Audit Committee
or GCEO, as appropriate.
8.4.9. Compliance with policies, procedures and risk controls.
8.5. Reliability and timeliness of financial and management information including
electronic information systems.
8.6. Assess the independence of external auditors.
8.7. Perform consulting and advisory services. These services can be provided on a
wide range of topics, such as risk management, internal controls, governance, and
process improvement. Examples of consulting or advisory services that the Internal
Audit function may provide:
8.7.1. Assessing the effectiveness of the Bank’s risk management framework.
8.7.2. Evaluating the design and effectiveness of internal controls.
8.7.3. Providing advice on how to improve governance practices.
8.7.4. Assisting with the implementation of new processes or systems.
8.8. Any consulting or advisory services, if accepted, must be in line with the internal
audit standards and must not compromise the auditor’s independence. Further, the
following terms and conditions must be applied:
8.8.1. The Internal Audit function must not provide consulting or advisory services on
any activity or entity that it has recently audited.
8.8.2. The Internal Audit function must not provide consulting or advisory services on
any activity or entity that is responsible for its oversight or evaluation.
8.8.3. The Internal Audit function must not provide consulting or advisory services on
any activity or entity that is involved in a conflict of interest with the internal audit
function.
8.8.4. The Internal Audit function must disclose all potential conflicts of interest to
the audit committee before providing any consulting or advisory services.
8.8.5. The Internal Audit function must obtain written approval from the audit
committee before providing any consulting or advisory services.
8.8.6. The Internal Audit function must provide regular reports to the audit committee
on all consulting or advisory services that it has provided.
9. Impartiality of Internal Audit
9.1. Internal Audit should be objective and impartial when performing the audit
assignments and should be free from bias and interference.
9.2. Internal Audit should avoid any conflict of interest.
9.3. Whenever practical, assignments to staff within Internal Audit function should
be rotated periodically.
9.4. Internally recruited auditors should not audit activities or functions in which they
have worked during the last two years.
9.5. The Internal Audit should not be involved in the operations of the Bank or in
selecting or implementing internal control measures to avoid impairment of its
judgmental independence.
9.6. In cases where an audit opinion is requested for an important new risky activity or
system, the auditors will only give comments and should not be made responsible
for the development and introduction of any measure, as such tasks will remain the
responsibility of management.
9.7. The Internal Audit can audit such activities and subsequent internal audit reports
can contain recommendations relating to deficiencies or weaknesses and suggestions
for improvements.
9.8. Internal auditors will exhibit the highest level of professional objectivity in
gathering, evaluating, and communicating information about the activity or process
being examined. Internal auditors will make a balanced assessment of all the relevant
circumstances and not be unduly influenced by their own interests or by others in
forming judgments.
9.9. Annually, the GCIA will confirm to the Board Audit Committee his independence
and the organizational independence of the Internal Audit activity.
10. Professionalism
10.1. The Internal Audit function will govern itself by adherence to The Institute
of Internal Auditors’ guidance as applicable to guide the Internal Audit operations
including the Definition of Internal Auditing, the Core Principles, the Code of Ethics,
and the International Standards for the Professional Practice of Internal Auditing
(Standards). This guidance constitutes principles of the fundamental requirements
for the professional practice of Internal Auditing and for evaluating the effectiveness
of the Internal Audit activity’s performance.
10.2. The Internal Audit activity will also adhere to the Bank’s relevant policies and
procedures and the Internal Audit activity’s standard operating procedures manual.
10.3. All staff members of the Internal Audit should have sufficient and up-to-date
knowledge of auditing techniques.
10.4. Professional competence of Internal Audit staff should be maintained through
systematic training. Professional competence should be assessed taking into account
the nature of the role and the auditor’s capacity to collect, examine and evaluate
information, and to communicate the findings properly given the growing technical
complexity of the Bank’s activities.
10.5. Whenever practicable, rotation of staff within the Internal Audit should be
carried out periodically to reduce the negative impact of routine tasks that could
affect the auditor’s capacity for critical judgment. Where possible, the Group Chief
Internal Auditor may explore the possibility of deputing members of the Internal Audit
team to external audit firms. Further, co-sourcing arrangements with the external
audit firms can also be considered.
10.6. All Internal Audit staff should sign and acknowledge a standard code of conduct
document establishing the principle and rule of conduct covering the way Internal
Audit Assignments should be carried out.
11. Accountability of the Group Chief Internal Auditor
11.1. Annually assesses whether the authority and responsibility of the IAD, as
defined in the Charter, continue to be adequate to enable the Internal Audit
activity to accomplish its objectives. The result of the periodic assessment should be
communicated to the Audit Committee.
11.2. Ensures that the Internal Audit Charter is reviewed periodically and that the
charter is approved by the Audit Committee.
11.3. Ensures that the Internal Audit function complies, where applicable, with the
International Standards document “Standards for the Professional Practice of Internal
Auditing”.
11.4. Establish and review on a regular basis the Audit Plan and the written Policies
and Procedures for the IAD.
11.5. Ensure continuous enhancement of professional competence and training of
the audit staff and that the necessary resources are available.
11.6. Officially inform Senior Management about audit findings, agreed action and
current status. Additionally report to the Board Audit Committee on the same, further
commenting regarding the assessment of the adequacy and effectiveness of the
internal control system as well as the achievement of internal audit objectives.
11.7. Support the Audit Committee in assessing the independence, accountability
and effectiveness of the external auditors and in monitoring the rotation
arrangements of the audit partners according to the regulatory requirements.
12. Internal Audit Plan
12.1. The Group Chief Internal Auditor will submit to the Board Audit Committee the
risk based Internal Audit Plan for review and approval. The internal audit plan will
consist of a work schedule as well as resource requirements to properly and efficiently
execute and implement the plan. The Internal Audit Plan should be submitted to the
Board Audit Committee during the fourth quarter of each year.
12.2. The Group Chief Internal Auditor will communicate the impact of resource
limitations and significant interim changes to senior management and the Board
Audit Committee.
12.3. The Internal Audit Plan will be developed based on a prioritization of the audit
universe using a risk-based methodology, including input from senior management
and the Board Audit Committee.
12.4. The Group Chief Internal Auditor will review and adjust the plan, as necessary,
in response to changes in the organization’s business, risks, operations, programs,
systems, and controls.
12.5. The progress of the plan along with any significant deviation from the approved
internal audit plan will be communicated to GCEO and the Audit Committee of the
Board through periodic activity reports.
13. Reporting and Monitoring
13.1. A written report will be prepared and issued by the Group Chief Internal Auditor
or designee following the conclusion of each internal audit engagement and will be
distributed as appropriate.
13.2. The Internal Audit report should include management’s response and
corrective action taken or to be taken in regard to the specific findings and
recommendations.
13.3. Management’s response, provided by management of the audited area should
include a target date for anticipated completion of action to be taken and an
explanation for any corrective action that will not be implemented.
13.4. The Internal Audit function will be responsible for appropriate follow-up on
engagement findings and recommendations to ensure they are resolved within a
reasonable period of time.
13.5. Internal Audit results will also be communicated on a quarterly basis to the
Audit Committee of the Board.
14. Criteria for Outsourcing Internal Audit engagements
14.1. When to Outsource
14.1.1. The Internal Audit function may outsource some of its engagements to
external experts when:
a) The engagement requires specialized skills or knowledge that the Internal Audit
function does not have.
b) The engagement is complex or time-consuming.
c) The engagement is geographically remote and would be difficult for the Internal
Audit function to perform.
d) Outsourcing the engagement would be more cost-effective.
14.2. How to Outsource
14.2.1. When outsourcing an engagement, the Internal Audit function must:
a) Select a qualified and experienced external expert.
b) Conduct due diligence on the external expert to ensure that they have the
necessary skills, experience, and independence to perform the engagement.
c) Enter into a written agreement with the external expert that clearly defines the
scope of the engagement, the deliverables, the timeline, and the fees.
d) Monitor the external expert’s performance throughout the engagement and
ensure that they are meeting the terms of the agreement.
e) Review the external expert’s work and report on their findings to the Senior
Management and the Audit Committee.
14.3. Additional Criteria
14.3.1. In addition to the above criteria, the following will also be considered when
outsourcing internal audit engagements:
a) The nature of the engagement. Some engagements that involve sensitive information
may be less suitable for outsourcing.
b) The regulatory environment. Some regulations may restrict or prohibit the
outsourcing of certain internal audit engagements.
All the above criteria are to be discussed with the Audit Committee and the Audit
Committee approval is required before outsourcing any engagements.
15. Coordination and Collaboration with Other Control Functions
15.1. The Internal Audit function will coordinate and collaborate with other control
functions within the bank to promote the effectiveness of its work. This will include:
15.1.1. Regular meetings with the Risk Management, Compliance, and other Control
functions to discuss top risks, audit plans, and findings.
15.1.2. Sharing of audit reports and other control-related documents with other
control functions.
15.1.3. The GCIA attending the bank’s Operational Risk Committee, Information
Security Committee, and Compliance Committee as an observer.
16. Coordination and Collaboration with the Subsidiary
The Subsidiary’s (BisB) Chief Internal Auditor is to report administratively to the GCIA
and functionally to the Subsidiary’s Board Audit Committee. The GCIA is authorized to
attend the Subsidiary’s Board Audit Committee meetings as an “Observer” to ensure
alignment between the subsidiary (BisB) and parent (NBB) overall audit strategy.
The GCIA should define the group’s Internal Audit strategy, determine the organization
of the Internal Audit function both at the parent’s and the subsidiary’s level (in
consultation with these entities’ respective Audit Committees and in accordance with
local laws) and formulate the Internal Audit principles, the audit methodology and
quality assurance measures. The GCIA must also determine the audit scope for every
Internal Audit exercise, by the parent’s Internal Audit function, for every subsidiary on
an annual basis in compliance with local regulations and incorporate local knowledge
and experience.
17. Coordination with External Auditors
17.1. The Internal Audit function will coordinate with the external auditors through
the following procedure:
17.1.1. At the beginning of each audit year, the Internal Audit function will provide
the External Auditors with a copy of its approved annual audit plan.
17.1.2. Periodically, the Internal Audit function will meet with the External Auditors
to discuss their audit plans and findings.
17.1.3. The Internal Audit function will provide the external auditors with copies of
its audit reports.
17.1.4. The Internal Audit function will receive the draft copy of the External Auditor
management letter and coordinate with the relevant stakeholders to obtain feedback,
seek CEO approval, and communicate the final official copy to the external auditor.
The Internal Audit function will also provide the External Auditor, Audit Committee,
and GCEO with regular updates on the progress achieved in resolving the external
auditor’s reported issues.
17.1.5. The Internal Audit function will resolve any audit differences with the external
auditors in a timely and professional manner.
18. Quality Assurance and Improvement Program (QAIP)
The Internal Audit activity will maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.
The program will include an evaluation of the Internal Audit activity’s conformance
with the Definition of Internal Auditing and the Standards, where applicable, and of
whether Internal Auditors apply the Code of Ethics. The program also assesses the
efficiency and effectiveness of the Internal Audit activity and identifies opportunities
for improvement.
The Group Chief Internal Auditor will communicate to the Audit Committee of the
Board on the Internal Audit activity’s quality assurance and improvement program,
including results of ongoing internal assessments and external assessments. In
line with the Institute of Internal Auditors (IIA) and Central Bank of Bahrain (CBB)
requirements, external quality assessments will be carried out at least once every
five years.
19. External Communication
All communication of the Internal Audit Department with third parties, external to
NBB, must be authorized by the Chairperson of the Audit Committee or the CEO.
The CBB may at its own discretion communicate directly with the Group Chief Internal
Auditor to discuss issues of material concerns related to risks, compliance, and internal
controls.
All Internal Audit reports along with updates on resolved and pending issues must be
submitted to CBB at least three weeks prior to the Prudential Meeting date.
20. Access
Only the Audit Committee has unrestricted access to the audit files. Access to
those files by any other individual is only permitted upon written approval by the
Chairperson of the Audit Committee.
21. Approvals
The Audit Committee Charter will be approved by the Board of Directors. The Audit
Committee will approve the Internal Audit Charter and the Three Year Audit Plan and
Scope. The detailed procedures and processes for the Internal Audit Department
will be approved by the Group Chief Internal Auditor and communicated to the Audit
Committee for ratification.