Audit Committee
Audit Committee members
Phil Rivett (Chair), Alan Keir, Sally Orton and Anand Aithal.
Audit Committee Terms of Reference
Approved by the Board of Nationwide Building Society (the Society) on 25 September 2024 to take effect on 01 October 2024
1. Purpose and authority
1.1 The purpose of the Audit Committee (the committee) is to provide oversight and advice to the Board in respect of financial and non-financial reporting, internal and external audit, and the adequacy and effectiveness of internal controls and risk management systems of the Society (on a solo and consolidated basis), and to report formally to the Board on those matters after each meeting.
2. Authority
2.1 The Committee is a Committee of the Board and has delegated authority from the Board to which it regularly reports in respect of its functions and responsibilities as set out in these Terms of Reference.
2.2 The Committee may sub-delegate any or all of its powers and authority as it sees fit, including, without limitation, the establishment of sub-committees to analyse particular issues and to report back to the Committee.
2.3 The Committee has authority to oversee any investigation of activities relating to the Group which are within these Terms of Reference.
2.4 The Committee is authorised to seek any information it requires from any employee of the Group in order to perform its duties or call any employee to be questioned at a meeting of the Committee as and when required.
2.5 The Committee may obtain, at the Group's expense, external legal or other professional advice on any matter within these Terms of Reference.
2.6 The Committee Chair and the Society Secretary are authorised by the Board to review and approve any non-material change required to be made to these Terms of Reference. Any such change shall be reported to the Board.
3. Membership
3.1 Members of the Committee shall be appointed by the Board, on the recommendation of the Nomination and Governance Committee in consultation with the Chair of the Committee.
3.2 The Committee shall be made up of at least three directors of the Society, including a member of the Board Risk Committee. The Committee as a whole shall have competence relevant to the banking sector and at least one of whom shall have recent and relevant financial experience. All members of the Committee shall be independent non-executive directors.
3.3 The Board shall appoint the Committee Chair who shall be an independent non-executive director.
3.4 In the absence of the Committee Chair and/or an appointed deputy, the remaining members present shall elect one of themselves to chair the meeting.
3.5 The Chair of the Society shall not be a member of the Committee.
3.6 Appointments to the Committee shall be for a period of up to three years, which may be extended for a further three-year period (or, in exceptional circumstances, two such periods), provided the director still meets the criteria for membership of the Committee.
3.7 Only the members of the Committee have the right to attend Committee meetings. Other individuals such as the Chair of the Society, Group CEO, Group CFO, Group CRO, Chief Internal Auditor, Executive Directors of the Society or VMUK, members of the VMUK board audit committee (VMBAC), external audit partners, external adviser(s), and representatives from relevant business functions of the Group may be invited to attend all or part of any meeting as and when appropriate.
4. Secretary
4.1 The Society Secretary or their nominee shall act as the Secretary of the Committee and will ensure that the Committee receives information and papers in a timely manner to enable full and proper consideration to be given to the issues.
5. Quorum and mode of meetings
5.1 The quorum necessary for the transaction of business shall be two members, one of whom must be the Chair of the Committee or their appointed deputy.
5.2 A duly convened meeting of the Committee at which a quorum is present shall be competent to exercise all or any of the authorities, powers and discretions vested in or exercisable by the Committee.
5.3 In the event of difficulty in forming a quorum, independent non-executive directors of the Society who are not members of the Committee may be co-opted as members for individual meetings.
5.4 A decision of the Committee may be taken by written resolution or via electronic means. A decision in this instance will be valid only if taken by a quorum as set out in 5.1 above.
5.5 The members of the Committee shall be deemed to meet together if they are in separate locations, but are linked by conference telephone, video or other communication equipment. For the avoidance of doubt, a quorum in such event shall be as set out in 5.1 above. Such a meeting shall be deemed to take place where the largest group of members of the Committee participating is assembled or, if there is no such group, where the Chair of the meeting is located.
6. Frequency of meetings
6.1 The Committee shall meet at least four times at appropriate times in the financial reporting and audit cycle, and otherwise as required.
6.2 Outside of the formal meeting programme, the Committee Chair, and to a lesser extent other Committee members, will maintain a dialogue with key individuals involved in the Group's governance, including the Chair of the Society, the Group CEO, the Group CFO, the External Audit lead partner and the Chief Internal Auditor.
6.3 At least once a year, without the presence of executive management, the Committee shall meet with the external auditors to discuss matters relating to their remit and any issues arising from the audit. The Committee shall meet once a year with the Group CRO, and once a year with the Chief Internal Auditor, without other executive management present. In addition, the chair of the VMBAC shall be given the right of direct access to the Chair of the Committee.
7. Notice of meetings
7.1 Meetings of the Committee shall be called by the Secretary of the Committee at the request of the Committee Chair.
7.2 Meetings of the Committee shall be called by the Secretary of the Committee at the request of any of its members or at the request of external or internal auditors if they consider it necessary.
7.3 Unless otherwise agreed, notice of each meeting confirming the venue, time and date together with an agenda of items to be discussed, shall be forwarded to each member of the Committee and any other person required to attend no later than three working days before the date of the meeting.
7.4 Supporting papers shall be sent to Committee members and to other attendees as appropriate, at the same time.
8. Minutes of meetings
8.1 The Secretary of the Committee shall minute the proceedings and resolutions of all meetings of the Committee.
8.2 The Secretary of the Committee shall record any conflicts of interest reported at the meeting.
8.3 Draft minutes of Committee meetings shall be circulated to all members of the Committee. Agreed minutes are available to all members of the Board (unless, in the opinion of the Committee Chair, it would be inappropriate to do so).
9. Duties and responsibilities
Financial Reporting
The Committee shall:
9.1 monitor the integrity of the consolidated and solo financial statements of the Society, including annual and interim reports, preliminary results announcements, summary financial statements and any other formal announcements relating to financial performance (by reviewing significant financial reporting issues and judgements which they contain, and all material information presented with the financial statements). In particular, the Committee shall review and challenge where necessary, taking into account the external auditor’s views:
9.1.1 the appropriateness and application of significant accounting policies and any changes to them;
9.1.2 the methods used to account for significant or unusual transactions where different approaches are possible;
9.1.3 whether applicable accounting standards have been adopted and appropriate estimates and judgements made;
9.1.4 whether the financial statements, taken as a whole, are fair, balanced and understandable and provide the information necessary to members to assess the Society and the Group's performance, business model and strategy,
9.1.5 the appropriateness of preparing annual and interim reports on a going concern basis, and any identified material uncertainties to the Society’s ability to continue to do so over a period of three years, and
9.1.6 all material information presented with the financial statements;
9.2 review any financial information contained in other publicly disclosed documentation,
9.3 review and challenge where necessary management’s assessment of the Society's Financial Position and Prospects and Directors’ Risk Assessment; and
9.4 where it is not satisfied with any aspect of the proposed financial reporting, it shall report its views to the Board.
Non-Financial Reporting
9.5 The Committee shall review any relevant non-financial disclosures (including those related to climate and ESG matters), including, but not limited to, any such disclosures made within the Society’s annual and interim reports.
Internal Controls and Risk Management Systems
The Committee shall:
9.6 keep under review the adequacy and effectiveness of the Society and the Group's systems of internal controls, including the internal financial controls system, that identify, assess, manage and monitor financial risks and other internal control and risk management systems. For the avoidance of doubt, the oversight of financial risks, is the responsibility of the Board Risk Committee; and
9.7 review and recommend to the Board for its approval the statements to be included in the annual report concerning the maintenance of the internal control and risk management framework prior to their endorsement by the Board and the external auditors.
Remuneration
9.8 The Committee shall provide input to the Remuneration Committee to assist that committee in its assessment of possible impacts on variable remuneration. Such “input” may be provided in conjunction with the Board Risk Committee.
9.9 The Committee shall review any recommendations, including those made by the Investigations Oversight Committee, to the Remuneration Committee in respect of serious breaches of risk management or significant audit-related issues.
Internal Audit
The Committee shall:
9.10 monitor, review and assess the effectiveness, performance, resourcing, independence and standing of the Society's Internal Audit function;
9.11 oversee the work of Internal Audit which reports functionally into the Chair of the Committee
9.12 approve the appointment and removal of the Chief Internal Auditor;
9.13 approve the Internal Audit Charter;
9.14 review and approve the Annual Internal Audit Plan and budget, ensuring appropriate coverage of systems for ensuring compliance with the regulatory environment within which the Society and the Group operates, including assurance over the effectiveness of the Risk function;
9.15 ensure Internal Audit has unrestricted scope, the necessary resources and access to information to enable it to fulfil its mandate, ensuring that there is open communication between different functions and that the Internal Audit function evaluates the effectiveness of these functions as part of its Internal Audit Plan, and ensuring that the Internal Audit function is equipped to perform in accordance with appropriate professional standards for internal auditors;
9.16 consider findings of internal investigations and review and monitor management's responsiveness to the findings and recommendations of the Chief Internal Auditor to protect the Society and the Group's assets, reputation and sustainability and ensure the effectiveness of relevant risk management and governance processes;
9.17 ensure material issues arising from the work of Internal Audit relating to matters falling within the scope of other committees are communicated to those committees and that feedback is received from them. Accordingly, Internal Audit shall provide relevant reports to other committees; and
9.18 obtain an internal effectiveness review on an annual basis and obtain an independent and objective external assessment of the Internal Audit function as a whole at least every five years in accordance with the Chartered Institute of Internal Auditors International Standards.
The Committee Chair shall:
9.19 set out the objectives of the Chief Internal Auditor and assess their performance with support from the Group CEO and oversee and approve the appointment process for the independent assessor to review the internal audit function at least every five years;
9.20 ensure that the Chief Internal Auditor shall be given the right of direct access to the Chair of the Board and to the Committee, providing independence from executive management and accountability to the Committee; and
9.21 recommend the annual remuneration of the Chief Internal Auditor for approval by the Remuneration Committee.
External Audit
The Committee shall oversee the relationship with the external auditor including, but not limited to:
Engagement Terms and Fees
9.22 considering and making recommendations to the Board, to be put to members for approval at the Society Annual General Meeting (AGM), in relation to the appointment, re-appointment and removal of the external auditor, which may include consideration of the risk of auditor withdrawal from the market;
9.23 overseeing the selection process for the new auditor and if an auditor resigns, investigating the issues leading to this and decide whether any action is required;
9.24 overseeing the tender of the external audit appointment at least every 10 years, and the rotation of the audit partner / firm in accordance with regulatory requirements;
9.25 approval of the auditor’s remuneration, whether fees for audit or non-audit services, ensuring that the level of fees is appropriate to enable an effective and high-quality audit to be conducted;
9.26 review and approval of the auditor’s engagement letter;
Independence and Quality Control
9.27 assessing annually the auditor’s independence and objectivity, taking into account relevant professional and regulatory requirements and the relationship with the audit firm as a whole, including the provision of any non-audit services;
9.28 satisfying itself that there are no relationships (such as family, employment, investment, financial or business) between the auditor and the Society or the Group (other than in the ordinary course of business);
9.29 agreeing with the Board a policy on the employment of former employees of the external auditor, and monitoring the implementation of this policy;
9.30 developing and implementing a policy on the supply of non-audit services by the external auditor, taking into account any relevant ethical guidance on the matter;
9.31 assessing annually the external auditor’s qualifications, expertise and resources and the effectiveness of the audit process which shall include a report from the external auditor on their own internal quality procedures;
9.32 undertaking an annual review of the effectiveness of the external audit process;
9.33 monitoring the auditor's compliance with relevant ethical and professional guidance on the rotation of audit partners and senior staff, the level of fees paid by the Society compared to the overall fee income of the firm, office and partner and other related requirements;
9.34 meeting regularly with the external auditor, including once at the planning stage before the audit and once after the audit at the reporting stage. The Committee shall meet the external auditor at least once a year, without management being present, to discuss their remit and any issues arising from the audit;
Conduct and Results of Audit
9.35 reviewing the annual audit plan and ensuring that it is consistent with the scope of the audit engagement;
9.36 reviewing the findings of the audit with the external auditor. This shall include but not be limited to:
9.36.1 a discussion of any major issues which arose during the audit,
9.36.2 any significant or unresolved accounting and audit judgements, problems or reservations,
9.36.3 major judgemental areas,
9.36.4 alternative accounting treatments together with the potential ramifications,
9.36.5 any significant adjustments,
9.36.6 the going concern assumption and viability statement,
9.36.7 compliance with accounting standards, stock exchange rules and legal requirements,
9.36.8 reclassifications or proposed additional disclosures,
9.36.9 any material changes in accounting policies and practices, any communications provided by the external auditor to management,
9.36.10 levels of errors identified during the audit, and
9.36.11 any other matters the external auditor wishes to discuss;
9.37 reviewing any representation letter(s) requested by the external auditor before they are signed by management; and
9.38 reviewing the management letter and managements response to the auditors findings and recommendations.
10. Consolidated Oversight
VM SUB-GROUP
10.1 The VMBAC is responsible for overseeing the management of financial and regulatory reporting and the internal financial controls in place across the VM Sub-Group, as outlined in its charter.
10.2 The Committee is responsible for overseeing the financial and non-financial reporting, internal and external audit, and the adequacy and effectiveness of internal controls and risk management systems of the Group and, therefore, exercises a degree of oversight over the VM Sub-Group in the context of the Group's consolidated position.
10.3 In exercising this oversight, the Committee shall:
10.3.1 review the composition, powers and responsibilities of the VMBAC, including by approving any material changes to its terms of reference; and
10.3.2 work and liaise as necessary with the VMBAC. In exercising its responsibilities, the Committee will have the right to request that the VMBAC take action or provide information, documentation and assistance such as the Committee shall determine.
THE MORTGAGE WORKS
10.4 The Society’s enhanced regulated subsidiary is known as The Mortgage Works (UK) plc (“TMW”). The Committee’s responsibilities in relation to TMW are as follows:
10.4.1 to provide oversight of external audit within TMW and consider, and if appropriate, endorse material deviations by TMW from the approach adopted for the audit of the Society,
10.4.2 to provide oversight of internal audit work conducted within TMW in addition to Society wide internal audits; and
10.4.3 to work and liaise as necessary with TMW and their Directors.
10.5 In exercising its responsibilities, the Committee shall have the right to request TMW Directors to take action or provide information and documentation from time to time such as it shall determine.
11. Reporting responsibilities
11.1 The Committee Chair (or their elected nominee) shall report formally to the Board on its proceedings after each meeting on all matters within its duties and responsibilities including the significant issues that it considered in relation to the financial statements and how these issues were addressed; its assessment of the effectiveness of the external audit process; and any other issues on which the Board has requested the Committee’s opinion.
11.2 The Committee shall make whatever recommendations to the Board it deems appropriate on any area within its remit where action or improvement is needed.
11.3 A report to members on the Committee’s activities is to be included in the Society’s Annual Report and Accounts. The report shall include a description of significant issues dealt with by the Committee.
11.4 Where any disagreements between the Board and the Committee cannot be resolved, the Committee has the right to report the issue to members as part of its activities in the Annual Report and Accounts.
12. Decision making and Senior Manager & Certification regime responsibilities
12.1 All members of the Committee are responsible for and bound by the decisions taken by the Committee whether or not they actively supported or participated in the decisions although dissent may be recorded.
12.2 A member of the Committee who is a Senior Management Function (SMF) Holder under the Senior Manager and Certification Regime (SMCR) remains individually accountable for their contributions to collective decisions and their implementation insofar as those contributions are in scope of their Senior Manager responsibilities and therefore they also remain accountable for taking reasonable steps in respect of their function and allocated responsibilities.
13. Annual General Meeting
13.1 The Chair of the Committee or a deputy chosen from the Committee membership shall attend the Annual General Meeting to respond to any member questions on the Committee's activities or any matter within the remit of the Committee.
14. Miscellaneous
14.1 Where there is a perceived overlap of responsibilities between the Committee and the Board Risk Committee, the respective Committee Chairs shall have discretion to agree the most appropriate Committee to fulfil any obligation. An obligation under the Terms of Reference of the Committee or the Board Risk Committee will be deemed by the Board to have been fulfilled provided it is dealt with by either of the Committee or the Board Risk Committee.
The Committee shall:
14.2 give due consideration to applicable laws and regulations including the PRA and FCA’s Principles and Rules and associated guidance, the UK Listing Authority’s Listing Rules and Disclosure Guidance and Transparency Rules, the Building Societies Act 1986, the Financial Reporting Council’s Audit Committees and the External Audit: Minimum Standard, and to the recommendations in the UK Corporate Governance Code, as appropriate;
14.3 be cognisant of any conduct risks arising (or increasing) as a result of their judgment and will take proactive steps to avoid or mitigate these risks where possible;
14.4 work and liaise as necessary with all other Board Committees as required;
14.5 have access to sufficient resources in order to carry out its duties, including access to Secretariat for assistance as required;
14.6 receive appropriate and timely training, both in the form of an induction programme for new members and on an on-going basis for all members; and
14.7 at least once a year, review its own performance, constitution and Terms of Reference to ensure it is operating effectively and in line with PRA and FCA requirements, and report the results of this review and recommend any changes necessary to the Board for approval.
For the purposes of these Terms of Reference, terms shall have the meanings given to them in the Governance Framework document and the “Society Plan” shall mean Nationwide’s Strategy.
Nationwide Internal Audit Charter
January 2024
1. Introduction
The activities of Internal Audit (IA) in Nationwide Building Society and its subsidiary companies are governed by the Internal Audit Charter. The Charter defines the role, authority and responsibilities of IA and is approved annually by the Audit Committee.
The contents of the document are as follows:
- Purpose and scope
- Authority
- Independence
- Responsibilities of IA
- Audit Practice Standards
2. Purpose and scope
As Nationwide’s third line, IA provides independent assurance to the Board and executive management on the design adequacy and operating effectiveness of governance, risk management and internal controls to monitor, manage and mitigate key risks to achieving Nationwide’s objectives and protecting its assets, reputation and sustainability. IA has adopted a risk-based approach to be better placed to respond to the dynamic risk environment that Nationwide operates in.
IA’s scope is unrestricted and covers all the activities of the Society, its subsidiaries and those performed by third parties on behalf of the Society. This includes but is not restricted to:
- the design adequacy and operational effectiveness of Nationwide’s governance structures, policies, processes and controls, including achievement of intended outcomes;
- the information presented to the Board and Executive management for strategic and operational decision making;
- the setting of, and adherence to, risk appetite;
- Nationwide’s risk and control culture;
- Nationwide’s values and culture which underpin our Mutual ethos articulated through the Nationwide Strategy;
- risk of poor customer treatment and/or not meeting our consumer duty obligations, giving rise to conduct or reputational risk;
- capital and liquidity risks;
- key events, including significant process changes, introduction of new products and services;
- outsourcing decisions and acquisitions / divestments; and
- effectiveness of the risk management framework, including the adequacy and effectiveness of the risk management, compliance and finance functions.
3. Authority
IA derives its authority from the Board through the Audit Committee. This includes prompt and unrestricted access to all systems, records, property and personnel, the right of attendance at management committees and executive meetings in an observational capacity, and the right to be informed of material decisions and change. All relevant information and data obtained by IA in the course of audit work is treated with confidentiality. Additionally, the Chief Internal Auditor has direct and unrestricted access to the Chair of the Board and the Chair of the Audit Committee.
4. Independence and Objectivity
IA is independent of the Society’s operational management and has no direct operational responsibility or authority over the activities it reviews.
All IA employees report directly or indirectly to the Chief Internal Auditor. They are responsible for being independent, objective, and constructive in the conduct of their work and avoiding conflicts of interest and personal, business or other issues that may impair impartiality.
In order to ensure independence:
- the Chief Internal Auditor reports directly to the Chair of the Audit Committee, with a secondary administrative reporting line to the Chief Executive;
- the Audit Committee Chair is responsible for setting the objectives and reviewing the performance of the Chief Internal Auditor, including making recommendations on remuneration to the Remuneration Committee as appropriate;
- the Audit Committee holds, at least annually, a meeting with the Chief Internal Auditor without management being present, to ensure that the Chief Internal Auditor has an opportunity to raise any issues directly with the Committee;
- the Chief Internal Auditor meets regularly with the Audit Committee Chair in private to ensure that the Chief Internal Auditor has an opportunity to raise any issues directly;
- IA employees have no operational responsibilities for any of the activities reviewed, and policies are in place to ensure that any employees working on projects or organisational wide initiatives, transferring into, or seconded to, IA from other Functions, are not involved in auditing activities for which they have been responsible for 12 months;
- IA does not set risk appetite, implement risk management processes, carry out quality assurance, controls testing or risk oversight on behalf of management, or design and implement risk mitigation activities in response to control weaknesses reported;
- The Audit Committee have approved IA to undertake investigation activity with appropriate safeguards to independence in place;
- on the approval of the Chief Internal Auditor, IA can engage in consultancy work to assist management in activities such as developing effective control frameworks. This will form a limited proportion of IA’s work, and individuals’ involvement in the work is considered in light of their future audit work to ensure IA’s independence and objectivity are not compromised; and
- The Chief Internal Auditor confirms IA’s independence to the Audit Committee on an annual basis.
5. Responsibilities of IA
The principal responsibilities of IA in planning, executing and reporting on its work are as follows:
- developing a risk-based Internal Audit Plan on a 6-monthly basis, showing a view for the following 6 months with an indication of audits planned for the subsequent 6 months. The plan is designed to provide assurance over key risks and allow flexibility to respond to business and risk profile changes. It is presented for approval by the Audit Committee.
- completing the audit work set out in the Audit Plan and reporting findings to management;
- providing quarterly reports to the Audit Committee including significant control weaknesses, themes arising from audit work and other interactions with management, emerging risks and issues, significant findings from selected post-incident reviews of major adverse events, and the effectiveness of management in addressing issues raised;
- providing at least annually an assessment of the overall effectiveness of the governance and risk and control framework across Nationwide;
- undertaking risk-based issue validation (as agreed by the Audit Committee) to conclude on whether actions taken by management in response to issues raised are appropriate and implemented effectively;
- taking into consideration the work of first and second line control and oversight functions including evaluating the adequacy and effectiveness of those Functions and assessments on whether to amend the scope or nature of audit activity, and co-ordinating work as appropriate;
- liaising with the Society’s external auditors to co-ordinate work and to maximise efficiency; and
- maintaining an open relationship with regulators, including in exceptional circumstances communicating significant issues to regulators in the event that management has not done so.
It is the responsibility of the Chief Internal Auditor to manage IA effectively. This includes:
- setting the strategy for the Audit Function and driving actions to deliver that strategy;
- ensuring that appropriate skills and resources are maintained and reported regularly to discharge IA’s responsibilities effectively, including the use of external specialists through co-source arrangements;
- Developing and maintaining quality assurance and improvement practices. This includes maintaining an independent Quality Assurance team, and ensuring that the scope of quality assurance work is appropriate and that results of this activity are reported and are used to drive continual improvement
- in audit quality;
- using methodology guidance that supports the delivery of effective and efficient audit engagements;
- using a suite of management information to monitor the performance of IA;
- ensuring that operational risks within IA are managed; and
- working with management to facilitate secondments of employees into and out
Additionally, at least once every five years IA’s effectiveness will be evaluated by an external and independent organisation.
6. Audit Practice Standards
IA conforms with the Chartered Institute of Internal Auditors (CIIA) Internal Audit Financial Services Code of Practice (Published January 2021) and operates in accordance with the CIIA International Professional Practices Framework (IPPF).
The Chief Internal Auditor is responsible for ensuring that IA complies with the mandatory elements of the framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing) as well as appropriate guidance, and regulatory requirements. This is confirmed by the Chief Internal Auditor on an annual basis to the Audit Committee informed by the Quality Assurance and Improvement programme of work to evaluate conformance with CIIA Standards and IA policies and procedures. The Quality Assurance team, part of IA Strategy and Operations, is independent of those staff who carry out the audit work. IA must also comply with all relevant policies, procedures and professional body standards of conduct.