Internal Audit Charter

Code of Business Conduct and Ethics
External Auditor Tender Process Policy
Health, Safety and Welfare Policy
Related Party Transactions Policy
Internal Audit Charter
Data Privacy Policy
Cyber Security Policies
EDP Policy and Procedural Guidelines
Human Rights Policy Statement
ESG and Sustainability Charter
Download PDF

I. Mission Statement ​

The mission of Internal Audit (IA) is to provide independent, objective assurance and consulting activity guided by the principle of adding value to improve the operations of LT Group, Inc. It helps LT Group, Inc. in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the organization’s governance, internal control and risk management as well as provide strong oversight support to its subsidiaries’ Internal Audit activities under a centralized internal audit function structure ensuring that the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA) and the IT Audit and Assurance Standards and IS Control Professionals Standards of ISACA are met.

II. Authority ​

The internal audit activity shall have free and unrestricted access to the Audit and Risk Management Committee and any other member of the Board of Directors as needed to fulfill its responsibilities.

Authority is granted for full, free and unrestricted access to any and all of the *Company’s records, physical properties, and personnel relevant to any function under review. All employees are requested to assist IA in fulfilling their staff function.

Documents and information given to internal auditors during a periodic review will be handled in the same prudent and confidential manner as by those employees normally accountable for them.

For purposes of this charter, *Company means LT Group, Inc. as holding company only

III. Independence and Objectivity ​

The Chief Audit Executive (CAE) shall report directly/functionally to the Audit and Risk Management Committee and may report administratively to the President and Chief Executive Officer.

All internal audit activities must remain free of influence by any element in the organization, including matters of audit selection, scope, procedures, frequency and timing.

The internal audit review and appraisal process does not in any way relieve other persons in the Company of the responsibilities assigned to them. Responsibility for complying with policies and procedures as well as correcting deficiencies rests with the respective employees and management.

The CAE will confirm to the Audit and Risk Management Committee, at least annually, the organizational independence of IA.

All internal audit personnel shall act with integrity in carrying out their duties and responsibilities. They should respect the confidentiality of information acquired in the course of the performance of their duties and should not use it for personal gain or malicious actions. Moreover, internal audit personnel shall avoid conflicts of interest. Internally-recruited internal auditors shall not engage in auditing activities for which they have had previous responsibility before a one-year “cooling off” period has elapsed. The internal audit personnel shall adhere at all times to the Company’s Code of Ethics; to an established code of ethics for internal auditors such as that of the Institute of Internal Auditors; and to internal policies regarding independence and objectivity of internal auditors.

IV. Responsibility

IV.A General Responsibility

The CAE and staff of the Internal Audit have the responsibility to:

  • Develop a flexible annual audit plan using an appropriate risk-based audit methodology, including any risks or control concerns identified by the Audit and Risk Management Committee/Senior Management (SM) and submit that plan to the Audit and Risk Management Committee for review and approval as well as periodic updates.
  • Implement the annual audit plan, as approved by the Audit and Risk Management Committee, taking into consideration any special tasks or projects that may be requested by SM.
  • Issue periodic reports to the Audit and Risk Management Committee and SM summarizing results of audit and investigation activities.
  • Consider the scope of work of the external auditors and regulators, as appropriate, for the purpose of providing optimal audit coverage to the organization at a reasonable overall cost.
  • Maintain a professional internal audit staff with sufficient knowledge, skills, experience, and preferably with professional certifications to meet the requirements of this Charter.
  • Keep the Audit and Risk Management Committee informed of emerging trends and successful practices in internal auditing and governance.
  • Periodically provide information on the status and results of the annual audit plan and the sufficiency of activity resources.
  • Coordinate with and provide oversight of other control and monitoring functions (i.e., finance, risk management, compliance, security, legal, ethics, environmental, external audit)
  • Ensure compliance with the following procedures for Subsidiaries:
    • The Chief Audit Executive (the Group CAE) of the Internal Audit of LT Group, Inc. will be in-charge of the group’s internal audit function, covering the audit of all the LT Group Inc. subsidiaries (except PNB). The Group CAE will functionally report to LT Group Inc. Audit and Risk Committee and the respective subsidiaries’ Audit Committee (except PNB).
    • LT Group Inc. Audit and Risk Management Committee and the Audit Committee of the respective subsidiaries (except PNB) shall ensure that the scope of internal audit activities of LT Group Inc. Internal Audit is adequate considering the size, risk profile and complexity of operations of the subsidiaries, respectively.
    • Cognizant of the close supervision exercised by Bangko Sentral ng Pilipinas over banks, the internal audit function of the Philippine National Bank will be considered as a stand-alone activity and will only be given minimal oversight by the Group IA.
    • The Group IA will not include in its coverage the Joint Venture arrangements between LT Group, Inc. and other parties where the former has no management control over such arrangements.
    • (See Annex A – Organization Chart of the LT Group, Inc. and Subsidiaries Internal Audit Function Structure)

IV.B Assurance Services

The provision of assurance services is the prime responsibility of IA and it involves the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusion regarding a process, system or other subject matter. These responsibilities include the following:

  • Provide annually an assessment on the adequacy and effectiveness of the Company’s processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
  • Report significant issues related to the processes for controlling the activities of the Company and its subsidiaries, including potential improvements to those processes, and provide information concerning such issues through resolution.
  • Provide assurance to the Audit and Risk Management Committee and SM that risk management processes within the Company are effective and efficient by focusing on key Company risks identified with management and reporting on the quality of the mitigating controls implemented by management.
  • Provide reasonable assurance that the environment in information technology is operating as intended by policy, and application systems are functioning effectively and efficiently to address possible risk exposures of the Company.

IV.C Consulting Services

Consulting services are advisory in nature, and address governance, risk management, and control processes to the extent agreed upon with SM or Audit and Risk Management Committee. It is performed by the IA based on its potential to improve management of risks, add value, and improve the Company’s operations without assuming management responsibility. The nature and scope of the consulting engagement are subject to agreement with the business unit. Under these circumstances, internal auditors may perform the following:

  • Conduct special examinations at the request of SM or the Audit and Risk Management Committee. The auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
  • Investigate allegations concerning fraud, accounting, internal controls, and ethics violations and notify Management and the Audit and Risk Management Committee of the results. However, internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigation fraud. Also, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.
  • Review the planning, design, development, and implementation of major computer-based system during its pre-implementation stage to determine whether:
    • Adequate controls are incorporated in the systems.
    • Thorough systems checking are performed at appropriate stages.
    • System documentations are complete and accurate.
  • Conduct periodic audits of data processing and make post-implementation evaluation of major data processing systems to determine whether these systems meet their intended purposes and objectives.
  • Assist the Company in meeting its objectives and improving key business processes.
  • Evaluate and assess significant merging/consolidated functions and new or changing services, processes, operations and control processes coincident with their development, implementation, and/or expansion.

IV.D Enabling Risk Management

Internal auditors have a key role to play in the risk management process of the organization by assisting both SM and Audit and Risk Management Committee to:

  • Help the Audit and Risk Management Committee and SM to identify and mitigate or minimize risk of not meeting the objective of the Company.
  • Facilitate self-assessments by SM of the impact of key Company risks and its risk management effectiveness on all relevant levels of the Company.
  • Provide advice and counsel on risk management activities, controls and processes
  • Support SM in their responsibility to continuously evaluate the system of internal control.

IA is not responsible for any of the business policies, processes or activities that it audits, or for the design, implementation, or operation of controls or for risk management and control.

These are management’s responsibilities and IA will conduct its work in such a manner as to assist management in discharging these responsibilities.

V. Audit Scope

The scope of Internal Audit encompasses the examination and evaluation of the adequacy and effectiveness of the Company’s governance, risk management processes, systems of internal control structure, and the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. It shall cover, among others:

  • Examination and evaluation of the adequacy and effectiveness of the internal control systems.
  • Review of the application and effectiveness of risk management process and risk assessment methodologies
  • Review of the management and financial information systems, including the electronic information system and other electronic services.
  • Assessment of the accuracy and reliability of the accounting system and of the resulting financial reports.
  • Review of the systems and procedures of safeguarding assets.
  • Review of the system of assessing capital in relation to the estimate of organizational risk.
  • Transaction testing and assessment of specific internal control procedures.
  • Review of the compliance system and the implementation of established policies and procedures.

VI. Audit Plan

The CAE shall submit and present to the Audit and Risk Management Committee an annual risk-based audit plan, staffing plan, and budget for the following fiscal year. The annual audit plan is to be developed based on a prioritization of the audit universe using internal audit’s risk-based audit methodology. Any significant deviation from the formally approved audit plan shall be communicated to the Audit and Risk Management Committee through periodic activity reports.

The CAE will evaluate the resource needs and related costs based on the annual riskbased audit plan. A resource plan will be presented to Management and the Audit and Risk Management Committee as part of annual planning process. Subject matter resource if required in areas such as IT, information security, program, fraud, regulatory compliance or geographic needs and others will be identified, proposed, approved and contracted through an appropriate third party professional services firm. The Audit and Risk Management Committee will be notified in advance of any significant changes in the third party service provider activities, terms, scope, etc.

VII. Audit Report

A written report will be reviewed and approved by the CAE before its issuance following the conclusion of each audit and will be distributed as appropriate. When the CAE delegates these duties, he shall retain overall responsibility. A copy of the report and a summary, as appropriate, will be forwarded to the Chief Executive Officer and the Audit and Risk Management Committee. Generally, the submission of the regular audit report to the Audit and Risk Management Committee shall be within three (3) months after the termination of the audit fieldwork. In case of delay, a written justification shall be provided to the CAE explaining the reasons for such delay. However, the risk-based submission of reports shall be as follows:

  • Rated High Risk – within 30 days from end of audit fieldwork;
  • Rated Moderate Risk – within 60 days from end of audit fieldwork;
  • Rated Low Risk – within 90 days from end of audit fieldwork;
  • Non-Rated Special Audit-Cash Count reports – within 30 days from culmination of fieldwork.
  • Non-Rated Pre-Implementation Reviews of Application Systems – within 90 days from end of audit fieldwork (same with that of Low Risk rated units).
  • Non-Rated Special Audit (Irregularities/Fraud Investigation) and Consultancy Engagement reports – within 30 days from culmination of fieldwork (same with that of High Risk Rated units).
  • Initial/Advance reports to the Audit and Risk Management Committee on the results of the Special Audits (Irregularities/Fraud Investigation – within 1 week from the start of audit field work.

The CAE or designate may include in the audit report the auditee’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response should include a timetable for anticipated completion of action to be taken and an explanation for any recommendations not addressed. In cases where a response is not included within the audit report, management of the audited area should respond, in writing, within 30 days from the date of issuance of the report.

VIII. Quality Assurance

IA shall implement quality measures to ensure integrity, efficiency, and professionalism in all the work being performed. Quality measures shall be designed to help the internal audit activity add value and improve the Company’s operations. Periodic customer feedback is proactively obtained to help ensure a continuously improving level of service.

The CAE shall periodically assess whether the internal audit activity’s purpose, authority, and responsibility, as defined in the internal audit charter, continue to be adequate to enable the activity to accomplish its objectives. The results of this periodic assessment shall be communicated to the Audit and Risk Management Committee, the SM and the Board of Directors.

IX. Code of Ethics and Professional Standards

IA shall govern themselves in accordance with the Company’s Business conduct and Code of Ethics for CPAs, the Institute of Internal Auditors (IIA) “Code of Ethics”, and ISACA’s Code of Professional Ethics. Internal Audit shall meet the International Standards for the Professional Practice of Internal Auditing of the IIA and the IT Audit and Assurance Standards and IS Control Professionals Standards of ISACA. The IIA’s “Practice Advisories” and ISACA’s “Guidelines” shall also be adhered to as applicable.

In addition, IA shall conform to the Company’s policies and procedures and the IA’s audit manual. The audit manual shall include attribute, performance, and implementation standards to guide the Internal Auditors.

X. Guidelines for Outsourcing Internal Audit Activities to External Experts

The Company may outsource internal audit activities in accordance with existing regulations and professional practice framework on outsourcing and with internal policies on outsourcing of the internal audit function, except for areas covered by existing statutes such as the Bank Secrecy Law and Data Privacy Act. Outsourcing shall be done to have access to certain areas of expertise that are not available to the internal audit function or to address resource constraints. Provided, that: The internal audit activity shall not be outsourced to the Company’s own external auditor/audit firm nor to internal audit service provider that was previously engaged by the Company in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period. Provided, further, that: The CAE shall ensure that the knowledge or inputs from the outsourced experts shall be assimilated into the Company to the greatest extent possible.

Outsourcing of specific IA activities should be documented through an engagement contract or letter, with elaborate disclosures on objectives and scope of work, deliverables and time frames, access to records, personnel and physical properties, information regarding assumptions and procedures to be employed, ownership and custody of engagement work papers, and the confidentiality and restrictions on information obtained during the engagement, among others.

If IA intends to use and rely on the work of external service provider, the CAE needs to consider the competence, independence, and objectivity of the external service provider, even if the said external service provider is selected by Senior Management or the Board.

The CAE should review the work of external service providers to evaluate the adequacy of work performed and the sufficiency of information obtained to afford a reasonable basis for the conclusions reached and the resolution of exceptions or other unusual matters.

XI. Guidelines for Coordination with the External Auditor and Supervisory Authority

  1. Oversight of the work of external auditors and supervisory authority, including coordination with the internal audit activity, is the responsibility of the Board. Coordination of internal and external audit work is the responsibility of the Chief Audit Executive (CAE). The CAE obtains the support of the Board to coordinate audit work effectively.
  2. The Company may use the work of external auditors and supervisory authority to provide assurance related to activities within the scope of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the external auditors, including:
    • The nature, extent, and timing of work planned by external auditors, to be satisfied that the external auditors‘ planned work, in conjunction with the internal auditors‘ planned work, must contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
    • The external auditor‘s assessment of risk and materiality.
    • The external auditors‘ techniques, methods, and terminology to enable the CAE to (1) coordinate internal and external auditing work; (2) evaluate, for purposes of reliance, the external auditors‘ work; and (3) communicate effectively with external auditors.
    • Access to the external auditors‘ programs and working papers, to be satisfied that the external auditors‘ work can be relied upon for internal audit purposes. Internal auditors are responsible for respecting the confidentiality of those programs and working papers. 
  3. The external auditors and supervisory authority may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs to provide sufficient information to enable external auditors and supervisory authority to understand the internal auditors‘ techniques, methods, and terminology to facilitate reliance by external auditors and supervisory authority on work performed. Access to the internal auditors‘ programs and working papers is provided to external auditors and supervisory authority in order for them to be satisfied as to the acceptability of relying on the internal auditors‘ work.
  4. It may be efficient for internal and external auditors to use similar techniques, methods, and terminology to coordinate their work effectively and to rely on the work of one another.
  5. Planned audit activities of internal and external auditors and supervisory authority need to be discussed to ensure that audit coverage is coordinated and duplicate efforts are minimized where possible. Sufficient meetings are to be scheduled during the audit process to ensure coordination of audit work and efficient and timely completion of audit activities, and to determine whether observations and recommendations from work performed to date require that the scope of planned work be adjusted.
  6. The internal audit activity‘s final communications, management‘s responses to those communications, and subsequent follow-up reviews are to be made available to external auditors and supervisory authority. These communications assist external auditors and supervisory authority in determining and adjusting the scope and timing of their work.
  7. Internal auditors need access to the external auditors‘ presentation materials and Management Letters. Matters discussed in presentation materials and included in Management Letters need to be understood by the CAE and used as input to internal auditors in planning the areas to emphasize in future internal audit work. After review of Management Letters and initiation of any needed corrective action by appropriate members of SM and the Board, the CAE ensures that appropriate follow-up and corrective actions have been taken.
  8. The CAE is responsible for regular evaluations of the coordination between internal and external auditors or supervisory authority. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates the results of these evaluations to SM and the Board, including relevant comments about the performance of external auditors.

XII. References

Internal Audit Structure

Download PDF

Links

About
Governance
Disclosures
Investor Relations
News

Contact

  • 11th Floor Unit 3 Bench Tower, 30th Street corner Rizal Drive, Crescent Park West 5, Bonifacio Global City, Taguig City, Philippines
Contact Us

© 2019, LT Group, Inc. All Rights Reserved.

Powered by Mabuhay Digital Technologies Inc.