Internal Audit Policy¶
| Code | GOV-006 |
| Domain | Governance & Accountability |
| Owner | Chief Internal Auditor |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD10 |
| Review date | 2027-03-25 |
Regulations: APS 310 · DTA Governance Standard¶
Purpose¶
Govern the platform's internal audit function — its charter, independence requirements, risk-based audit plan, fieldwork standards, and reporting obligations to the Board Audit Committee.
Scope¶
The internal audit function and all auditable areas of the platform in NZ and AU, including all business functions, system domains, and outsourced activities that carry material risk.
Policy statements¶
The platform SHALL maintain an internal audit function that is operationally and organisationally independent of the activities it audits. The Head of Internal Audit SHALL report functionally to the Board Audit Committee and SHALL not have a functional reporting line to any first-line or second-line executive.
The Board Audit Committee SHALL approve the annual internal audit plan. The plan SHALL be risk-based and SHALL provide coverage of all material risk domains and regulated activities at a frequency proportionate to their assessed risk. The plan SHALL be refreshed to reflect significant changes in the risk environment.
Internal audit SHALL have unrestricted access to all functions, systems, records, staff, and third-party providers necessary to execute the audit plan. Management SHALL not limit the scope of an audit engagement without Board Audit Committee approval. Any scope limitation SHALL be disclosed in the audit report.
Audit fieldwork SHALL be conducted in accordance with internal audit professional standards. Working papers SHALL be retained for a minimum of seven years and SHALL be available to the Board Audit Committee and external auditors on request.
All audit reports SHALL be issued in final form to management and the Board Audit Committee within 30 days of fieldwork completion. Reports SHALL include: findings with risk ratings, root cause analysis, management responses, agreed remediation actions, owners, and target dates.
Management SHALL track all internal audit findings to closure. Overdue findings SHALL be reported to the Board Audit Committee at each quarterly meeting. Findings rated high or critical that remain open beyond 90 days SHALL be escalated to the full Board.
The Head of Internal Audit SHALL present to the Board Audit Committee quarterly on audit plan progress, findings status, resource adequacy, and any independence concerns or scope limitations encountered.
The internal audit function SHALL be subject to an independent external quality assessment at least every five years, with findings reported to the Board Audit Committee.
Satisfying modules¶
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-002 | Immutable transaction log | LOG |
Internal audit has immutable access to all financial transactions — no data can be altered post-audit |
| MOD-012 | KYC audit trail store | LOG |
Internal audit can independently verify KYC decisions without relying on agent memory |
| MOD-015 | False positive management | LOG |
Compliance team adjudication decisions logged for audit review and QA sampling |
| MOD-018 | Alert case management system | LOG |
Compliance function performance measurable — alert volumes, aging, disposition rates reportable |
| MOD-038 | Data quality & reconciliation monitor | LOG |
Internal audit has access to reconciliation break history — data quality is auditable |
| MOD-044 | JWT role-based access control | LOG |
All authenticated API calls logged with user ID, role, endpoint, and timestamp |
| MOD-046 | Privileged access management (PAM) | LOG |
All production access sessions available to audit — who accessed what and when |
| MOD-047 | Agent action logger | LOG |
Internal audit can reconstruct any agent action — no action is unlogged |
| MOD-048 | System decision log | LOG |
Automated decisions subject to audit — third line can sample and QA system decisions |
| MOD-054 | Call recording & transcript attachment | LOG |
Call corpus provides audit evidence for sales practice and conduct reviews |
| MOD-056 | Compliance visibility engine | LOG |
WIKI_IMPORT_LOG and OBLIGATION_EVENTS are append-only audit tables recording every wiki-sync run and every obligation state transition with timestamp and run_id — immutable per NFR-024. |
| MOD-070 | Transaction history & search | LOG |
Customer-facing transaction history is derived from the immutable ledger — any access or export request is logged. |
| MOD-076 | Observability platform | LOG |
Platform-level system events, errors, and performance anomalies are captured in the observability store — available for internal audit review. |
| MOD-079 | Snowflake decision publication service | LOG |
Every applied decision is recorded with its source Snowflake computation, contract version, policy reference, and operator identity — immutable audit trail. |
| MOD-080 | Statutory financial reporting & ERP integration | LOG |
All ERP journal entries and statutory extracts are logged with the source data lineage — auditors can trace every figure to its transaction origin. |
| MOD-104 | AWS shared infrastructure bootstrap | LOG |
CloudTrail is enabled across all accounts from bootstrap — every AWS API call is logged from day one, satisfying the operational audit trail requirement. |
| MOD-126 | Power of attorney and third-party authority | LOG |
All third-party authority registrations, amendments, revocations, and transactions made under authority are logged immutably to the audit trail. |
| MOD-127 | Product configuration panel | LOG |
Every product configuration change — rate, fee, term, threshold — is logged immutably with the proposer, approver, timestamp, and before/after values for full audit trail coverage. |
| MOD-129 | Teller operations and branch cash management | LOG |
Every teller transaction is logged with the teller's staff ID, branch code, session ID, and timestamp in addition to the standard transaction audit trail — the teller identity is immutably recorded at the database layer. |
| MOD-131 | Mutual governance and AGM administration | LOG |
All AGM administration actions — notice dispatch, proxy receipt, vote recording, result declaration — are logged with the acting staff member's ID and timestamp. |
| MOD-133 | Trust account management | LOG |
All trust account opening events, trustee changes, beneficiary changes, and account governance events are logged as immutable records for regulatory and audit purposes. |
| MOD-134 | Community account management | LOG |
All signatory additions, removals, and authority changes are logged immutably with the date and acting staff member. |
| MOD-138 | Deceased customer and estate management | LOG |
All deceased estate events (notification of death, freeze, LPR registration, access grants, distributions, closure) are logged immutably with the acting staff member and timestamp. |
| MOD-140 | Chart of accounts and GL configuration | LOG |
All chart of accounts changes are logged immutably with the proposer, approver, timestamp, and before/after state, providing a complete audit trail for internal and regulatory review. |
| MOD-151 | Risk case console | LOG |
All risk cases, decisions, and resolutions are available to the internal_audit role for examination — no case can be deleted. |
Part of Governance & Accountability · Governance overview
Compiled 2026-05-22 from source/entities/policies/GOV-006.yaml