
THE ARCG CHARTER

Issued in March 2008


Audit Review & Compliance Group - ARCG

Index

Part A Internal Audit


Purpose
Charter
Mission
Independence
Scope & Responsibilities
Authority
Accountability
Standards

Part B Compliance
Introduction
Guiding Principles
Function & Task of Compliance
Scope of Compliance
Organisation of Compliance Function within ARCG
Reporting Lines & Communication Lines
Independence
Authority
Standards
Accountability


ARCG CHARTER
This document has been divided into two parts; Part A relates to Internal Audit which
comprises four Divisions, Risk Review, Retail Audit, Operations & IT Audit and Fraud
& Investigation; Part B relates to Compliance.

PART A – INTERNAL AUDIT

PURPOSE

Internal Audit is an independent appraisal function established within the Bank to
examine and evaluate its activities from a controls and risk perspective. The
objective of Internal Audit is to assist members of the bank, especially management
and the Board of Directors, in the effective discharge of their responsibilities by
furnishing them with analyses, appraisals, recommendations, counsel, and
information concerning the activities reviewed and by promoting effective control at
reasonable cost. The information furnished to each may differ in format and detail,
depending upon their requirements, requests and the nature of the assignments.

Internal Audit examines and evaluates the adequacy and effectiveness of the system
of internal control provided by the Bank. The objective is to provide all levels of
management with sufficient, relevant and useful information that will help them
assure:

• The reliability and integrity of information.
• Compliance with policies, plans, procedures, laws and regulations.
• The safeguarding of assets.
• The economical and efficient use of resources.
• The accomplishment of established objectives.
• Reliability of structure on segregation of roles and responsibilities.

In line with Mashreq’s commitment and accountability to its Board of Directors, a
professional, independent Audit, Review and Compliance Group (herein mentioned as
ARCG) has been set up as part of being compliant with the bank’s policies and
procedures as well as local and international regulations, statutes and laws as
applicable in the banking and financial industry.

The purpose of this charter is to define the role and responsibilities of the Internal
Auditing function within the organization and to authorize its unrestricted access to
all the entity’s records, information, personnel, and locations needed in the
performance of audits and reviews. It also defines the nature, objective and scope of
internal auditing activities and delegates to the Head of ARCG the authority
necessary to achieve these objectives.

ARCG has independent status in Mashreq and will not be involved in the day to day
operations or internal checking systems and will also not be involved or responsible
for implementation of internal control systems. ARCG may be consulted when
considered necessary, in assessing the adequacy of controls when first implemented
and during changes in control specifications.


Internal Control is the responsibility of management. It is a process designed to
provide reasonable assurance of:

• Control over operations;
• Prevention of frauds;
• Adequate self checking mechanisms and timely detection & resolution of
errors;
• Reliable financial data;
• Compliance with applicable laws and regulations;
• Top down control culture and bank’s risk appetite assessed through sound
and tested risk evaluation processes.

The required reasonable assurance exists when all the components of management
control (the control environment; risk assessment processes; control activities;
information and communication systems; and monitoring activities) are present and
operate effectively.

Internal Audit is an independent, objective assurance and consulting activity which
is managed within the bank as an integral part of its risk management, control and
governance processes. It assists management in accomplishing their objectives by
assessing the state of internal control. In that regard, internal audit:

• Assists management in understanding and assessing risks;
• Evaluates the adequacy of techniques and controls to manage risk;
• Provides an assessment of the level of comfort that risk management, control
and governance processes are operating effectively and efficiently;
• Identifies and recommends changes that add value;
• In a consultative capacity advises on efficiency of controls and effectiveness
of structure on new initiatives and during change processes.

Through these assurance and consultative activities, Internal Audit assists
management in accomplishing its objectives by bringing a systematic disciplined
approach to evaluate and improve the effectiveness of risk management, control and
governance processes.

CHARTER

The Charter serves as a guide to Internal Audit in the performance of its duties. The
Charter does not include, nor is it intended to include, all of their duties or
responsibilities, as they may exist from time to time.

The Charter is intended to:

• Provide a written record of formally approved policies of Internal Audit;
• Provide a basis for the evaluation of the performance of Internal Audit by the
management of the Bank;
• Serve as a basic document in the Bank for administration of Internal Audit.

This charter describes the mission, independence and objectivity, scope and
responsibilities, authority, accountability and standards of the Internal Audit function.


MISSION

The mission of Internal Audit is to ensure that the Bank’s businesses are conducted
according to the highest professional and ethical standards by providing an
independent, objective assurance function and by advising on best practice. Through
a systematic and disciplined approach, Internal Audit helps the Bank accomplish its
objectives by evaluating and improving the effectiveness of risk management,
control and governance processes.

INDEPENDENCE

To ensure independence, Internal Audit is directly responsible to Head ARCG who
reports to the CEO. In addition, it reports regularly to both the Audit and Compliance
Committee of the Leadership Forum and the Audit Committee of the Board of
Directors.

SCOPE AND RESPONSIBILITIES

The scope of internal audit work includes the review of risk management procedures,
internal control systems, information systems, and governance processes. This work
also involves periodic testing of transactions, best practice reviews, special audits,
appraisals of regulatory requirements, investigation and implementing measures to
help prevent and detect fraud.

To fulfill its responsibilities, Internal Audit shall:

• Identify and assess potential risks to the Bank’s business.
• Review the adequacy of controls established to ensure compliance with
policies, plans, procedures, and business objectives.
• Assess the reliability and security of financial and management information
and the systems and operations (in-house or outsourced) that produce this
information.
• Assess the means of safeguarding assets.
• Review established procedures and systems and propose improvements.
• Appraise the use of resources with regard to economy, efficiency and
effectiveness.
• Contribute to the development of projects, selected according to the risk
involved, by confirming that the Bank’s project methodology is followed and
that, in particular, adequate controls are incorporated.
• Follow up recommendations to make sure that effective remedial action is
taken.
• Carry out ad hoc appraisals, audits, or reviews requested by the
Management/ Audit Committee.
• Review specific operations at the request of the Audit Committee or
management as part of the business.
• Carry out examination & investigation of reported willful fraudulent acts, or
other suggested activities internal or external.


AUTHORITY

Internal Audit aims to promote effective controls at reasonable cost. To achieve this,
Internal Audit is authorised in the course of its activities, to:

• Enter all areas of the Bank and have unrestricted access to any documents
and records, personnel, core issue analysis, investigation and determination
of facts and statement of recommendations in its reports, considered
necessary for the performance of its functions.
• Require all members of staff and Management to supply such information and
explanations as may be needed within a reasonable period of time.

Senior Management should inform Internal Audit immediately of any significant
incident concerning security and/or compliance with regulations and procedures.

ACCOUNTABILITY

Internal Audit shall prepare, in liaison with the Head of ARCG, an annual audit plan.
The plan is based on a risk model that identifies business risks, and on input from
line managers. It provides information about the risk assessment, the current order
of priority of audit projects and how they are to be carried out.

The plan shall be presented to Head of ARCG and the Audit Committee for approval.
In case of need, adjustments may be made to the plan during the year. Any such
changes would have to be approved by the Head of ARCG and communicated to the
Audit Committee.

Internal Audit is responsible for planning, conducting, reporting and following up on
audit projects included in the audit plan, and decides on the scope and timing of
audits. The details of these processes are defined in the Internal Audit Manual.

The above does not restrict Internal Audit from initiating any action and/or
recommendation, including an unscheduled audit, where exceptions, risks, process
gaps/efficiency, losses, near losses or other matters require preventive action,
should it deem this necessary. Senior Management may also investigate or highlight
concerns, which may prompt action by Internal Audit.

Audit fieldwork shall be conducted in a professional and timely manner. Reporting of
results will include an open process to agree on the facts and the validity of audit
recommendations. A detailed audit report and a letter to Management will
summarise the objectives and scope of the audit as well as observations and
recommendations. In all cases, follow-up work will be undertaken to ensure
adequate response to audit recommendations.

Internal Audit shall coordinate with external audit to ensure proper coverage and
avoid duplication of effort.

STANDARDS

Internal Audit adheres to the standards of best professional practice, such as those
published by the Institute of Internal Auditors and the Information Systems Audit
and Control Association, and the relevant reports and recommendations of the Basel
Committee on Banking Supervision.

PART B - COMPLIANCE

INTRODUCTION

“The Compliance function within the bank is the independent oversight on behalf of
senior management of those core processes and related policies and procedures that
seek to ensure that the bank is in conformity with industry-specific laws and
regulations in letter and spirit, thereby maintaining the bank’s reputation.”

The Board of Directors of Mashreq is fully committed to its Corporate Values and to
the preservation of the integrity and reputation of the bank by complying with laws
and regulations in each of the markets it operates in. Integrity is the cornerstone of
the compliance function as it is the pivot of the bank’s Corporate Values.

The following describes the role and responsibilities of the compliance function within
Mashreq, its position and authority.

GUIDING PRINCIPLES

The starting point for compliance is formulated in six guiding principles:

1. Compliance is the individual and collective responsibility of each staff member
in the bank within the given area of his/her responsibilities. All staff should be
aware of relevant regulations and policies, be knowledgeable on how to
comply and believe in the need to be compliant.
2. Business unit management is responsible for compliance and acts as role
models for all staff.
3. The compliance function exercises independent oversight, enables and
supports everyone to fulfill their roles, instills compliance discipline and
ethical business conduct, prevents and detects violations of compliance
policies.
4. The compliance approach is in principle risk-based, except where a
rules-based approach is required on a case-by-case basis.
5. The compliance function acts in partnership with the business with complete
access to business information and strategy.
6. The compliance function encompasses industry-specific laws and regulations
as well as related business conduct.

FUNCTION AND TASKS OF COMPLIANCE

The function and tasks of Compliance are the following:

• Identify risks and regulations relevant to the bank’s activities
• Design policies and procedures to minimize regulatory and reputation risk
• Advise, train and provide reports (to senior management) with regard to
regulations and the compliance with these regulations
• Promote effective compliance and ensure or oversee follow-up in case of
non-compliance
• Manage regulatory inquiries and incidents
• Build and manage ongoing relationships with key regulators

SCOPE OF COMPLIANCE

The compliance function within the bank provides independent oversight on behalf of
senior management of those core processes and related policies and procedures that
seek to ensure the bank is in conformity with industry-specific laws and regulations
in letter and spirit, thereby maintaining the bank’s reputation. This includes sanctions,
client acceptance and anti-money laundering, the protection of clients against
mis-selling by the bank (e.g. personal investment policy, conflict of interest, Chinese
walls) and ‘good citizenship’ (e.g. HR’s code of conduct).

The compliance scope does not include regulations and policies covering capital
adequacy, accounting standards, credit administration etc. These are primarily
covered by other support functions and business units, where applicable in
consultation and cooperation with Compliance.

ORGANISATION OF COMPLIANCE FUNCTION WITHIN MASHREQ

Compliance is a support function of Mashreq and is a part of Audit, Review and
Compliance Group (hereinafter referred to as ARCG) at the Head office. All
compliance officers report, directly or via the management team of embedded
compliance managers, hierarchically to the Head of Compliance ARCG, who has a
direct reporting line to ARCG head.

Compliance activities are predominantly performed in business-aligned groups to
reflect the diverse nature of Mashreq’s business and the need for a direct interface
with business management.

Activities that require consistency or highly specialised skills across businesses are
conducted in dedicated organisational units in coordination with compliance, ARCG.
For cross-cutting activities, compliance, ARCG steps in as a centre of excellence.
Formal mechanisms are put in place to ensure ‘one face to the regulator’ which is the
Head of Compliance, ARCG on an overall level and embedded compliance managers
for their respective business units.

REPORTING LINES AND COMMUNICATION LINES

The Head of Compliance, ARCG reports directly to the ARCG Head, who is a
member of the Leadership Forum. Thus compliance representation is at the
senior-most level in the overall hierarchy.

The Heads of the embedded Compliance functions maintain intense and close
communication with senior management within their jurisdiction and have overall
responsibility for the quality of the professional practices in their department. They
have a solid reporting line into the Head of Compliance, ARCG.

An activity that requires overall consistency is client acceptance and anti-money
laundering. Therefore, this activity is conducted by Compliance with close alignment
with the embedded compliance functions within Business Units.


Compliance maintains close relationships with other key divisions within ARCG. These
divisions are Risk Review, Operational & IT Audit, Retail Audit and Fraud &
Investigations Division.

INDEPENDENCE

Compliance is independent from the business and other line functions. Therefore the
Head of Compliance reports directly to the Head of ARCG who is a member of the
Leadership Forum (LF) and has representation to the Board of Directors through
the Chief Executive Officer of the bank and to the Audit & Compliance Committee of
the LF.

AUTHORITY

The compliance function has free access to information and personnel and has the
right to advise internal audit to conduct investigations of possible breaches of the
compliance policy and if required to appoint outside experts to perform this task.

Compliance is the principal interface with the regulators on compliance issues. All
contacts with the regulators on compliance issues are managed through or in
consultation with Compliance.

STANDARDS

The senior management of Mashreq is committed to preserving the integrity and
reputation of the bank by complying with applicable laws and regulations in each of
the markets in which it operates. Employees must adhere to all laws and regulations
applicable to Mashreq and to the ethical standards set by Mashreq and those who do
not may face disciplinary action. All employees are expected to observe high
standards of conduct and be aware of the laws and regulations of other countries
when conducting cross border transactions.

In addition, Compliance represents Mashreq in external bodies / forums that focus on
compliance issues and best practices (e.g. World Check, Complinet, Gulf Coop.
Council, Hawkama Institute of Corporate Governance).

ACCOUNTABILITY

Compliance staff are available to provide guidance and support to the Businesses on
issues related to laws and regulations. The overall Annual Compliance Plan is
approved by the Head of ARCG.

Compliance follows a risk based approach in addressing issues escalated to it or
resulting from the monitoring conducted by Audit.

NOTE
Any changes to the contents of this document require the approval of the Head of
ARCG, who will communicate such changes to the Audit & Compliance Committee for
their ratification.
