One of the great challenges every organization faces is assuring efficient and effective risk management (policies and processes designed to leverage or mitigate risks to the organization’s advantage). When done well, internal audit provides that assurance as part of its role to protect and enhance organizational value.
For internal audit to operate at the highest levels, it must have clearly defined and articulated marching orders from the governing body and management. This is most easily achieved with a well-designed internal audit charter.
The IIA’s Perspective
Every organization can benefit from internal audit, and an internal audit charter is vital to the success of the activity (IIA Standard 1000). The charter is a formal document approved by the governing body and/or audit committee (governing body) and agreed to by management. It must define, at a minimum:
- Internal audit’s purpose within the organization.
- Internal audit’s authority.
- Internal audit’s responsibility.
- Internal audit’s position within the organization.
Why the Internal Audit Charter Is Important
A charter provides the organization a blueprint for how internal audit will operate and helps the governing body to clearly signal the value it places on internal audit’s independence.
Ideally, it establishes reporting lines for the chief audit executive (CAE) which support that independence by reporting functionally to the governing body (or those charged with governance) and administratively to executive management.
It also provides the activity the needed authority to achieve its tasks, e.g., unfettered access to records, personnel, and physical properties relevant to performing its work.
The IIA has identified seven key areas that support the overall strength and effectiveness of the activity and should be covered in the internal audit charter.
While some internal audit charters may not include all of these elements, any area the charter fails to address threatens to weaken it and, ultimately, the activity.
- Mission and Purpose:
  - Internal audit’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
  - Internal audit’s purpose is to provide independent, objective assurance and consulting services designed to add value and improve the organization’s operations.
- International Standards for the Professional Practice of Internal Auditing:
  - The internal audit activity will govern itself by adherence to the mandatory elements of The IIA’s International Professional Practices Framework (IPPF) including its Standards, Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, and Code of Ethics.
- Authority – The charter should include:
  - A statement on the CAE’s functional and administrative reporting relationship in the organization.
  - A statement that the governing body will establish, maintain and assure that the internal audit activity has sufficient authority to fulfill its duties by:
    - Approving the internal audit charter.
    - Approving a timely, risk-based, and agile internal audit plan.
    - Approving the internal audit budget and resource plan.
    - Receiving timely communications from the CAE on performance relative to its internal audit plan.
    - Actively participating in discussions about and ultimately approving decisions regarding the appointment and removal of the CAE.
    - Actively participating in discussions about and ultimately approving the remuneration of the CAE.
    - Making appropriate inquiries of management and the CAE to determine if there are any inappropriate scope or resource limitations.
    - Developing and approving a statement that the CAE will have unrestricted access to, and communicate and interact directly with, the governing body without management present.
    - Developing and approving an authorization that the activity will have free and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
- Independence and Objectivity – The charter should include:
  - A statement that the CAE will ensure that the internal audit activity remains free of conditions that threaten the ability of the activity to carry out its activities in an unbiased manner. If independence or objectivity is impaired in fact or appearance, the CAE will disclose the details of the impairment to the appropriate parties.
  - A statement that the internal audit activity will have no direct operational responsibility or authority over any of the activities audited.
  - A statement that if the CAE has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established to limit impairments to independence and objectivity.
  - A requirement for the CAE to confirm at least annually the independence of the internal audit activity to the governing body.
- Scope of Internal Audit Activities – The charter should include:
  - A statement that the scope of the internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments on the adequacy and effectiveness of governance, risk management, and control processes.
  - A statement that the CAE will report periodically to senior management and the governing body on the results of its department and the work the activity performs.
- Responsibility – The charter should include:
  - Statements as to the responsibility for:
    - Submitting at least annually a risk-based internal audit plan.
    - Communicating with senior management and the governing body the impact of resource limitations on the plan.
    - Ensuring the internal audit activity has access to appropriate resources with regard to competency and skill.
    - Managing the activity appropriately for it to fulfill its mandate.
    - Ensuring conformance with IIA Standards.
    - Communicating the results of its work and following up on agreed-to corrective actions.
    - Coordinating with other assurance providers.
- Quality Assurance and Improvement Program – The charter should include:
  - A statement that the internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity including its evaluation of conformance to IIA Standards.
  - A requirement for the CAE to report periodically the results of its quality assurance and improvement program to senior management and the governing body and to obtain an external assessment of the activity at least once every five years.