pp-the-internal-audit-charter.pdf

The Internal Audit Charter

A Blueprint to Assurance Success

Introduction

One of the great challenges every organization faces is assuring efficient and

effective risk management ― those policies and processes designed to

leverage or mitigate risks to the organization’s advantage. When done well,

internal audit provides that assurance as part of its role to protect and enhance

organizational value.

For internal audit to operate at the highest levels, it must have clearly defined and

articulated marching orders from the governing body and management. This is

most easily achieved with a well-designed internal audit charter.

The IIA’s Perspective

Every organization can benefit from internal audit, and an internal audit

charter is vital to success of the activity (IIA Standard 1000). The charter is a

formal document approved by the governing body and/or audit committee

(governing body) and agreed to by management. It must define, at minimum:



Internal audit’s purpose within the organization.



Internal audit’s authority.



Internal audit’s responsibility.



Internal audit’s position within the organization.

The IIA has produced model charters available to IIA members here

eight languages.

Why the Internal Audit Charter Is Important

A charter provides the organization a blueprint for how internal audit will

operate and helps the governing body to clearly signal the value it places on

internal audit’s independence.

Ideally it establishes reporting lines for the chief audit executive (CAE) that support

that independence by reporting functionally to the governing body (or those

charged with governance) and administratively to executive management.

It also provides the activity the needed authority to achieve its tasks, e.g.,

unfettered access to records, personnel, and physical properties relevant to

performing its work.

KEY TAKEAWAYS

The internal audit charter is vital

to internal audit’s success and

should be reviewed annually by

the governing body.

The internal audit charter

should be approved by the

governing body and agreed to by

senior management.

The charter should at a minimum

include internal audit’s purpose

and mission, authority,

responsibility, its independent

reporting relationships, scope

and requirement to conform to

IIA Standards.

The internal audit charter should

include details of how the internal

audit activity will assess and

report on the quality of the

internal audit activity.

A charter provides a blueprint for

how internal audit will operate

and allows the governing body to

clearly signal the value it places

on internal audit’s independence.

IIA POSITION PAPER

Because internal audit can operate across the entire spectrum of industries, from

financial services to chemical manufacturing to government, the audit charter

allows the scope of internal audit activity to be defined specifically to unique needs

of the organization.

The charter can provide — in great detail if desired — what work internal audit will

undertake and the support it will receive from senior management and the

governing body to achieve that work. Finally, the audit charter serves as a

reference point to measure the effectiveness of the internal audit activity.

Vital Components of an Internal Audit Charter

The IIA has identified seven key areas that support the overall strength and

effectiveness of the activity and should be covered in the internal audit charter.

While some internal audit charters may not include all of these elements, any area

the charter fails to address threatens to weaken it and, ultimately, the activity.



Mission and Purpose:

o Internal audit’s mission is to enhance and protect

organizational value by providing risk-based and objective

assurance, advice, and insight.

o Internal audit’s purpose is to provide independent, objective

assurance and consulting services designed to add value and

improve the organization’s operations.



International Standards for the Professional Practice of Internal Auditing:

o The internal audit activity will govern itself by adherence to the

mandatory elements of The IIA’s International Professional

Practices Framework (IPPF) including its Standards, Core

Principles for the Professional Practice of Internal Auditing,

Definition of Internal Auditing, and Code of Ethics.



Authority – The charter should include:

o A statement on the CAE’s functional and administrative

reporting relationship in the organization.

o A statement that the governing body will establish, maintain and

assure that the internal audit activity has sufficient authority to

fulfill its duties by:

 Approving the internal audit charter.

 Approving a timely, risk-based, and agile internal

audit plan.

 Approving the internal audit budget and

resource plan.

 Receiving timely communications from the CAE

on performance relative to its internal audit plan.

 Actively participating in discussions about and

ultimately approving decisions regarding the

appointment and removal of the CAE.

FIVE QUESTIONS

Stakeholders must send a clear

and unambiguous message

about internal audit’s role in

the organization.

Here are five key questions they

should be asking:

Has the governing body created

an internal audit charter that

establishes the activity’s

purpose and mission, scope,

authority, responsibility, and

reporting relationships?

Does the charter address

establishing reporting

relationships that enable

independence and objectivity of

the CAE?

Does the charter clearly establish

internal audit’s right to complete

and unfettered access to all

records and people to the extent

necessary to carry out its work?

Does the audit charter clearly

define the responsibility of

the CAE?

In addition to requiring internal

audit to comply with IIA global

internal audit standards, does the

audit charter require the activity

to report on its effectiveness?

 Actively participating in discussions about and ultimately approving the remuneration of the CAE.

 Making appropriate inquiries of management and the CAE to determine if there are any

inappropriate scope or resource limitations.

 Developing and approving a statement that the CAE will have unrestricted access to, and

communicate and interact directly with, the governing body without management present.

 Developing and approving an authorization that the activity will have free and unrestricted

access to all functions, records, property, and personnel pertinent to carrying out

any engagement, subject to accountability for confidentiality and safeguarding of records

and information.



Independence and Objectivity – The charter should include:

o A statement that the CAE will ensure that the internal audit activity remains free of conditions that threaten the

ability of the activity to carry out its activities in an unbiased matter. If independence or objectivity is impaired

in fact or appearance, the CAE will disclose the details of the impairment to the appropriate parties.

o A statement that the internal audit activity will have no direct operational responsibility or authority over any of

the activities audited.

o A statement that if the CAE has or is expected to have roles and/or responsibilities that fall outside of internal

auditing, safeguards will be established to limit impairments to independence and objectivity.

o A requirement for the CAE to confirm at least annually the independence of the internal audit activity to the

governing body.



Scope of Internal Audit Activities – The charter should include:

o A statement that the scope of the internal audit activities encompasses, but is not limited to, objective

examinations of evidence for the purpose of providing independent assessments on the adequacy and

effectiveness of governance, risk management, and control processes.

o A statement that the CAE will report periodically to senior management and the governing body on the results

of its department and the work the activity performs.



Responsibility – The charter should include:

o Statements as to the responsibility for:

 Submitting at least annually a risk-based internal audit plan.

 Communicating with senior management and the governing body the impact of resource

limitations on the plan.

 Ensuring the internal audit activity has access to appropriate resources with regard to

competency and skill.

 Managing the activity appropriately for it to fulfill its mandate.

 Ensuring conformance with IIA Standards.

 Communicating the results of its work and following up on agreed-to corrective actions.

 Coordination with other assurance providers.



Quality Assurance and Improvement Program – The charter should include:

o A statement that the internal audit activity will maintain a quality assurance and improvement program that

covers all aspects of the internal audit activity including its evaluation of conformance to IIA Standards.

o A requirement for the CAE to report periodically the results of its quality assurance and improvement program

to senior management and the governing body and to obtain and external assessment of the activity at least

once every five years.

Conclusion

The internal audit charter should be viewed by senior management and the

governing body as an important board policy document that enables the CAE and

internal audit activity to effectively carry out their roles in the organization. It

establishes clarity among risk managers within the organization and among

stakeholders of internal audit’s role in the risk management process, and helps

stakeholders to enable and measure internal audit’s value to the organization.

A charter provides a

blueprint for how internal

audit will operate and

allows the governing

body to clearly signal the

value it places on internal

audit’s independence.

About Position Papers

The IIA promulgates Position Papers on key issues of interest to stakeholders and practitioners

with the aim of advocating for sound governance and educating

those involved in it. The positions outlined offer insights into various aspects of the governance process and internal audit

’s vital role in improving governance at all

levels and adding value

to the organization. Position Papers are developed and reviewed through a rigorous process that solicits input and critique from practicing

internal audit professionals and other

IIA volunteers who serve on The IIA’s Global Advocacy Committee, IIA Standards Board, and The IIA’s Professional

Respon

sibility and Ethics Committee.

About The IIA

The IIA is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, an

d certifications. Established in 1941,

The

IIA today serves more than 190,000 members from more than 170 countries and territories. The IIA’s global headquarters are in Lake Mary, Fla. For more

information, visit www.theiia.org.

Disclaimer

The IIA publishes this document for informational and educa

tional purposes. This material is not intended to provide definitive answers to specific individual

circumstances and as such is only intended to be used as a guide. The IIA recommends seek

ing independent expert advice relating directly to any specific

sit

uation. The IIA accepts no responsibility for anyone placing sole reliance on this material.

January 201

Global Headquarters

The Institute of Internal Auditors

1035 Greenwood Blvd., Suite 401

Lake Mary, FL 32746, USA

Phone: +1-407-937-1111

Fax: +1-407-937-1101