The Institute of Internal Auditors (IIA) published a new position paper on September 19, 2019 about the importance of an Internal Audit Charter and how it enhances the effectiveness of the Internal Audit function.
What is an Audit Charter?
Internal audit functions play a vital role in providing assurance of an organization’s risk management practices and protecting and enhancing organizational value. The internal audit charter is a formal document that clearly defines and articulates “marching orders” for the internal audit function from the governing body (typically the audit committee) and management. It should be reviewed and approved by the governing body on an annual basis. The charter must define, at minimum, the following items:
- Internal audit’s purpose within the organization
- Internal audit’s authority
- Internal audit’s responsibility
- Internal audit’s position within the organization
The charter provides a blueprint for how internal audit will operate and allows the governing body to emphasize the value it places on the independence of the internal audit function. The charter establishes this independence by defining reporting lines from the Chief Audit Executive (CAE) to the governing body and, administratively, to executive management. It also gives internal audit the authority to achieve its tasks by allowing unrestricted access to records, personnel, etc. for the purpose of performing its duties.
Vital Components of an Audit Charter
In its position paper, the IIA identified seven vital components that support the overall strength and effectiveness of the internal audit function and should be included in the internal audit charter:
- Mission and Purpose – The charter should define both the mission and the purpose of the internal audit function. The mission should be to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Internal audit’s independent and objective assurance and consulting services should be designed to add value and improve the organization’s operations.
- Adherence to the International Standards for the Professional Practice of Internal Auditing – The charter should include details about how the internal audit function governs itself and how it adheres to the IIA’s International Professional Practices Framework (IPPF), including:
  - Core principles for the professional practice of internal auditing
  - Definition of internal auditing
  - Code of ethics
- Authority – The charter should define the CAE’s functional and administrative reporting relationship in the organization as noted above. In addition, a statement should be included affirming that the governing body will establish, maintain, and assure that the internal audit function has sufficient authority to fulfill its duties.
- Independence and Objectivity – The charter should state that the CAE will ensure independence and objectivity of the internal audit function to carry out its duties in an unbiased manner. Furthermore, internal audit should have no direct operational responsibility or authority over any of the activities audited.
- Scope of Internal Audit Activities – The charter should define the scope of the internal audit function. The scope should include providing independent assessments of the adequacy and effectiveness of governance, risk management, and control processes.
- Responsibility – The responsibility of the internal audit function should also be described in the charter and the following should be performed at least annually:
  - Creation of a risk-based internal audit plan
  - Confirmation that the internal audit activity has access to appropriate, competent, and skilled resources
  - Verification that the internal audit function is fulfilling its mandate
  - Assurance of compliance with IIA standards
  - Communication of the results of its work and follow up of agreed corrective actions
- Quality Assurance and Improvement Program – The charter should define the internal audit’s Quality Assurance and Improvement Program (QAIP), which covers all aspects of the internal audit function including:
  - Evaluation of conformance to IIA Standards and requirement to report the results of its QAIP periodically to senior management and the governing body
  - An external assessment of the activity at least once every five years
Financial Institutions should confirm they have an Internal Audit Charter and that it includes the seven vital components listed above.
Note: The Institute of Internal Auditors (IIA) has produced model charters available to IIA members in eight languages. You can find them here: https://global.theiia.org/standards-guidance/recommended-guidance/Pages/Model-Internal-Audit-Activity-Charter.aspx