The Institute of Internal Auditors (IIA) published a new position paper on September 19, 2019 about the importance of an Internal Audit Charter and how it enhances the effectiveness of the Internal Audit function.
What is an Audit Charter?
Internal audit functions play a vital role in providing assurance of an organization’s risk management practices and protecting and enhancing organizational value. The internal audit charter is a formal document that clearly defines and articulates “marching orders” for the internal audit function from the governing body (typically the audit committee) and management. It should be reviewed and approved by the governing body on an annual basis. The charter must define, at minimum, the following items:
- Internal audit’s purpose within the organization
- Internal audit’s authority
- Internal audit’s responsibility
- Internal audit’s position within the organization
The charter provides a blueprint for how internal audit will operate and allows the governing body to emphasize the value it places on the independence of the internal audit function. The charter establishes this independence by defining reporting lines from the Chief Audit Executive (CAE) to the governing body and, administratively, to executive management. It also gives internal audit the authority to achieve its tasks by allowing unrestricted access to records, personnel, etc. for the purpose of performing its duties.
Vital Components of an Audit Charter
In its position paper, the IIA identified seven vital components that support the overall strength and effectiveness of the internal audit function and should be included in the internal audit charter:
- Mission and Purpose – The charter should define both the mission and the purpose of the internal audit function. The mission should be to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Internal audit’s independent and objective assurance and consulting services should be designed to add value and improve the organization’s operations.
- Adherence to the International Standards for the Professional Practice of Internal Auditing – The charter should include details about how the internal audit function governs itself and how it adheres to the IIA’s International Professional Practices Framework (IPPF), including:
  - Core principles for the professional practice of internal auditing
  - Definition of internal auditing
  - Code of ethics
- Authority – The charter should define the CAE’s functional and administrative reporting relationship in the organization as noted above. In addition, a statement should be included affirming that the governing body will establish, maintain, and assure that the internal audit function has sufficient authority to fulfill its duties.
- Independence and Objectivity – The charter should state that the CAE will ensure independence and objectivity of the internal audit function to carry out its duties in an unbiased manner. Furthermore, internal audit should have no direct operational responsibility or authority over any of the activities audited.
- Scope of Internal Audit Activities – The charter should define the scope of the internal audit function. The scope should include providing independent assessments of the adequacy and effectiveness of governance, risk management, and control processes.
- Responsibility – The responsibility of the internal audit function should also be described in the charter and the following should be performed at least annually:
  - Creation of a risk-based internal audit plan
  - Confirmation that the internal audit activity has access to appropriate, competent, and skilled resources
  - Verification that the internal audit function is fulfilling its mandate
  - Assurance of compliance with IIA standards
  - Communication of the results of its work and follow up of agreed corrective actions
- Quality Assurance and Improvement Program – The charter should define the internal audit’s Quality Assurance and Improvement Program (QAIP), which covers all aspects of the internal audit function including:
  - Evaluation of conformance to IIA Standards and requirement to report the results of its QAIP periodically to senior management and the governing body
  - An external assessment of the activity at least once every five years
Financial Institutions should confirm they have an Internal Audit Charter and that it includes the seven vital components listed above.
Note: The Institute of Internal Auditors (IIA) has produced model charters available to IIA members in eight languages. You can find them here: https://global.theiia.org/standards-guidance/recommended-guidance/Pages/Model-Internal-Audit-Activity-Charter.aspx
How ACA Telavance Can Help
ACA Telavance offers a unique blend of banking, risk management, regulatory compliance, and technology expertise. We provide the following services to assist with your institution’s Internal Audit needs:
- Fully outsourced or co-sourced internal audit
- Internal audit training & internal audit quality assurance review
- Targeted internal audits / risk and controls testing assessments
- AML regulatory audits and remediation
- FDICIA audits
- IT governance general and security controls assessments
- Identity and access management solutions
- Policy, procedures design, implementation and testing support
- Targeted risk assessments – BSA/AML/OFAC, regulatory compliance risk assessments
- Internal Audit Analytics
For more information about our Internal Audit services, click here to submit an inquiry.
About the Authors
Uday Gulvadi has over twenty years’ experience in internal audit, risk, and compliance advisory services and a unique blend of finance, corporate governance, risk, compliance, and information technology skills. He leads ACA Telavance’s Internal Audit, Risk, and Compliance Advisory services. Prior to joining ACA Telavance, Uday gained extensive international business experience managing projects with international clients and held partner and director positions within the internal audit and risk management practices at leading, nationally recognized accounting and advisory firms. Uday earned his Bachelor of Commerce degree from the University of Mumbai (India). He is also a Certified Anti Money Laundering Specialist (CAMS), a Certified Public Accountant, a Certified Internal Auditor, a Certified Information Systems Auditor (CISA), and a Chartered Accountant (India).
Orest Mysiak is a Senior Associate at ACA Telavance. He works with various financial institutions to assist with internal audit, independent testing, compliance assessments, researching and identifying money laundering behaviors, economic sanctions filtering and monitoring, model validation and optimization, defining data mapping and interfaces between compliance systems and other banking systems, and performing data analysis and writing system documentation. In addition to Orest’s strong compliance and data analytics background, he is a certified Tableau Desktop Qualified Associate. He has been instrumental in developing multiple analytics dashboards and reports utilizing Tableau to help financial institutions fill voids in many AML systems and provide clients with enhanced management reporting and controls. Orest completed coursework towards Business Data Analyst training at National Aviation University, Kyiv, Ukraine.