Sample internal audit charter
Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of [your organisation].
It assists [your organisation] in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organisation's risk management, control, and governance processes.
The internal audit activity is established by the Board of Directors or oversight body (hereafter referred to as the Board). The internal audit activity's responsibilities are defined by the Board as part of their oversight role.
The internal audit activity will govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity's performance.
The IIA's Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to <organisation> relevant policies and procedures and the internal audit activity's standard operating procedures manual.
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free, and unrestricted access to any and all of the organisation's records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Board.
The Head of Internal Audit will report functionally to the Board and administratively to the Chief Executive Officer.
The Board will approve all decisions regarding the performance evaluation, appointment, or removal of the Head of Internal Audit as well as the Chief Audit Executive's annual compensation and salary adjustment.
The Head of Internal Audit will communicate and interact directly with the Board, including in executive sessions and between Board meetings as appropriate.
Independence and objectivity
The internal audit activity will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair internal auditor's judgment.
Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Head of Internal Audit will confirm to the board, at least annually, the organisational independence of the internal audit activity.
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organisation's governance, risk management, and internal control processes in relation to the organisation's defined goals and objectives. Internal control objectives considered by internal audit include:
- Consistency of operations or programs with established objectives and goals and effective performance.
- Effectiveness and efficiency of operations and employment of resources.
- Compliance with significant policies, plans, procedures, laws, and regulations.
- Reliability and integrity of management and financial information processes, including the means to identify, measure, classify, and report such information.
- Safeguarding of assets.
Internal Audit is responsible for evaluating all processes ('audit universe') of the entity including governance processes and risk management processes. It also assists the Audit Committee in evaluating the quality of performance of external auditors and maintains proper degree of coordination with internal audit.
Internal audit may perform consulting and advisory services related to governance, risk management and control as appropriate for the organisation. It may also evaluate specific operations at the request of the Board or management, as appropriate.
Based on its activity, Internal audit is responsible for reporting significant risk exposures and control issues identified to the Board and to Senior Management, including fraud risks, governance issues, and other matters needed or requested by the Board.
Internal audit plan
At least annually, the Head of Internal Audit will submit to the Board an internal audit plan for review and approval, including risk assessment criteria. The internal audit plan will include timing as well as budget and resource requirements for the next fiscal/calendar year. The Head of Internal Audit will communicate the impact of resource limitations and significant interim changes to senior management and the Board.
The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based methodology, including input of senior management and the board. Prior to submission to the Board for approval, the plan may be discussed with appropriate senior management. Any significant deviation from the approved internal audit plan will be communicated through the periodic activity reporting process.
Reporting and monitoring
A written report will be prepared and issued by the Head of Internal Audit or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Board.
The internal audit report may include management's response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management's response, whether included within the original audit report or provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.
The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
The Head of Internal Audit is responsible also for providing periodically a self-assessment on the internal audit activity as regards its consistency with the Audit Charter (purpose, authority, responsibility) and performance relative to its Plan.
In addition, the Head of Internal Audit will communicate to senior management and the Board on the internal audit activity's quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.
Chief Audit Executive Chief Executive Officer
Chairman of the Board of Directors Chairman of the Audit Committee