Why is it that the internal audit function is the only function employed or invested in by an entity that needs a charter for its service delivery? Is it because its value addition is not well understood, or because it aims to be the only function that’s professionally driven in furtherance of its objectives?
Well, the correct answer is BOTH!
And we’ll get to that in a while. But let’s first see what it is, what are its aims, what is its composition, how do we go about making one, when is the time to get going on making it and how is it finalized and executed?
A typical charter documents rights and privileges for a body or people it represents. The Internal Audit Charter is a significant value addition to that meaning of a charter, like everything internal audit is!
The Institute of Internal Auditors defines the Internal Audit Charter as “a formal document that defines the internal audit function’s mandate and other requirements”.
And these “other requirements” is a massive understatement of the minimum requirements given for inclusion in an internal audit charter under the Global Internal Audit Standard (GIAS) 9.3. Such requirements include everything beginning right from Internal Auditing’s Purpose to its commitment to quality assurance and improvement!
What is a Charter?
The Internal Audit Charter is a document that essentially establishes the Internal Audit function within an entity by providing it governance, guidance, position and authority and recognition.
What are the aims of a Charter?
An Internal Audit Charter aims to:
- Define Internal Audit
- Delineate the purpose of Internal Audit and explain how internal auditing helps the business accomplish its objectives.
- Align the Business Objectives with Internal Audit’s Objectives by mapping the entity’s Risk Universe with the Audit Universe
- Provide criteria for self-governing and guiding the Internal Audit Function in all its activities.
- Identify the audit services and methodologies.
- Make the stakeholders understand what Internal Audit does and how it does that.
- Specify Internal Audit’s quality assurance and improvement mechanisms.
Composition of Internal Audit Charter
The GIAS Standard 9.3 stipulates that an Internal Audit Charter should minimally comprise of:
- Purpose of Internal Auditing.
- Commitment to adhere to the Global Internal Audit Standards.
- Mandate and board’s responsibilities to support the internal audit function.
- Organizational position and reporting relationships.
- Responsibilities of the internal audit function, including scope and types of services to be provided.
- Commitment to quality assurance and improvement
All these requirements will carry extensive elaborations for the charter to be meaningful in its aims and the last 3 would be specific to each entity.
How do we make one?
Whilst you may feel intrigued to harness the power of AI for this significant content writing, I would instead advise entities to invest in a good quality senior resource who could help draft a custom Internal Audit Charter alongside seeding the internal audit function.
The pre-requisites of making a charter include:
- A good knowledge and understanding of the GIAS.
- Knowledge of the entity’s operating environment and risk universe.
- Grasping the entity’s understanding of its investment in internal audit.
- A draft of the audit universe
- A draft of the internal audit service methodologies expected to fully encompass the entity’s risk universe.
Let’s now have a closer look on what each requirement of GIAS 9.3 entails and how best to achieve those:
Requirements |
Entail |
May Also Include |
Purpose of Internal Auditing |
First Domain of GIAS; a brief on what internal auditing aims to achieve |
Definition of Internal Auditing, Elaboration of the key terms in the definition, What an IA Charter is? Purpose of the Internal Audit Charter |
Commitment to adhere to the Global Internal Audit Standards |
Second Domain of GIAS; ethics and professionalism |
Required exceptions to any standards, How IA is distinct in its professionalism? How emphasis on ethics could be substantiated? Any disclaimers in understanding IA work? |
Mandate and board’s responsibilities to support the internal audit function |
Third Domain of GIAS; authority, roles and responsibilities of Internal Audit, Board’s responsibilities w.r.t IA |
Rights & Responsibilities of the Management when dealing with Internal Audit
|
Organizational position and reporting relationships |
Third Domain of GIAS; functional independence of IA and its reporting relationship |
Hierarchical structure of the IA, Reporting Line of the IA, IA Organizational Model; In-House / Co-sourced / Outsourced, How IA assures its independence through inbuilt safeguards? IA’s performance evaluation responsibility |
Responsibilities of the internal audit function, including scope and types of services to be provided |
Fourth Domain of GIAS; overall management of internal audit function and its services, governing policies and procedures |
Audit Universe; determination & alignment with entity’s risk universe, Service engagement types and elaborate methodologies (nature & extent), IA and engagement planning & execution protocols, Deliverables, Working papers, Reporting & follow up mechanisms, Job roles, responsibilities and descriptions of IA team |
Commitment to quality assurance and improvement |
Fourth Domain of GIAS; Quality of IA services and improvement |
IA Performance metrics and evaluation criteria
|
When to start working on IA Charter?
Well, right after the Know Your Client (KYC) stage, efforts for preparing the Internal Audit Charter should be initiated, since the Charter builds on the understanding acquired after an in-depth review of the answers to KYC. More on KYC here.
Charter Finalization & Execution
It’s the Board and Management of an entity that we intend to serve when the entity invests in the Internal Audit. And since the functional independence of internal audit achieved through its reporting to the Board is pivotal in its service delivery and objectives accomplishment, the Charter remains draft unless it is reviewed, improved and endorsed by Management and reviewed and approved by the Board.
It is to be noted that management endorsement is not needed at the cost of undermining a professionally written IA Charter. The Management’s endorsement here serves to improve the charter and helps develop its understanding and thus acceptability.
Once approved by the Board, the Charter is put to execution through substantiation of each of its components.
Thus, it’s not just owing to the lack of understanding over what internal auditing has to offer but also because internal audit aims to distinct itself on account of its professionalism that formulation of a Charter isn’t just a best practice but is mandated by the GIAS.
The requirements that make up the charter do not leave any ambiguity! The charter is yet another Unique Selling Proposition of Internal Auditing when it comes to improving Governance, Risk Management and Control (GRC). Thinking GRC be assured through Internal Audit!