Internal audit should be suitably positioned and resourced, and have the authority within the organisation, to enable it to fulfil its role effectively and deliver robust assurance which feeds up through the management and governance frameworks.

The establishment and approval of the internal audit charter and associated policies and procedures assists in achieving this. The charter should be widely published, providing clarity over the purpose and responsibilities of the internal audit function and ensuring there is a clear official mandate.

Internal audit charter

The charter establishes the purpose, authority and responsibilities for the internal audit service - it is a requirement of professional and sector audit standards.

The charter is usually approved by the audit committee on behalf of the board and should be updated annually. The charter typically includes:

  • introduction and purpose
  • independence and objectivity
  • authority and responsibilities including rights of access
  • limits to authority and responsibilities
  • CAE contact details
  • working protocol and performance monitoring
  • audit reporting and reporting lines
  • assurance framework
  • duty of care including data protection and fraud

Reporting lines will be established as part of the charter. These should reinforce independence, objectivity, and allow direct interaction between the chief audit executive (CAE) and the board - usually via the audit committee.

Performance monitoring of internal audit is typically associated with delivery of the audit plan, resource management, and compliance with working protocol - particularly surrounding target timeframes for the issue of core audit documentation to auditees and management.

Compliance with the above should be incorporated within the CAE annual internal audit report.

Audit policies and procedures

Policies and procedures establish formalised working practices, provide team members with a point of reference and improve the resilience of internal audit as a function of the business. Sometimes such documentation will be in the form of an audit manual.  

A common set of professional standards has been established - the IIA's International Professional Practices Framework (IPPF). For those operating within the standards, these policies and procedures can simply supplement the standards with local practice.  

All team members should be made suitably aware of policies and procedures as part of their induction and training programme.

Policies and procedures should outline departmental boundaries and views to guide the audit activity. Suggested areas of coverage include:

  • professional education and mandatory training
  • assignment delivery (planning and fieldwork)
  • audit documentation requirements (working papers)
  • quality and improvement programme
  • audit reporting
  • follow up
  • management information and performance monitoring
  • handling conflicts of interest (actual and perceived)
  • handling conflict in the audit process and escalation
  • retention of audit documentation
  • information security
  • travel/flexible working
  • business continuity
  • resource planning and management (including specialists, IT and co-sourced)
  • departmental risk management

The audit management process should ensure that the professional standards of the department, as detailed in the above policies and procedures, are complied with, that audit work delivered is of sufficient quality, and that delivery is managed in accordance with budgets.

Effective arrangements are core to the successful management of internal audit risks, protecting the department’s reputation and demonstrating value to the business.

IIA IPPF Standard 1000 – purpose, authority, and responsibility

IIA IPPF Standard 2040 – policies and procedures