Internal Audit Charter for [name of organization]

Purpose
The purpose of the internal audit function is to strengthen [name of organization]’s ability to
create, protect, and sustain value by providing the board and management with independent,
risk-based, and objective assurance, advice, insight, and foresight.
The internal audit function enhances [name of organization]’s:

 Successful achievement of its objectives.

 Governance, risk management, and control processes.

 Decision-making and oversight.

 Reputation and credibility with its stakeholders.

 Ability to serve the public interest.

[name of organization]’s internal audit function is most effective when:

 Internal auditing is performed by competent professionals in conformance with The IIA’s

Global Internal Audit StandardsTM, which are set in the public interest.

 The internal audit function is independently positioned with direct accountability to the
board.

 Internal auditors are free from undue influence and committed to making objective
assessments.
Commitment to Adhering to the Global Internal Audit Standards
The [name of organization]’s internal audit function will adhere to the mandatory elements of
The Institute of Internal Auditors' International Professional Practices Framework, which are the
Global Internal Audit Standards and Topical Requirements. The chief audit executive will report
[periodically] to the board and senior management regarding the internal audit function’s
conformance with the Standards, which will be assessed through a quality assurance and
improvement program.

Mandate
[USER’S NOTE: In those jurisdictions and industries where the internal audit function’s mandate
is prescribed wholly or partially in laws or regulations, the internal audit charter must include the
legal requirements of the mandate. See user’s guide for more information.]
Authority
The [name of organization]’s board grants the internal audit function the mandate to provide the
board and senior management with objective assurance, advice, insight, and foresight.
The internal audit function’s authority is created by its direct reporting relationship to the board.
Such authority allows for unrestricted access to the board.
The board authorizes the internal audit function to:

 Have full and unrestricted access to all functions, data, records, information, physical
property, and personnel pertinent to carrying out internal audit responsibilities. Internal
auditors are accountable for confidentiality and safeguarding records and information.

 Allocate resources, set frequencies, select subjects, determine scopes of work, apply
techniques, and issue communications to accomplish the function’s objectives.

 Obtain assistance from the necessary personnel of [name of organization] and other
specialized services from within or outside [name of organization] to complete internal
audit services.

Independence, Organizational Position, and Reporting Relationships

The chief audit executive will be positioned at a level in the organization that enables internal
audit services and responsibilities to be performed without interference from management,
thereby establishing the independence of the internal audit function. (See “Mandate” section.)
The chief audit executive will report functionally to the board and administratively (for example,
day-to-day operations) to the [chief executive officer or equivalent senior officer]. This
positioning provides the organizational authority and status to bring matters directly to senior
management and escalate matters to the board, when necessary, without interference and
supports the internal auditors’ ability to maintain objectivity.
The chief audit executive will confirm to the board, at least annually, the organizational
independence of the internal audit function. If the governance structure does not support
organizational independence, the chief audit executive will document the characteristics of the
governance structure limiting independence and any safeguards employed to achieve the
principle of independence. The chief audit executive will disclose to the board any interference
internal auditors encounter related to the scope, performance, or communication of internal
audit work and results. The disclosure will include communicating the implications of such
interference on the internal audit function’s effectiveness and ability to fulfill its mandate.
Changes to the Mandate and Charter
Circumstances may justify a follow-up discussion between the chief audit executive, board, and
senior management on the internal audit mandate or other aspects of the internal audit charter.
Such circumstances may include but are not limited to:

 A significant change in the Global Internal Audit Standards.

 A significant acquisition or reorganization within the organization.

 Significant changes in the chief audit executive, board, and/or senior management.

 Significant changes to the organization’s strategies, objectives, risk profile, or the

environment in which the organization operates.

 New laws or regulations that may affect the nature and/or scope of internal audit
services.
Board Oversight
[USER’S NOTE: Due to the Global Internal Audit Standards’ “essential conditions,” board
responsibilities should be included in the internal audit charter. However, if an audit committee
charter that outlines its responsibilities is already in place, it is not necessary to repeat the
information in this charter.]
To establish, maintain, and ensure that [name of organization]’s internal audit function has
sufficient authority to fulfill its duties, the board will:

 Discuss with the chief audit executive and senior management the appropriate authority,
role, responsibilities, scope, and services (assurance and/or advisory) of the internal
audit function.

 Ensure the chief audit executive has unrestricted access to and communicates and
interacts directly with the board, including in private meetings without senior
management present.

 Discuss with the chief audit executive and senior management other topics that should
be included in the internal audit charter.

 Participate in discussions with the chief audit executive and senior management about
the “essential conditions,” described in the Global Internal Audit Standards, which
establish the foundation that enables an effective internal audit function.

 Approve the internal audit function’s charter, which includes the internal audit mandate
and the scope and types of internal audit services.

 Review the internal audit charter [periodically] with the chief audit executive to consider
changes affecting the organization, such as the employment of a new chief audit
executive or changes in the type, severity, and interdependencies of risks to the
organization; and approve the internal audit charter [periodically (typically annually)].

 Approve the risk-based internal audit plan.

 Approve the internal audit function’s human resources administration and budgets.

 Approve the internal audit function’s expenses.

 Collaborate with senior management to determine the qualifications and competencies

the organization expects in a chief audit executive, as described in the Global Internal
Audit Standards.

 Authorize the appointment and removal of the chief audit executive.

 Approve the remuneration of the chief audit executive.

 Review the chief audit executive’s performance.

 Receive communications from the chief audit executive about the internal audit function
including its performance relative to its plan.
  Ensure a quality assurance and improvement program has been established and review
the results annually.

 Make appropriate inquiries of senior management and the chief audit executive to
determine whether scope or resource limitations are inappropriate.

Chief Audit Executive Roles and Responsibilities

Ethics and Professionalism
The chief audit executive will ensure that internal auditors:

 Conform with the Global Internal Audit Standards, including the principles of Ethics and
Professionalism: integrity, objectivity, competency, due professional care, and
confidentiality.

 Understand, respect, meet, and contribute to the legitimate and ethical expectations of
the organization and be able to recognize conduct that is contrary to those expectations.

 Encourage and promote an ethics-based culture in the organization.

 Report organizational behavior that is inconsistent with the organization’s ethical

expectations, as described in applicable policies and procedures.
Objectivity
The chief audit executive will ensure that the internal audit function remains free from all
conditions that threaten the ability of internal auditors to carry out their responsibilities in an
unbiased manner, including matters of engagement selection, scope, procedures, frequency,
timing, and communication. If the chief audit executive determines that objectivity may be
impaired in fact or appearance, the details of the impairment will be disclosed to appropriate
parties.
Internal auditors will maintain an unbiased mental attitude that allows them to perform
engagements objectively such that they believe in their work product, do not compromise
quality, and do not subordinate their judgment on audit matters to others, either in fact or
appearance.
Internal auditors will have no direct operational responsibility or authority over any of the
activities they review. Accordingly, internal auditors will not implement internal controls, develop
procedures, install systems, or engage in other activities that may impair their judgment,
including:

 Assessing specific operations for which they had responsibility within the previous year.

 Performing operational duties for [name of organization] or its affiliates.

 Initiating or approving transactions external to the internal audit function.

  Directing the activities of any [name of organization] employee that is not employed by
the internal audit function, except to the extent that such employees have been
appropriately assigned to internal audit teams or to assist internal auditors.
Internal auditors will:

 Disclose impairments of independence or objectivity, in fact or appearance, to

appropriate parties and at least annually, such as the chief audit executive, board,
management, or others.

 Exhibit professional objectivity in gathering, evaluating, and communicating information.

 Make balanced assessments of all available and relevant facts and circumstances.

 Take necessary precautions to avoid conflicts of interest, bias, and undue influence.
Managing the Internal Audit Function
The chief audit executive has the responsibility to:

 At least annually, develop a risk-based internal audit plan that considers the input of the
board and senior management. Discuss the plan with the board and senior management
and submit the plan to the board for review and approval.

 Communicate the impact of resource limitations on the internal audit plan to the board
and senior management.

 Review and adjust the internal audit plan, as necessary, in response to changes in
[name of organization]’s business, risks, operations, programs, systems, and controls.

 Communicate with the board and senior management if there are significant interim
changes to the internal audit plan.

 Ensure internal audit engagements are performed, documented, and communicated in

accordance with the Global Internal Audit Standards.

 Follow up on engagement findings and confirm the implementation of recommendations

or action plans and communicate the results of internal audit services to the board and
senior management [periodically] and for each engagement as appropriate.

 Ensure the internal audit function collectively possesses or obtains the knowledge, skills,
and other competencies and qualifications needed to meet the requirements of the
Global Internal Audit Standards and fulfill the internal audit mandate.

 Identify and consider trends and emerging issues that could impact [name of
organization] and communicate to the board and senior management as appropriate.

 Consider emerging trends and successful practices in internal auditing.

 Establish and ensure adherence to methodologies designed to guide the internal audit
function.

 Ensure adherence to [name of organization]’s relevant policies and procedures unless

such policies and procedures conflict with the internal audit charter or the Global Internal
 Audit Standards. Any such conflicts will be resolved or documented and communicated
to the board and senior management.

 Coordinate activities and consider relying upon the work of other internal and external
providers of assurance and advisory services. If the chief audit executive cannot achieve
an appropriate level of coordination, the issue must be communicated to senior
management and if necessary escalated to the board.
Communication with the Board and Senior Management
The chief audit executive will report [periodically] to the board and senior management
regarding:

 The internal audit function’s mandate.

 The internal audit plan and performance relative to its plan.

 Internal audit budget.

 Significant revisions to the internal audit plan and budget.

 Potential impairments to independence, including relevant disclosures as applicable.

 Results from the quality assurance and improvement program, which include the internal
audit function’s conformance with The IIA’s Global Internal Audit Standards and action
plans to address the internal audit function’s deficiencies and opportunities for
improvement.

 Significant risk exposures and control issues, including fraud risks, governance issues,
and other areas of focus for the board.

 Results of assurance and advisory services.

 Resource requirements.

 Management’s responses to risk that the internal audit function determines may be
unacceptable or acceptance of a risk that is beyond [name of organization]’s risk
appetite.
Quality Assurance and Improvement Program
The chief audit executive will develop, implement, and maintain a quality assurance and
improvement program that covers all aspects of the internal audit function. The program will
include external and internal assessments of the internal audit function’s conformance with the
Global Internal Audit Standards, as well as performance measurement to assess the internal
audit function’s progress toward the achievement of its objectives and promotion of continuous
improvement. The program also will assess, if applicable, compliance with laws and/or
regulations relevant to internal auditing. Also, if applicable, the assessment will include plans to
address the internal audit function’s deficiencies and opportunities for improvement.
Annually, the chief audit executive will communicate with the board and senior management
about the internal audit function’s quality assurance and improvement program, including the
results of internal assessments (ongoing monitoring and periodic self-assessments) and
external assessments. External assessments will be conducted at least once every five years by
a qualified, independent assessor or assessment team from outside [name of organization];
qualifications must include at least one assessor holding an active Certified Internal Auditor®
credential.

Scope and Types of Internal Audit Services

The scope of internal audit services covers the entire breadth of the organization, including all
[name of organization]’s activities, assets, and personnel. [USER’S NOTE: if the internal audit
function has an audit universe, it could be referenced here.] The scope of internal audit activities
also encompasses but is not limited to objective examinations of evidence to provide
independent assurance and advisory services to the board and management on the adequacy
and effectiveness of governance, risk management, and control processes for [name of
organization].
The nature and scope of advisory services may be agreed with the party requesting the service,
provided the internal audit function does not assume management responsibility. Opportunities
for improving the efficiency of governance, risk management, and control processes may be
identified during advisory engagements. These opportunities will be communicated to the
appropriate level of management.
[USER’S NOTE: The list of examples below should be customized to the scope of services
agreed upon with the organization’s board and senior management. See Guide to Customizing
the Model Internal Audit Charter for more information.]
Internal audit engagements may include evaluating whether:

 Risks relating to the achievement of [name of organization]’s strategic objectives are

appropriately identified and managed.

 The actions of [name of organization]’s officers, directors, management, employees, and

contractors or other relevant parties comply with [name of organization]’s policies,
procedures, and applicable laws, regulations, and governance standards.

 The results of operations and programs are consistent with established goals and
objectives.

 Operations and programs are being carried out effectively and efficiently.

 Established processes and systems enable compliance with the policies, procedures,
laws, and regulations that could significantly impact [name of organization].

 The integrity of information and the means used to identify, measure, analyze, classify,
and report such information is reliable.

 Resources and assets are acquired economically, used efficiently and sustainably, and
protected adequately.
Approved by the board at its meeting on [date].

Acknowledgments/Signatures

_________________________________ _________________
Chief Audit Executive Date

_________________________________ _________________
Board Chair Date

_________________________________ _________________
Chief Executive Officer [optional] Date