Professional Documents
Culture Documents
The purpose, authority, and responsibility of internal auditing should be adequate to enable the
internal audit activity to accomplish its objectives. For that reason, the purpose, authority, and
responsibility should be stated in a written charter and periodically reassessed.
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization’s operations. Accordingly, the Standards require the internal audit
activity to be independent and the internal auditors to be objective in performing their work. Thus,
independence is an attribute of an organizational unit, and objectivity is an attribute of individuals. In
this context, independence means that internal auditors can carry out their duties freely and objectively,
and objectivity is an independence in mental attitude.
*The term “board” here and elsewhere in pronouncements of The IIA includes “an
organization’s governing body, such as a board of directors, supervisory board, head
of an agency or legislative body, board of governors or trustees of a non-profit
organization, or any other designated body of the organization, including the audit
committee, to whom the chief audit executive may functionally report.”
Practice Advisory 1000-1: Internal Audit Charter
1. The purpose, authority, and responsibility of the internal audit activity should be defined
in a charter. The chief audit executive should seek approval of the charter by senior
management as well as acceptance by the board, audit committee, or appropriate
governing authority. The charter should (a) establish the internal audit activity’s
position within the organization; (b) authorize access to records, personnel, and
physical properties relevant to the performance of engagements; and (c) define the
scope of internal audit activities.
2. The internal audit activity’s charter should be in writing. A written statement provides
formal communication for review and approval by management and for acceptance by
the board. It also facilitates a periodic assessment of the adequacy of the internal audit
activity’s purpose, authority, and responsibility. Providing a formal, written document
containing the charter of the internal audit activity is critical in managing the auditing
function within the organization. The purpose, authority, and responsibility should be
defined and communicated to establish the role of the internal audit activity and to
provide a basis for management and the board to use in evaluating the operations of
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
2 SU 2: Charter, Independence, and Objectivity
the function. If a question should arise, the charter also provides a formal, written
agreement with management and the board about the role and responsibilities of the
internal audit activity within the organization.
3. The chief audit executive should periodically assess whether the purpose, authority,
and responsibility, as defined in the charter, continue to be adequate to enable the
internal audit activity to accomplish its objectives. The result of this periodic
assessment should be communicated to senior management and the board.
1. Value Proposition – The value proposition of the internal audit activity is realized
within every organization that employs internal auditors in a manner that suits the
culture and resources of that organization. That value proposition is captured in the
definition of internal auditing and includes assurance and consulting activities designed
to add value to the organization by bringing a systematic, disciplined approach to the
areas of governance, risk, and control.
2. Consistency with Internal Audit Definition – A disciplined, systematic evaluation
methodology is incorporated in each internal audit activity. The list of services can
generally be incorporated into the broad categories of assurance and consulting.
However, the services may also include evolving forms of value-adding services that
are consistent with the broad definition of internal auditing.
3. Audit Activities Beyond Assurance and Consulting – There are multiple internal
auditing services. Assurance and consulting are not mutually exclusive and do not
preclude other auditing services such as investigations and nonauditing roles. Many
audit services will have both an assurance and consultative (advising) role.
4. Interrelationship between Assurance and Consulting – Internal audit consulting
enriches value-adding internal auditing. While consulting is often the direct result of
assurance services, it should also be recognized that assurance could also be
generated from consulting engagements.
5. Empower Consulting Through the Internal Audit Charter – Internal auditors have
traditionally performed many types of consulting services, including the analysis of
controls built into developing systems, analysis of security products, serving on task
forces to analyze operations and make recommendations, and so forth. The board (or
audit committee) should empower the internal audit activity to perform additional
services if they do not represent a conflict of interest or detract from its obligations to
the committee. That empowerment should be reflected in the internal audit charter.
6. Objectivity – Consulting services may enhance the auditor’s understanding of
business processes or issues related to an assurance engagement and do not
necessarily impair the auditor’s or the internal audit activity’s objectivity. Internal
auditing is not a management decision-making function. Decisions to adopt or
implement recommendations made as a result of an internal auditing advisory service
should be made by management. Therefore, internal auditing objectivity should not be
impaired by the decisions made by management.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
SU 2: Charter, Independence, and Objectivity 3
1. The Glossary in the Standards defines “consulting services” as follows: “Advisory and
related client service activities, the nature and scope of which are agreed with the client
and which are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming
management responsibility. Examples include counsel, advice, facilitation, and
training.”
2. The chief audit executive should determine the methodology to use for classifying
engagements within the organization. In some circumstances, it may be appropriate to
conduct a “blended” engagement that incorporates elements of both consulting and
assurance activities into one consolidated approach. In other cases, it may be
appropriate to distinguish between the assurance and consulting components of the
engagement.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
4 SU 2: Charter, Independence, and Objectivity
3. Internal auditors may conduct consulting services as part of their normal or routine
activities as well as in response to requests by management. Each organization
should consider the type of consulting activities to be offered and determine if specific
policies or procedures should be developed for each type of activity. Possible
categories could include:
● Formal consulting engagements – planned and subject to written
agreement.
● Informal consulting engagements – routine activities, such as, participation
on standing committees, limited-life projects, ad-hoc meetings, and routine
information exchange.
● Special consulting engagements – participation on a merger and
acquisition team or system conversion team.
● Emergency consulting engagements – participation on a team established
for recovery or maintenance of operations after a disaster or other
extraordinary business event or a team assembled to supply temporary
help to meet a special request or unusual deadline.
4. Auditors generally should not agree to conduct a consulting engagement simply to
circumvent, or to allow others to circumvent, requirements that would normally apply to
an assurance engagement if the service in question is more appropriately conducted
as an assurance engagement. This does not preclude adjusting methodologies where
services once conducted as assurance engagements are deemed more suitable to
being performed as a consulting engagement.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
SU 2: Charter, Independence, and Objectivity 5
ACCOUNTABILITY
The chief audit executive, in the discharge of his/her duties, shall be accountable to
management and the audit committee to:
● Provide annually an assessment on the adequacy and effectiveness of the
organization’s processes for controlling its activities and managing its risks in the
areas set forth under the mission and scope of work.
● Report significant issues related to the processes for controlling the activities of the
organization and its affiliates, including potential improvements to those processes,
and provide information concerning such issues through resolution.
● Periodically provide information on the status and results of the annual audit plan and
the sufficiency of department resources.
● Coordinate with and provide oversight of other control and monitoring functions (risk
management, compliance, security, legal, ethics, environmental, external audit).
INDEPENDENCE
To provide for the independence of the internal auditing department, its personnel report to
the chief audit executive, who reports functionally to the audit committee and
administratively to the chief executive officer in a manner outlined in the above section on
Accountability. It will include as part of its reports to the audit committee a regular report on
internal audit personnel.
RESPONSIBILITY
The chief audit executive and staff of the internal audit department have responsibility to:
● Develop a flexible annual audit plan using an appropriate risk-based methodology,
including any risks or control concerns identified by management, and submit that
plan to the audit committee for review and approval as well as periodic updates.
● Implement the annual audit plan, as approved, including as appropriate any special
tasks or projects requested by management and the audit committee.
● Maintain a professional audit staff with sufficient knowledge, skills, experience, and
professional certifications to meet the requirements of this Charter.
● Evaluate and assess significant merging/consolidating functions and new or changing
services, processes, operations, and control processes coincident with their
development, implementation, and/or expansion.
● Issue periodic reports to the audit committee and management summarizing results
of audit activities.
● Keep the audit committee informed of emerging trends and successful practices in
internal auditing.
● Provide a list of significant measurement goals and results to the audit committee.
● Assist in the investigation of significant suspected fraudulent activities within the
organization and notify management and the audit committee of the results.
● Consider the scope of work of the external auditors and regulators, as appropriate,
for the purpose of providing optimal audit coverage to the organization at a
reasonable overall cost.
AUTHORITY
The chief audit executive and staff of the internal audit department are authorized to:
● Have unrestricted access to all functions, records, property, and personnel.
● Have full and free access to the audit committee.
● Allocate resources, set frequencies, select subjects, determine scopes of work, and
apply the techniques required to accomplish audit objectives.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
6 SU 2: Charter, Independence, and Objectivity
● Obtain the necessary assistance of personnel in units of the organization where they
perform audits, as well as other specialized services from within or outside the
organization.
The chief audit executive and staff of the internal audit department are not authorized to:
● Perform any operational duties for the organization or its affiliates.
● Initiate or approve accounting transactions external to the internal auditing
department.
● Direct the activities of any organization employee not employed by the internal
auditing department, except to the extent such employees have been appropriately
assigned to auditing teams or to otherwise assist the internal auditors.
Dated
3. The charter helps to establish the organizational status of the internal audit activity by
defining its purpose, authority, and responsibility.
a. The reporting level of the internal audit activity should be sufficient to enable the
internal audit activity to fulfill its responsibilities.
b. In some organizations, that reporting level is the board of directors. Many internal
audit activities currently report to lower levels, but the trend is toward reporting to
upper levels.
c. The CAE should also have regular communication with the board, audit committee, or
other appropriate governing authority.
1) Regular communication with the board helps assure independence and promote
broad engagement coverage, adequate consideration of engagement
communications, and appropriate action on engagement recommendations.
2) The audit committee should be composed only of external members of the board
or its equivalent in order to enhance the independence of both the internal and
external auditing functions.
d. In some organizations, the CAE is present at executive committee meetings in an
advisory capacity similar to that of the organization’s counsel.
e. The status of the internal audit activity is enhanced by a conscious effort to promote its
services within the organization through
1) Providing an excellent product conveyed through professionally prepared
engagement communications
2) Avoiding preoccupation with matters of little significance
3) Extending the internal audit function to all the sectors of the organization
4) Emphasizing internal auditors’ proficiency and professionalism
a) Internal auditors should engage only in those services for which they have
the necessary knowledge, skills, and other competencies.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
SU 2: Charter, Independence, and Objectivity 7
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
8 SU 2: Charter, Independence, and Objectivity
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
SU 2: Charter, Independence, and Objectivity 9
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
10 SU 2: Charter, Independence, and Objectivity
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
12 SU 2: Charter, Independence, and Objectivity
1. Internal auditors should report to the chief audit executive any situations in which
a conflict of interest or bias is present or may reasonably be inferred. The chief
audit executive should then reassign such auditors.
2. A scope limitation is a restriction placed upon the internal audit activity that
precludes the audit activity from accomplishing its objectives and plans. Among
other things, a scope limitation may restrict the:
● Scope defined in the charter.
● Internal audit activity’s access to records, personnel, and physical
properties relevant to the performance of engagements.
● Approved engagement work schedule.
● Performance of necessary engagement procedures.
● Approved staffing plan and financial budget.
3. A scope limitation along with its potential effect should be communicated,
preferably in writing, to the board, audit committee, or other appropriate
governing authority.
4. The chief audit executive should consider whether it is appropriate to inform the
board, audit committee, or other appropriate governing authority regarding scope
limitations that were previously communicated to and accepted by the board,
audit committee, or other appropriate governing authority. This may be
necessary, particularly when there have been organization, board, senior
management, or other changes.
1130.A1 – Internal auditors should refrain from assessing specific operations for
which they were previously responsible. Objectivity is presumed to
be impaired if an internal auditor provides assurance services for an
activity for which the internal auditor had responsibility within the
previous year.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
SU 2: Charter, Independence, and Objectivity 13
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
14 SU 2: Charter, Independence, and Objectivity
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
SU 2: Charter, Independence, and Objectivity 15
1130.A2 – Assurance engagements for functions over which the chief audit
executive has responsibility should be overseen by a party outside
the internal audit activity.
The following is the portion of this omnibus Practice Advisory relevant to Standards
1130.C1 and 1130.C2:
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com
16 SU 2: Charter, Independence, and Objectivity
6. Internal auditors should maintain their objectivity when drawing conclusions and
offering advice to management. If impairments to independence or objectivity
exist prior to commencement of the consulting engagement, or subsequently
develop during the engagement, disclosure should be made immediately to
management.
7. Independence and objectivity may be impaired if assurance services are provided
within one year after a formal consulting engagement. Steps can be taken to
minimize the effects of impairment by assigning different auditors to perform each
of the services, establishing independent management and supervision, defining
separate accountability for the results of the projects, and disclosing the
presumed impairment. Management should be responsible for accepting and
implementing recommendations.
8. Care should be taken, particularly involving consulting engagements that are
ongoing or continuous in nature, so that internal auditors do not inappropriately or
unintentionally assume management responsibilities that were not intended in the
original objectives and scope of the engagement.
Copyright © 2004 Gleim Publications, Inc. and/or Gleim Internet, Inc. All rights reserved. Duplication prohibited. www.gleim.com