Giving Internal Audit An Effective Mandate

Internal auditing’s unique position within a company provides management and audit committee members with valuable assistance, by giving objective assurance on governance, risk management and control processes. For internal audit to be effective, however, the mandate of the internal audit function must be clearly defined, agreed to by all stakeholders, and approved by the board.

Executive management and members of the audit committee are the two key stakeholders in most organizations, so involving them is critical to ensure the internal audit mandate is balanced and meets the needs of everyone in the company. Also, remember that resourcing is driven by the mandate; that is, an incomplete mandate will lead to inappropriate allocation of resources.

The Mandate: A Critical Success Factor

The authority of the internal audit department is documented in its internal audit charter. An important area to explore first is the role the internal audit department should have: What services should it provide? What should its priorities be? Discussions with members of the audit committee and management should be held to determine what assurance and consulting services are needed. Exploring what internal audit departments at peer companies are doing can also be useful, and helps ensure that the approved internal audit mandate is current with best audit practice.

The internal audit department must support the audit committee’s responsibilities, so the committee’s charter should be reviewed when defining internal auditing’s roles and responsibilities. In fact, an annual “alignment review” of the two charters—audit committee and internal audit—is strongly recommended. While the NYSE listing rules require an annual review of the audit committee’s mandate, it is silent regarding internal audit. In my view, reviewing both charters every year makes good business sense, and the internal audit charter and the audit committee charter should be mutually supportive and reinforce their critical relationship.

Tackling The Internal Audit Charter

Establishing or updating an internal audit charter isn’t always easy. A variety of components need to be developed, and usually a company must go through several iterations of the charter’s actual content before striking the right tone. Participation by the entire internal audit department staff—at least the management team of internal audit—is crucial; without involvement, after all, there’s no commitment.

The overall mission and scope of work should be defined first; one good place to start is an accountability statement for the chief audit executive. Companies should also discuss issues of independence; for example, who sets the scope of internal audit projects, and to whom should the chief auditing executive report? (Another quick tip: Including a statement in the charter about the auditor’s open and free access to all information across the organization can save your auditors a lot of grief.)

The responsibilities of the department—what the function is and is not accountable for—comprise the majority of an internal audit charter. Including a standard of performance is also common, to delineate what standards should be used by the internal audit function in the performance of its work. The most common standard is the International Standards for the Professional Practice of Internal Auditing, as promulgated by the Institute of Internal Auditors.

Once a draft internal audit charter has been developed or updated, it needs to be reviewed by the stakeholder groups, and there are many different ways to get a draft charter approved and published. One common approach is to set aside time during an off-site meeting of internal audit staffers and management—with key executives like the CEO and CFO visiting—for the review and finalization of the audit charter. With Web-based interactive technology, the virtual sharing of the draft charter with all the stakeholders has become very popular, as it enables open-threaded discussions to take their course, and can increase acceptance levels. At smaller companies, a few key executives at a single staff meeting can finish the document in a morning. Development of an effective audit charter generally involves a combination of all of the above methods, plus others.

Revisit The Mandate Annually

The mandate of the internal audit department—defined in the internal audit charter—assists the department in performing its work because management and others are able to understand clearly what internal audit is charged with doing, and what they are accountable for. The audit charter is also a great communication vehicle for internal audit to discuss its services and priorities with clients and stakeholders.

In top-tier organizations that take governance seriously, presenting the approved internal audit mandate to the board or management committee is a common way of presenting the future: the goals of internal audit, the value the function brings to the organization, and its priorities and plans. This is also an excellent way for internal audit to obtain management’s agreement and feedback on the internal audit plans. The Institute of Internal Auditors has made available a great presentation by David Currie (see No. 3 in box above, left) titled “Establishing the Authority of the Internal Audit Activity.”

Directors must satisfy themselves that the mandate of internal audit is appropriate and that the internal audit function will contribute to the organization’s efforts. The dialogue between management, the audit committee, and the leadership of the internal audit function regarding the mandate is one of the keys to an internal auditing department’s long-term success.

An approved and published internal audit charter is not the end of implementing an effective internal audit function; it’s more like the end of the beginning. Really, the audit mandate is revisited with every new audit project as employees ask, “Why are we doing this?” Having a clear, approved charter makes answering that question much easier.