The Internal Audit Charter

Charter language: "The Internal Audit function exists to provide independent, objective assurance and advisory services designed to add value and improve [Organization]'s operations. The function assists the organization in accomplishing its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of governance, risk management, and internal controls."

Why this language matters: This is a direct adaptation of the IIA definition of internal auditing. It establishes both assurance and advisory as within scope from the outset -- which matters later when the function is asked to provide consulting services on a process redesign or a new system implementation. If the charter only authorizes assurance work, advisory services create an ambiguity that management can use to limit the function's involvement.

Charter language: "The Chief Audit Executive and members of the internal audit function are authorized unrestricted access to all functions, records, systems, property, and personnel of [Organization] necessary to accomplish audit objectives. This access includes but is not limited to financial systems, operational systems, enterprise resource planning platforms, data warehouses, human capital management systems, and any AI-driven or automated decision systems. Access is not subject to management approval on an engagement-by-engagement basis."

Why this language matters: "Access as needed" or "access subject to management approval" creates a process through which access can be delayed, narrowed, or denied without formal objection. Unrestricted access language, by contrast, makes any access limitation a charter deviation that must be disclosed to the audit committee. This distinction matters most during ERP transitions, when data structures change and IT teams may informally restrict access during stabilization periods.

In a modernizing organization, this access authority should be understood to extend explicitly to data completeness validation -- including access to migration logs, master data change histories, data quality reporting, and the input data layers feeding AI-driven systems. An access authority that does not cover these domains is materially incomplete for a function operating in a digital transformation environment.

Charter language: "The Chief Audit Executive reports administratively to the Chief Financial Officer. The Chief Audit Executive reports functionally to the Audit Committee of the Board of Directors. The Audit Committee holds authority over the appointment, compensation, performance evaluation, and removal of the Chief Audit Executive. The Chief Audit Executive has direct, unrestricted access to the Audit Committee and the full Board of Directors at any time and without CFO involvement or approval. Any scope limitations, resource constraints, or organizational impediments to audit independence shall be disclosed to the Audit Committee directly by the Chief Audit Executive."

Why this language matters: In an employee-owned company, the independence safeguards that public companies receive from external regulatory requirements must be built explicitly into the charter. Each sentence above addresses a specific failure mode: CFO control over the CAE appointment process, CFO as a gatekeeper to the audit committee, and undisclosed scope limitations. None of these protections can be implied -- they must be stated.

Charter language: "The internal audit function is authorized to perform assurance and advisory services across all organizational processes, functions, and entities, including but not limited to: financial reporting and controls, operational processes, compliance with laws and regulations, information technology and cybersecurity, enterprise systems and automated controls, AI-driven and algorithmic decision processes, ESOP plan administration and fiduciary processes, and strategic and emerging risk areas. Advisory services may be performed where they do not impair the function's independence or objectivity."

Why this language matters: Naming ESOP plan administration and AI-driven processes explicitly closes two gaps that most inherited charters have. ESOP scope language ensures the function has clear authority to review valuation inputs, trustee process integrity, and plan administration controls -- processes directly tied to employee retirement security. AI and automated process language ensures the function is not limited to auditing manual controls in a world where most consequential decisions are increasingly automated.

Charter language: "The Chief Audit Executive shall report audit results, findings, and recommendations to the Audit Committee at each regularly scheduled committee meeting. The Chief Audit Executive shall report to executive management on operational matters as appropriate. The Chief Audit Executive shall immediately report to the Audit Committee any significant risk exposures, control failures, governance concerns, fraud indicators, or instances where management has not accepted audit findings in a manner the CAE believes is prudent."

Why this language matters: The immediate escalation clause is the most important sentence in this section. Without it, the CAE has no chartered obligation to surface unresolved governance concerns until the next scheduled committee meeting -- which may be months away. The clause establishes a direct escalation path that exists independent of the administrative reporting relationship.

Charter language: "The Chief Audit Executive shall establish and maintain a quality assurance and improvement program that covers all aspects of internal audit activity. The program shall include ongoing performance monitoring, periodic internal assessments, and external quality assessments conducted by a qualified independent reviewer at least once every five years. Results of quality assessments shall be reported to the Audit Committee."

Why this language matters: The QAIP requirement is explicit in IIA 2024 Standards. Including it in the charter elevates it from a best practice to a chartered obligation -- and creates accountability to the audit committee for maintaining it. External quality assessments are particularly important in employee-owned companies where there is no public market scrutiny or external regulatory review of the audit function's effectiveness.

Charter language: "This charter shall be reviewed by the Chief Audit Executive and approved by the Audit Committee at least annually. Amendments require Audit Committee approval. The Chief Audit Executive shall present the charter to the Audit Committee at the first meeting of each fiscal year, noting any proposed changes and the basis for them."

Why this language matters: Annual review language transforms the charter from a static document into a living governance tool. It also creates a natural cadence for the CAE to demonstrate current knowledge of IIA Standards, emerging risk areas, and the organization's evolving needs -- which is itself a governance signal about the quality of audit leadership.