An internal audit is an independent activity and it should ideally be reported to a board-level committee. In most organizations, the internal audit function reports to the audit committee of the board. This helps to protect the independence of the audit function.
The independence of the audit function is ensured through a management-approved audit charter.
The following figure shows the features of an audit charter:
The CISA candidate should note the following features of the audit charter:
- An audit charter is a formal document defining the internal audit's objective, authority, and responsibility. The audit charter covers the entire scope of audit activities.
- An audit charter must be approved by top management.
- An audit charter should not be changed too often and hence procedural aspects should not be included in it. Also, it is recommended to not include a detailed annual audit calendar including things such as planning, the allocation of resources, and other details such as audit fees, other expenses for the audit, and so on in an audit charter.
- An audit charter should be reviewed annually to ensure that it is aligned with business objectives.
Essentially, an auditor's activities are impacted by the charter of audit department, which authorizes the accountability and responsibility of the audit department.
An audit charter includes the following:
- The mission, purpose, and objective of the audit function
- The scope of the audit function
- The responsibilities of management
- The responsibilities of internal auditors
- The authorised personnel of the internal audit work
If an audit is outsourced to an audit firm, the objective of the audit, along with its detailed scope, should be incorporated in an audit engagement letter.
An audit charter forms the basis of structured audit planning. Activities relevant to audit planning are discussed in the next topic.
Key aspects from CISA exam perspective
The following table covers important aspects from the CISA exam perspective:
|
CISA questions |
Possible answers |
|
Who should approve the audit charter of an organization? |
Senior management |
|
What should the content of an audit charter be? |
The scope, authority, and responsibilities of the audit function |
|
What is the prime reason for review of an organization chart? |
To understand the authority and responsibility of individuals |
|
The actions of an IS auditor are primarily influenced by |
Audit charter |
|
Which document provides the overall authority for an auditor to perform an audit? |
Audit charter |
|
What is the primary reason for the audit function directly reporting to the audit committee? |
The audit function must be independent of the business function and should have direct access to the audit committee of the board |
Self-evaluation questions
- An audit charter should be approved by:
- Higher management
- The head of audit
- The Information Security department
- The project steering committee
- The audit charter should:
- Be frequently upgraded as per changes in technology and the audit profession
- Incorporate yearly audit planning
- Incorporate business continuity requirements
- Incorporate the scope, authority, and responsibility of the audit department
- The prime objective of an audit charter is to:
- Document the procedural aspect of an audit
- Document system and staff requirements to conduct the audit
- Document the ethics and code of conduct for the audit department
- Document the responsibility and authority of the audit department
- The document that delegates authority to the audit department is:
- The audit planner
- The audit charter
- The IT policy
- The risk assessment and treatment document
- The prime reason for the review of an organization chart is to:
- Get details related to the flow of data
- Analyze the department-wise employee ratio
- Understand the authority and responsibility of individuals
- Analyze department-wise IT assets
- An IS auditor would be primarily influenced by:
- The charter of the audit department
- The representation by management
- The structure of the organization
- The number of outsourcing arrangements
- Which of the following is the result of a risk management process?
- A corporate strategic plan
- A charter incorporating the audit policy
- Decisions regarding the security policy
- Outsourcing arrangements
- Which of the following should be included in an audit charter?
- Annual audit planning
- The audit function's reporting structure
- Guidelines for drafting audit reports
- An annual audit calendar
- The scope, authority, and responsibility of the IS audit function is defined by:
- The approved audit charter
- The head of the IT department
- The operational head of the department
- The head of audit
- Which of the following functions is governed by the audit charter?
- The information technology function
- The external audit function
- The internal audit function
- The information security function
- Which of the following covers the overall authority to perform an IS audit?
- The audit scope with goals and objectives
- Management's request to perform an audit
- The approved audit charter
- The approved audit schedule
- The audit function should be reported to the audit committee of the board because:
- The audit function has few resources
- The audit function must be independent of the business function and should have direct access to the audit committee of the board
- No other function should use the resources of the audit function
- The audit function can use their own authority to complete the audit on a priority basis.
- The best objective for the creation of an audit charter is to:
- Determine the audit resource requirements
- Document the mission and long-term strategy of the audit department
- Determine the code of conduct for the audit team
- Provide the authority and responsibility of the audit function