Internal Audit Charter

Cancer Research UK

Internal Audit Charter

September 2022         

1.  INTRODUCTION

This Charter sets out the principles upon which CRUK’s Internal Audit function is established and by which it operates. The contents of this Charter are aligned with the Institute of Internal Auditors (IIA) professional standards.
 

2.  MISSION

The mission of the CRUK Internal Audit function is to help Council and management protect the assets, reputation and sustainability of the Charity and to improve its operations. It does this by providing an independent, objective assessment of the adequacy and effectiveness of CRUK’s internal control environment. 
 

3.  VISION

CRUK Internal Audit:

  • Serves as the Charity’s trusted adviser on matters relating to risk and internal control.
  • Assists executive management and Trustees in their assessment and management of strategic, operational, financial and compliance risks.
  • Functions as a high-performance team, ensuring its practices remain sector leading and aligned with professional best practice.
     

4.  PURPOSE

Internal Audit’s purpose is to provide independent and objective assurance, advice and insight on the design and operational effectiveness of the Charity’s framework of risk management, internal control and governance to assist the Trustees, Audit Committee, management and employees in the effective discharge of their responsibilities. Internal Audit furnishes its stakeholders with analyses, appraisals, recommendations, and pertinent comments concerning the matters it reviews.  The primary objectives of Internal Audit are to:

  • Deliver a comprehensive programme of internal audit activities which support the Charity in relation to effective corporate governance, risk management and internal control.
  • Examine and evaluate the adequacy and effectiveness of systems of risk management and internal control across the Charity and challenge management to improve risk management where required.
  • Provide reasonable assurance that all significant risks are being identified, reported and managed and that appropriate controls are in place, thereby providing support for Trustees in complying with the requirements of relevant regulations (e.g. via the Charity Commission).
  • Assess the adequacy and effectiveness of internal controls for new and existing business processes.
  • Deliver value added, high quality audits in a timely manner in accordance with IIA Standards.
  • Conduct investigations into cases of alleged financial irregularity, fraud or other complaints.
  • Continually improve the audit function’s efficiency and effectiveness and provide for the development of internal audit staff.
     

5.  AUTHORITY AND INDEPENDENCE

The CRUK Audit Committee establishes the authority and responsibilities of the Internal Audit function. The Head of Internal Audit is a senior appointment and the role reports functionally to the CRUK Audit Committee and administratively to the Chief Operating Officer. The appointment or dismissal of the Head of Internal Audit will be determined by the CRUK Audit Committee and the Audit Committee Chair plays a key role in setting the objectives and renumeration of the Head of Internal Audit and appraising their performance. The Head of Internal Audit has full and free access to the CRUK Audit Committee and has the right to attend all or part of Executive Board meetings and other key management decision making fora.  It is the policy of the Audit Committee to have regularly scheduled private executive sessions with the Head of Internal Audit. This organisational structure is designed to allow Internal Audit to be independent and to effectively support it in fulfilling its purpose. The Audit Committee will evaluate the performance of the Internal Audit function annually and will, at its discretion, commission an independent external quality assurance review of the function.

With stringent regard for safekeeping and confidentiality, Internal Audit will have full, free and unrestricted access to all activities, records (in both paper and electronic format), property and personnel and meetings/decision making fora within CRUK necessary to accomplish its stated purpose.  Internal Audit is also provided unencumbered access to all CRUK subsidiaries, as well as to third parties performing services delegated to them by CRUK.  In the case of third parties, this access will be managed in accordance with related contractual terms. Documents and information given to Internal Audit will be handled in the same prudent manner as they are by those employees normally accountable for them.

To ensure the independence of Internal Audit, its personnel report to the Head of Internal Audit.  Internal Audit will include, as part of its reports to the Audit Committee, a regular report on Internal Audit personnel and their professional experience. In performing its functions, Internal Audit shall have no direct authority over any of the activities it reviews. It shall not design or implement procedures, prepare records or engage in any other activity that it would normally review and appraise and that could reasonably be construed to compromise its independence and objectivity.

Subject to approval by the Audit Committee, Internal Audit has the authority to allocate resources, select audits, determine scopes of work and apply the techniques required to accomplish audit objectives. Internal Audit may obtain necessary assistance from personnel in the Charity where they perform audits, as well as other specialised services from within or outside the Charity, as necessary. Internal Audit must remain free from undue interference by any element of the Charity including in matters relating to audit selection, scope, procedure, frequency, timing and the content, conclusions and opinions of its reports.
 

6.  SCOPE OF WORK

All the Charity’s activities, including those of its subsidiaries, fall within the remit of Internal Audit, including financial and non-financial (‘operational’) systems of internal control and all areas of risk relating to the Charity’s assets, reputation and sustainability.  The work of Internal Audit may also cover third parties performing services delegated to them by CRUK depending upon contractual arrangements.

Internal Audit should have within its scope the design and operating effectiveness of the Charity’s internal governance structures and processes including (but not necessarily be limited to) the following:

  • The process for the setting of risk appetite by the Trustees and management and the process for monitoring adherence to this, as well as the process by which risks are identified, analysed and managed;
  • The risk and control culture of the Charity including ‘tone at the top’ and related behaviours;
  • The controls established by management to manage key business processes. This should cover    both the processes and the quality of the work of the Charity’s first and second lines and key corporate events (process changes, new products and services, outsourcing etc). In interacting with second line functions Internal Audit should assess the adequacy and effectiveness of these functions to support an informed judgement as to the extent to which it is appropriate to take account of their work.
  • The reliability and integrity of management information, including financial and operational information. In particular, this includes information presented to the Board and senior management for strategic/operational decision-making and the related processes and controls supporting strategic and operational decision making;
     
  • The effectiveness and efficiency of operations;
     
  • The safeguarding of assets (both tangible and intangible); and
  • Compliance with CRUK policies, plans and procedures and with relevant legislation and regulations.

Internal Audit may provide consulting and advisory services to add value and improve the Charity’s operations.  Direct responsibility for the design and implementation of new processes and systems is not within the scope of Internal Audit.

It is not the role of the Internal Audit function to prevent or detect fraud; that remains the responsibility of line management.  Internal Audit can assist management in the discharge of their responsibilities for fraud management through the provision of independent assurance on the effectiveness of the processes in place to manage the risk of fraud and, where appropriate, to investigate possible incidents of fraud.

 

7.  INTERNAL AUDIT RESPONSIBILITIES

In delivering this scope, the Internal Audit function will:

  • Conduct its work in accordance with the Standards for the Professional Practice of Internal Auditing and the Code of Ethics promulgated by the IIA as well as other professional auditing standards and regulations that may be applicable.  Internal Audit will maintain up to date policies, procedures and performance measures and will implement a related quality assurance process.
  • Develop an annual audit plan using a risk based methodology that considers risks or internal control concerns identified by the Audit Committee, management or Internal Audit. The plan should focus on higher risk areas and should be submitted to the Audit Committee for review and approval.
  • Review the audit plan and adjust it as appropriate throughout the year (with the agreement of the Chair of the Audit Committee) to reflect any unplanned events or new and emerging risks so that it remains relevant given changes in the Charity’s risk profile or business processes.  All agreed changes to the audit plan should subsequently be brought back to the next Audit Committee for approval.
  • Regularly report on progress against delivery of the plan, highlighting any significant departures from the approved plan to senior management and the Audit Committee.  Also present to, and provide reports to, other Council committees as appropriate.
  • Secure a budget and manage resources to deliver the programme of audits/reviews in the approved plan.
  • Maintain a professional audit staff with sufficient knowledge, skills, experience and professional certifications to meet the requirements of this Charter. In performing their duties, internal auditors must exhibit the highest standards of professional objectivity and must always exercise due professional care. As required, in-house skills will be supplemented by external resources where specific subject matter expertise is required to deliver an audit to the required standard.
  • Consult with management on the specific Terms of Reference for individual audit projects before reviews commence.
  • Identify and report significant issues relating to processes involved in the control of key Charity activities, including improvements required to those processes detailing the related remedial actions, owners and implementation dates. 
  • Discuss draft reports with relevant managers and get agreement to any identified internal control improvement action plans.
  • Issue a final report and provide it, or a summary thereof, to the senior executives accountable for the activity reviewed, the owners of internal control improvement action plans identified in the report, the Audit Committee and External Audit. Regularly communicate and co-ordinate with others providing assurance services, including the external auditors, to ensure the overall assurance effort is managed efficiently and effectively. This will ensure that an integrated approach is taken to the overall assurance effort so that duplication is avoided and any gaps in coverage are identified and managed. As part of this, Internal Audit may audit the work of other CRUK functions providing assurance to assess the adequacy of that work and to enable reliance to be placed on their work as appropriate.
  • Provide a periodic update to senior management and the Audit Committee on the results of the audit work undertaken and any significant internal control weaknesses identified, together with mitigating actions, related owners, accountabilities and timescales. This reporting should include, at least annually, an assessment of overall effectiveness of the governance, risk and control framework of the organisation and the themes and trends arising from internal audit work and their impact on the organisation’s risk profile.
  • Have an open, constructive and co-operative relationship with relevant regulators and ensure regular communication and sharing of information with the external auditors.
  • Regularly follow up and report to the Audit Committee and Executive Board on management’s action plans to determine if internal control improvements have been implemented as agreed. 
  • Provide an independent investigative service to enable allegations of major malpractice or wrongdoing to be dealt with quickly and appropriately.
  • Serve as subject matter experts for internal controls in the development of new processes.
  • Perform special projects requested by the Audit Committee or by management (after approval by the Audit Committee Chair).
     

8.  MANAGEMENT RESPONSIBILITIES

To enable Internal Audit to deliver its responsibilities, CRUK management will:

  • Provide Internal Audit with full support and co-operation at all levels of operations.
  • Provide Internal Audit with complete and timely access to all records, property, personnel, meetings and decision making fora relative to the performance of their duties and responsibilities.
  • Provide accurate, relevant and complete data, information, documentation,  responses and any other pertinent information to Internal Audit in support of internal audit reviews. Management will act co-operatively and will collaborate in assisting Internal Audit with their examinations.
  • Review and comment on audit reports in a timely manner.
  • Provide action plans for all findings in Internal Audit reports and execute these action plans in accordance with agreed implementation dates.

The Internal Audit review and appraisal process does not in any way relieve other persons in the Charity of the responsibilities assigned to them.  Management is responsible for ensuring the adequacy of the design and effectiveness of internal controls. Responsibility for complying with policies and procedures, as well as correcting deficiencies, rests with respective process owners and management.