Internal Audit Charter
Cancer Research UK
September 2024
1. Introduction
This Charter provides the framework for Internal Audit at CRUK, formally documenting the purpose, mandate, scope, and responsibilities upon which the function is established and by which it operates. The contents of this Charter are aligned with the Institute of Internal Auditors (IIA) Global Standards, and it has been approved by the CRUK Chief Executive and the Audit Committee.
2. Mission
The mission of the CRUK Internal Audit function is to help CRUK achieve its overall organisational mission and its strategies, to protect the assets, reputation, and sustainability of the Charity and to optimise its operations.
3. Purpose
Internal Audit’s purpose is to provide independent and objective assurance, advice and insight on the design and operational effectiveness of the Charity’s framework of risk management, internal control, and governance to assist the Trustees and management in the effective discharge of their responsibilities. The Internal Audit function forms part of the overall governance framework within CRUK. CRUK adopts the Three-Lines Model for risk management and internal control in which Internal Audit acts as the third line,¹ reporting directly to the Audit Committee as the governing body of the model.
4. Mandate
The CRUK Audit Committee governs the Internal Audit function by establishing its authority and responsibilities. The function carries out its mandate by bringing a systematic, disciplined approach to evaluating and optimising the effectiveness of risk management, internal control, and governance throughout the organisation.
The Head of Internal Audit is a senior appointment, and the functional reporting line is directly to the CRUK Audit Committee and administratively to the Chief Operating Officer (COO). The Head of Internal Audit also has access to the Chief Executive Officer (CEO) as required.
The Head of Internal Audit has full and free access to the CRUK Audit Committee. It is the approach of the Audit Committee to have regularly scheduled private sessions with the Head of Internal Audit.
This organisational structure is designed to allow Internal Audit to be independent and to effectively support it in fulfilling its purpose.
Independence
To allow the Internal Audit function to give unbiased, objective opinions and impartial advice to management, the function will operate within the following framework:
- The Head of Internal Audit has a direct reporting line to the Audit Committee.
- Internal Audit will have no responsibility for the delivery of operational activities, i.e. those which may be subject to review, other than the undertaking of Internal Audit work, which may itself be subject to independent review.
- Internal Audit will prepare plans in collaboration with but without undue influence or pressure from management.
- Internal Audit will have sufficient and timely access to key management information and a right of access to all CRUK’s records necessary to discharge its responsibilities.
- Internal Audit will report in its own name.
- Internal Audit staff will inform the Head of Internal Audit promptly of any potential conflicts of interest, so that these can be appropriately managed. For example, staff will not review business activities that they have previously managed or been responsible for.
The Head of Internal Audit will confirm to the Audit Committee, at least annually, the independence of the Internal Audit function. The Head of Internal Audit will disclose to the Audit Committee any undue interference related to audit selection, scope, timing and the content, conclusions, and opinions of its reports. The disclosure will include communicating the implications of such interference on the Internal Audit function’s effectiveness and ability to fulfil its mandate.
5. Scope of Work
All of CRUK’s activities fall within the scope of Internal Audit’s work, including operations across all Directorates, within the UK and globally, outsourced activities and wholly owned subsidiaries and connected entities. The work of Internal Audit may also cover third parties performing services delegated to them by CRUK depending upon contractual arrangements. Internal Audit work aims to provide a balanced but risk-based approach to covering CRUK activities.
The remit of Internal Audit includes reviewing, appraising, and reporting on CRUK’s activities and procedures including:
- the achievement of objectives and whether results of operations or projects are consistent with set goals.
- the adequacy, efficiency, and effectiveness of the systems of financial and operational control.
- whether the organisation’s assets and resources are acquired economically, used efficiently, and are safeguarded from losses of all kinds, including theft, fraud, irregularity, and wastage.
- whether the actions of CRUK’s employees, volunteers and contractors are in compliance with CRUK’s policies, procedures, and applicable laws, regulations, and governance standards.
- the risk and control culture of the Charity, including ‘tone at the top’ and related behaviours and setting and monitoring adherence to risk appetite.
- significant risk exposures and control issues, including fraud risks, governance issues and other incidents reported to management.
- the integrity and reliability of information and data. This includes information presented to the Executive Board and Audit Committee for strategic / operational decision-making.
The scope covers both the processes and the quality of the work of the Charity’s first and second lines of governance. In interacting with second line functions Internal Audit should assess the adequacy and effectiveness of these functions to support an informed judgement as to the extent to which it is appropriate to place reliance on their work.
Internal Audit are unable to cover all CRUK’s areas of activity in a year. The function will adopt a risk-based approach, ensuring that work focuses on those areas of highest risk, namely principal risks, ineffective controls or missed opportunities that have been identified by CRUK as being a potential barrier to the achievement of objectives. Internal Audit may undertake special projects requested by the Audit Committee or by Council, on the approval of the Audit Committee Chair or Chair of Council.
Internal Audit may provide advisory services to add value and improve the Charity’s operations. However, direct responsibility for the design and implementation of new processes and systems is not within the scope of Internal Audit.
It is not the role of the Internal Audit function to prevent or detect fraud; that remains the responsibility of management. Internal Audit can assist management in the discharge of their responsibilities for fraud management through the provision of independent assurance on the effectiveness of the processes in place to manage the risk of fraud and, where appropriate, to investigate possible incidents of fraud.
6. Internal Audit Responsibilities
Internal Audit has the authority to select audit topics, determine scopes of work and apply the techniques required to deliver audit engagements. The primary responsibilities of Internal Audit are to:
- Deliver a comprehensive programme of high-quality and value-added Internal Audit activities, in a timely manner, which support the Charity in relation to examining and evaluating the adequacy and effectiveness of internal control, risk management and governance and challenge management to improve in these areas where required.
- Gather, evaluate, and communicate information based on available and relevant facts and circumstances.
- Follow up on engagement findings and confirm the implementation of actions to ensure improvements identified have been effectively addressed, and report on actions not implemented.
- Have an open, constructive, and co-operative relationship with stakeholders and ensure regular communication and sharing of information with the external auditors.
- Maintain the confidentiality and safeguarding of records and information.
- Disclose impairments of independence or objectivity, in fact or appearance, at least annually to the Head of Internal Audit.
Internal Audit may obtain necessary assistance from personnel in the Charity to fulfil these responsibilities, as well as other specialised services from within or outside the Charity, as necessary.
7. Head of Internal Audit Responsibilities
Ethics and Professionalism
The Head of Internal Audit will ensure that internal auditors:
- Conform with the Global Internal Audit Standards, including the principles of Ethics and Professionalism: integrity, objectivity, competency, due professional care, and confidentiality.
- Understand, respect, meet, and contribute to the legitimate and ethical expectations of the organisation.
- Encourage and promote an ethics-based culture in the organisation.
- Report organisational behaviour that is inconsistent with the organisation’s ethical expectations, as described in applicable policies and procedures, on an exception basis. Depending on the nature of the behaviour, reporting would be made within an Internal Audit report or immediately through internal reporting channels and directly to the CEO if necessary.
Managing the Internal Audit Function
The Head of Internal Audit has the responsibility to:
- Develop an audit plan using a risk-based methodology that considers risks or internal control concerns identified by the Audit Committee, management, and other stakeholders. The Plan will be submitted to the Audit Committee for review and approval.
- Review and adjust the Internal Audit Plan, as necessary, in response to changes in CRUK’s activities, risks, operations, systems, and controls. All agreed changes to the Plan should subsequently be approved by the Audit Committee Chair.
- Set an annual budget and manage resources to deliver the programme of audits in the approved plan.
- Ensure the Internal Audit function collectively possesses or obtains the knowledge, skills, and other competencies and qualifications needed to meet the requirements of the Global Internal Audit Standards.
- Establish and ensure adherence to methodologies designed to guide the Internal Audit function. Internal Audit will maintain up to date any necessary policies, procedures, and performance measures.
- Communicate, co-ordinate and consider relying upon the work of other internal and external providers of assurance and advisory services to promote an integrated, efficient yet proportionate framework of assurance. As part of this, Internal Audit may audit the work of other CRUK functions providing assurance to assess the adequacy of that work and to enable reliance to be placed on their work as appropriate.
Communication with the Audit Committee
The Head of Internal Audit will report to the Audit Committee regarding:
- The Internal Audit Plan and performance relative to its Plan at least three times a year, highlighting any significant departures from the approved Plan.
- Significant risk exposures and control issues, together with any mitigating actions.
- Management’s responses to risk that the Internal Audit function determines may be unacceptable or acceptance of a risk that is beyond CRUK’s risk appetite.
- Report, at least annually, an assessment of the overall effectiveness of the internal controls, risk and governance framework of the organisation and the themes and trends, emerging issues and successful practices that could impact CRUK, arising from Internal Audit work.
- At least three times a year, the implementation of actions arising from Internal Audit work to ensure improvements identified have been effectively addressed, highlighting any corrective actions not effectively implemented.
- Communicate the impact of budget and resource limitations on the Internal Audit Plan to the Board and Audit Committee.
- Potential impairments to independence.
- Results from the quality assurance and improvement programme, which include the Internal Audit function’s conformance with The IIA’s Global Internal Audit Standards and action plans to address the Internal Audit function’s deficiencies and opportunities for improvement.
- Present to, and provide reports to, other Council committees as appropriate.
Quality Assurance and Improvement Programme
CRUK’s Internal Audit function will adhere to the mandatory elements of The IIA’s Global Internal Audit Standards and Topical Requirements and ensure Internal Audit engagements are performed, documented, and communicated in accordance with the Standards.
The Head of Internal Audit will develop, implement, and maintain a quality assurance and improvement programme that covers all aspects of the Internal Audit function. The programme will include internal and external assessments of the Internal Audit function’s conformance with the Global Internal Audit Standards, as well as performance measurement to assess the Internal Audit function’s progress toward the achievement of its objectives and promotion of continuous improvement. External assessments will be conducted at least once every five years by a qualified, independent assessor.
8. Audit Committee’s Responsibilities
To establish, maintain, and assure that CRUK’s Internal Audit function has sufficient authority to fulfil its duties, the Audit Committee will:
- Review and approve the Internal Audit Charter.
- Authorise the appointment and removal of the Head of Internal Audit.
- Participate in discussions about, and approve, the remuneration of the Head of Internal Audit.²
- Contribute to the setting of objectives and input to the review of the Head of Internal Audit’s performance.
- Approve the risk-based Internal Audit Plan and consider the budget and resource requirements necessary to deliver the Plan.
- Receive communications from the Head of Internal Audit on the Internal Audit function’s performance relative to its Plan.
- Ensure the Head of Internal Audit has unrestricted access to, communicates, and interacts directly with the Audit Committee, including in private meetings without senior management present.
- Make appropriate inquiries of management and the Head of Internal Audit to determine whether the independence and authority of the function have been maintained, for example, if the function has encountered any inappropriate scope or resource limitations.
- Monitor the quality of Internal Audit work and ensure a quality assurance and improvement programme has been established and reviewed regularly.
9. Management Responsibilities
To enable Internal Audit to deliver its responsibilities, CRUK management will:
- Provide Internal Audit with full support and co-operation at all levels of operations.
- Provide Internal Audit with complete, unrestricted, and timely access to all records, property, personnel, meetings, and decision-making fora relative to the performance of their duties and responsibilities.
- Review Internal Audit reports in a timely manner and respond to all findings and execute action plans in accordance with agreed implementation dates.
- The COO will approve any expenses incurred by the Head of Internal Audit through delivery of their role, in line with CRUK’s expenses procedure.
The existence of the Internal Audit function does not in any way relieve other persons in the Charity of the responsibilities assigned to them. Management is responsible for ensuring the adequacy of the design and effectiveness of internal controls to manage risk effectively. Responsibility for complying with policies and procedures, as well as corrective actions, rests with respective action owners and management.
Approved by the Audit Committee at its meeting in September 2024.
The Charter will be reviewed every two years. Date of next review: September 2026
Circumstances may justify a follow-up discussion between the Head of Internal Audit, Executive Board, and Audit Committee on the Internal Audit mandate or other aspects of the Internal Audit Charter. Such circumstances may include but are not limited to:
- A significant change in the Global Internal Audit Standards.
- A significant acquisition or reorganisation within the organisation.
- Significant changes in the Head of Internal Audit, Executive Board, and/or senior management.
- Significant changes to the organisation’s strategies, objectives, risk profile, or the environment in which the organisation operates.
- New laws or regulations that may affect the nature and/or scope of Internal Audit services.