Policy Template for Internal Audit
1.0 Purpose
This policy defines and establishes the responsibilities of the internal audit function.
2.0 Scope
The scope of the Internal Audit Policy includes all areas of {{organization.name}} and its operations.
3.0 Policy
3.1 General
{{organization.name}} is committed to maintaining a risk-based, efficient, effective and economical internal audit function, and will ensure that all internal audit activities remain independent of management whenever possible.
Internal Audit’s role is to perform and manage Internal Audit activities, which include but are not limited to developing an annual audit plan, executing the audits, providing recommendations to the business functions impacted by the audits, reporting the results to management, and following up on open items or previous deficiencies.
The Internal Audit plan should be reviewed annually and communicated to appropriate stakeholders.
The Senior Management Team is responsible for ensuring that internal controls are operating effectively and that the controls mitigate all existing risks. They are also responsible for deciding whether to accept or implement internal audit findings and recommendations.
3.2 Internal Audit Plan
The Internal Audit Plan shall, at a minimum, include the high-level scope and timing of the internal audits and be approved by Management.
3.3 Audit Execution
Management will make sure that the teams being audited are available and have time to provide the required evidence to the internal audit function. The Internal Audit function will perform the audits through a combination of discussions with staff and review and analysis of relevant documentation and systems in scope. Any potential findings shall be discussed and confirmed with relevant staff prior to being included in the Internal Audit Report.
3.4 Audit Reporting
The Internal Audit function shall draft an Internal Audit Report. The report should include the functions audited, describe the review process, findings and identified gaps, and recommended mitigations. The draft shall remain open to discussions and comments. The final review of the report shall address the comments and recommendations. Once finalized, the report shall be distributed to relevant staff and management functions.
Control failures and deficiencies, proposed corrective action plans for newly identified issues, and progress reports for the corrective action plans are communicated to Management quarterly. High-risk deficiencies and action items not corrected within the agreed remediation period are communicated to the Board of Directors at least annually.
3.5 Follow-up and Monitoring
The Internal Audit function shall follow up on the status of deficiencies. Management shall provide relevant information and evidence demonstrating actions taken to date, outlining actions still to be taken, and giving a revised implementation date if required.
3.6 Exceptions
Any exception to this policy or the audit plan must be approved by Management in advance and documented in a written record.