Internal audit charters look like procedural documents and are often treated as such. The charter is actually the source document for internal audit's independence, scope, authority, and resourcing. Most mid-sized listed company charters under-specify the provisions that matter, leaving internal audit to negotiate its operating boundary in every difficult conversation. A well-designed charter eliminates those negotiations before they arise.

What the charter is

The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing require that internal audit's purpose, authority, and responsibility be formally defined in an internal audit charter. The charter must be approved by senior management and the board (or its audit committee), and reviewed periodically. The Standards do not prescribe charter content in detail — they specify that certain matters must be addressed. The substantive quality of a charter sits in how those matters are addressed.

For mid-sized listed companies — entities with active securities listings, audit-committee-led oversight, and resource constraints that distinguish them from the largest enterprises — charter design is particularly consequential. Smaller enterprises can sometimes operate without a substantive charter on the strength of personal relationships; the largest enterprises typically have detailed charters as standard practice. Mid-sized listed companies sit in the band where the charter is substantively load-bearing.

The audit-committee relationship

The most consequential charter provisions concern the relationship between internal audit and the audit committee. The substantive questions: does the Chief Audit Executive (CAE) report functionally to the audit committee or administratively to management? Does the audit committee approve the CAE's appointment, performance evaluation, and compensation, or only ratify management proposals? Does the audit committee approve the internal audit plan, or review and discuss management's proposed plan? Does the audit committee have unfiltered private access to the CAE, or does that access pass through management?

The IIA Standards push toward strong audit committee oversight in each of these dimensions. Many mid-sized listed company charters use softer language — “the CAE has access to the audit committee chair” rather than “the CAE meets in executive session with the audit committee at each scheduled meeting”. The softer language is permissible under the Standards but produces an operating environment where management interactions shape internal audit's direction in practice more than the charter implies.

The substantive design question: under what circumstances does internal audit need to communicate with the audit committee in ways that management cannot constrain, and does the charter actually create that channel?

Independence and objectivity provisions

Independence in internal audit is not the absence of relationships — internal audit is part of the organisation. Independence is the structural arrangement that allows the function to perform its work without conditions that threaten its ability to do so objectively. The charter is where independence provisions sit.

The substantive provisions to include: prohibition on internal audit personnel performing operational activities they would later audit; mandatory rotation or cooling-off periods for personnel transferring from operational roles into internal audit; explicit independence of CAE compensation from operational outcomes; charter-anchored protection of internal audit's ability to access records, premises, and personnel; explicit protection against retaliation for personnel performing audit work.

Many mid-sized listed company charters describe independence as a principle without providing the structural provisions that actually create it. The charter language matters: charters that say “internal audit shall be independent” without specifying the structural mechanisms are effectively asking the function to negotiate independence as it goes.

Scope and authority

Scope provisions specify what internal audit may examine. The standard IIA pattern is broad: all activities, records, personnel, and physical premises of the organisation; subsidiaries, joint ventures, and other entities where the organisation has audit rights. Scope provisions also need to address contracted activities — where third parties perform substantive work, internal audit's right of access to the third party's records and personnel needs to be established.

Authority provisions specify the powers internal audit has within that scope: the right to access records on demand; the right to require explanation from personnel; the right to require evidence; the right to engage external expertise where the audit work demands it; the right to communicate findings to senior management and the audit committee without management filtering.

The pattern in many charters: broad scope, limited authority. Internal audit may examine anything but must work through management hierarchies for access. This pattern produces audits that take longer than they should and that surface findings that management has had time to anticipate and contextualise before they reach the audit committee. Substantive charters give internal audit the authority needed to do its work, not just the scope.

Resourcing

Resourcing provisions are often the weakest in mid-sized listed company charters — typically left as a management decision rather than addressed in the charter. The IIA Standards require the CAE to communicate the impact of resource limitations to senior management and the audit committee, but they do not specify the resourcing framework itself.

Substantive charters address resourcing structurally: who proposes the annual budget (CAE); who approves it (audit committee, with management input); under what circumstances can the budget be reduced during the year (typically only with audit committee approval); what mechanism exists for internal audit to engage external resources when in-house capacity is insufficient.

The under-specified pattern: “internal audit will be adequately resourced”. This language commits no-one to anything specific. Charters that specify the budget mechanism, the audit committee's role in budget approval, and the protection against in-year budget reduction produce internal audit functions that can plan their work; charters that do not specify them produce internal audit functions whose annual posture is uncertain until the budget is finalised.

Reporting

Reporting provisions specify how internal audit communicates with management and the audit committee. The substantive questions: what reporting cadence (per engagement and periodic), to whom, in what format; what triggers an immediate communication versus a scheduled one; how does internal audit report on the implementation status of prior recommendations; how does the CAE provide an annual opinion on the overall control environment.

The under-specified pattern: “internal audit will report periodically to the audit committee”. Substantive charters specify the reporting cadence (typically each scheduled audit committee meeting), the content categories that the report addresses, and the requirement for an annual opinion on the overall control environment.

Common charter mistakes

Across the practice, the recurring charter design mistakes include: vague language that effectively gives management discretion over internal audit's operating boundary; absence of structural independence provisions; conflation of administrative reporting (which is acceptable to management) with functional reporting (which should be to the audit committee); under-specified resourcing provisions; absence of explicit access and authority provisions; failure to address contracted activities and third parties; charters that have not been substantively updated to reflect changes in IIA Standards or in the organisation's structure.

The charter is also the document that audit committee members read first when a new committee member joins. A well-designed charter accelerates the new member's understanding of internal audit's role and authority; a thin charter leaves the new member to construct that understanding through subsequent meetings and conversations.