An internal audit charter is a formal document that defines the purpose, authority, scope, and responsibilities of an entity’s internal audit function. The Cayman Islands Monetary Authority (CIMA) does not prescribe a charter by name, but having one is governance best practice for regulated entities and directly supports compliance with CIMA’s Corporate Governance Rule, which requires documented governance structures proportionate to each entity’s risk profile.
What does an internal audit charter cover?
A well-drafted internal audit charter typically sets out: the mission and objectives of the internal audit function; its scope of activities and the areas it is authorised to review; the reporting lines, usually to the board or audit committee; the internal auditor’s right of access to records, personnel, and systems; and the basis on which audit plans are approved and findings reported. In doing so, it establishes the function’s independence in writing and gives it formal authority within the organisation.
Why does it matter for CIMA-regulated entities?
CIMA’s Rule – Corporate Governance for Regulated Entities (2023) – requires regulated entities to maintain governance frameworks that are documented, clear, and proportionate to their risk profile. An internal audit charter is one of the clearest ways to demonstrate that the internal audit function has been properly constituted, with defined authority, independence, and reporting lines. Without a charter, a regulator or reviewer may question whether the function is genuinely independent or merely informal.
Who approves the charter?
The charter should be approved by the board or audit committee, not by management. This matters because internal audit’s independence depends on it being accountable to governance rather than to the executives whose activities it reviews. Board approval of the charter is standard practice and signals that governance takes the function seriously. Some entities also require the charter to be reviewed whenever there is a material change in the entity’s structure, risk profile, or regulatory status.
Should you review and update the charter?
A charter is not a static document. As an entity’s size, risk profile, or regulatory obligations evolve, the charter should be reviewed and updated accordingly. Annual review by the audit committee is a reasonable standard for most regulated entities. Where the internal audit function is outsourced, the charter should also address the terms of the outsourcing arrangement and how the provider’s independence is maintained.
Drafting and maintaining a robust internal audit charter is one of the foundational steps in building a credible governance framework for a CIMA-regulated entity.
At wb.group we help regulated entities establish internal audit frameworks, including charter development. Contact us to learn more.
FAQs
The charter is the governing document that establishes the internal audit function, its authority, independence, and scope. The audit plan is the operational document that sets out the specific reviews to be undertaken in a given period, based on a risk assessment. The charter should be in place first; the audit plan follows from it and operates within the boundaries the charter defines.
CIMA does not prescribe a charter by name. However, the Corporate Governance Rule requires regulated entities to have documented governance structures proportionate to their risk profile. An internal audit charter is the standard mechanism for documenting the authority and independence of the internal audit function, and its absence may attract scrutiny during a CIMA inspection or regulatory review.
The board or audit committee should approve the charter, not senior management. This is essential for maintaining the independence of the internal audit function, since management are typically among the parties whose activities are being reviewed. Board-level approval also signals to CIMA and other reviewers that the internal audit function operates with genuine governance authority.