2.2 The Standards Framework and the Internal Audit Charter
Key Takeaways
- Principle 6 (Authorized by the Board) requires an internal audit mandate (Standard 6.1) and a charter (Standard 6.2) approved by the board.
- The charter must specify, at minimum: Purpose, commitment to the Standards, the mandate (scope and types of services), board responsibilities for management support, and organizational position and reporting relationships.
- Principle 7 (Positioned Independently) calls for the CAE to report functionally to the board and administratively to senior management (typically the CEO).
- The CAE develops and maintains the charter; the board approves it after the CAE discusses it with the board and senior management.
The Mandate and the Charter
Within the Governing the Internal Audit Function domain of the Standards framework, Principle 6 (Authorized by the Board) establishes the function's authority. It produces two linked artifacts:
- The internal audit mandate (Standard 6.1) — the board's grant of authority, role, and responsibilities to the function. The mandate empowers internal audit to provide independent assurance, advice, insight, and foresight, and it gives the function the right of unrestricted access to records, personnel, and physical property relevant to engagements.
- The internal audit charter (Standard 6.2) — the formal, written document that records the mandate and the relationship between the function, the board, and senior management.
The chief audit executive (CAE) develops and maintains the charter, but the board approves it. Crucially, before approval the CAE must discuss the proposed charter with both the board and senior management to confirm it reflects their shared understanding of the function's purpose and expectations. The charter is reviewed periodically and updated when the function's mandate, position, or services change.
Required elements of the charter
The exam loves to ask which item must appear in the charter. Standard 6.2 specifies, at a minimum, these five elements:
| # | Required charter element |
|---|---|
| 1 | The Purpose of Internal Auditing |
| 2 | A commitment to conform with the Global Internal Audit Standards |
| 3 | The mandate — including the scope and types of services the function provides |
| 4 | The board's responsibilities and expectations regarding management's support of the function |
| 5 | The organizational position and reporting relationships (functional and administrative) |
A reliable memory hook is P-C-M-B-O: Purpose, Commitment to the Standards, Mandate, Board responsibilities, Organizational position. If an exam option lists something operational — a staffing roster, a risk-assessment methodology, individual engagement budgets — it is not a charter element; those live in the audit plan or methodology, which are separate, more frequently updated documents.
Positioning the Function Independently
Principle 7 (Positioned Independently) protects the function from interference. The mechanism is dual reporting:
| Reporting line | Reports to | Covers |
|---|---|---|
| Functional | The board (typically the audit committee) | Approving the charter, audit plan, and budget; appointing, removing, and evaluating the CAE; receiving communications on results |
| Administrative | Senior management (typically the CEO) | Day-to-day operations: HR administration, internal communications, budget administration |
Functional reporting to the board is what makes the function independent — it lets the CAE escalate findings without management filtering them. Administrative reporting to the CEO (or equivalent) gives the function organizational standing and access. This combination is the recommended structure, and it provides both independence and organizational alignment. If the CAE reported administratively to a lower officer (for example, the controller whose area is audited), independence would be impaired.
Safeguards for added roles
When a CAE also holds non-audit responsibilities (such as compliance or risk management), Standard 7.1 requires those roles to be documented in the charter together with safeguards that limit impairments to independence and objectivity. The board must understand and accept those arrangements. An undocumented operational role over an area the function audits is a clear impairment.
Standard 7.2 (Chief Audit Executive Qualifications) reinforces independence from the top: the board appoints, and where necessary removes, a qualified CAE who reports at a level high enough to perform audit work free of management interference. Independence is therefore not a single event but a set of standing conditions — reporting level, appointment authority, access, and documented safeguards — that the board must protect.
Board vs. Senior Management vs. CAE
Getting the responsibility split right is high-yield because stems often hand a task to the wrong party as a distractor:
- The board / audit committee — establishes and approves the mandate; approves the charter, the audit plan, the budget, and CAE compensation; appoints, evaluates, and removes the CAE; ensures the function has unrestricted access; and discusses the function's effectiveness.
- Senior management — supports the function, provides information and access, and responds to and acts on engagement results, but does not direct what internal audit may or may not audit.
- The CAE — develops and maintains the charter, manages independence safeguards, oversees the audit plan, and communicates results and any nonconformance with the Standards.
Common stem pattern
A frequent item gives a scenario where senior management tries to limit the audit plan, alter a finding, or restrict access. The correct response is almost always that the CAE communicates the impact to the board, because the board — not management — controls the mandate and plan. The board's ownership of the charter and plan is what gives internal audit the standing to push back.
Quick reference
- Mandate = Standard 6.1 (authority, role, responsibilities)
- Charter = Standard 6.2 (five required minimum elements)
- Developed/maintained by the CAE; approved by the board
- Functional reporting → board; administrative reporting → senior management
Why the board owns the mandate
The entire governance design exists to keep internal audit out of management's pocket. Because management is the party most often being audited, letting management approve the charter, set the plan, or pay the CAE based on results would gut the function's value. By vesting these decisions in the board, Principle 6 ensures the people internal audit reports to are not the people whose controls it examines. When you see a stem where a CEO or CFO tries to approve, redirect, or veto an audit matter, the reflex answer is that this authority belongs to the board, and the CAE's duty is to keep the board informed.
Which of the following is NOT one of the minimum elements that Standard 6.2 requires the internal audit charter to specify?
Who develops and maintains the internal audit charter, and who must approve it?
Under Principle 7, to whom should the chief audit executive report functionally and administratively to best preserve independence?