HEALTH PROTECTION AGENCY: INTERNAL AUDIT HANDBOOK
CHAPTER 2, SECTION 2: THE INTERNAL AUDIT CHARTER
1
INTRODUCTION
1.1
This Charter sets out the Terms of Reference for Internal Audit within the Health Protection
Agency: its role and functions, scope and purpose, authority to act and organisational
independence, its resources and the manner in which it will operate within the Agency.
1.2
The Charter covers:
a)
Role and functions of Internal Audit
b)
Scope and purpose
c)
Authority
d)
Independence
e)
Audit resources
f)
Other matters relating to the conduct of Internal Audit within the Health Protection Agency
2
ROLE AND FUNCTIONS OF INTERNAL AUDIT
Definition of Internal Audit
2.1
Internal Audit is an independent and objective appraisal service within an organisation:
a)
Internal Audit primarily provides an independent and objective opinion to the Accounting
Officer on risk management, control and governance, by measuring and evaluating their
effectiveness in achieving the organisation’s agreed objectives. In addition, Internal Audit’s
findings and recommendations are beneficial to line management in the audited areas. Risk
management, control and governance comprise the policies, procedures and operations
established to ensure the achievement of objectives, the appropriate assessment of risk, the
reliability of internal and external reporting and accountability processes, compliance with
applicable laws and regulations, and compliance with the behavioural and ethical standards
set for the organisation.
b)
Internal Audit also provides an independent and objective consultancy service specifically to
help line management improve the organisation’s risk management, control and
governance. The service applies the professional skills of internal audit through a
systematic and disciplined evaluation of the policies, procedures and operations that
management put in place to ensure the achievement of the organisation’s objectives, and
through recommendations for improvement. Such consultancy work contributes to the
opinion which Internal Audit provides on risk management, control and governance.
[An “effective” system of risk management, control and governance is one which is both adequate
(fit for purpose) and is being applied consistently.]
Investigation of irregularities
2.2
In addition to its normal assurance and advisory roles, Internal Audit within the Health Protection
Agency is also tasked with the responsibility for reviewing the systems for preventing and
detecting fraud and for investigating all cases of discovered fraud and corruption within, or
operated against, the Agency.
Version: Approved by the Audit Committee, 25 October 2005
Page 1 of 4
HEALTH PROTECTION AGENCY: INTERNAL AUDIT HANDBOOK
CHAPTER 2, SECTION 2: THE INTERNAL AUDIT CHARTER
3
SCOPE & PURPOSE
Purpose
3.1
The primary objective of Internal Audit is to provide the Accounting Officer with an independent
and objective opinion on risk management, control and governance, by measuring and evaluating
their effectiveness in achieving the organisation’s agreed objectives.
3.2
The Head of Internal Audit’s opinion is a key element of the framework of assurance the
Accounting Officer needs to inform their completion of the annual Statement on Internal Control
(SIC) included within the annual Accounts and Report of the Agency.
Scope
3.3
Risk management, control and governance comprise the policies, procedures and operations in
place to:
a)
establish, and monitor the achievement of, the organisation’s objectives
b)
identify, assess and manage the risks to achieving the organisation’s objectives
c)
advise on, formulate, and evaluate policy, within the responsibilities of the Accounting Officer
d)
ensure the economical, effective and efficient use of resources
e)
ensure compliance with established policies (including behavioural and ethical
expectations), procedures, laws and regulations
f)
safeguard the organisation’s assets and interests from losses of all kinds, including those
arising from fraud, irregularity or corruption
g)
ensure the integrity and reliability of information, accounts and data, including internal and
external reporting and accountability processes.
This scope covers
all the policies, procedures and operations of the Agency, of whatever type it
undertakes and in whatever location.
3.4
In the course of Internal Audit reviews, attention will be given to apparently uneconomical or
otherwise unsatisfactory results flowing from management decisions, policy or practice. Internal
Audit will also examine and evaluate systems designed to formulate, implement, monitor and
review matters of policy that result in expenditure for which the Chief Executive is accountable. It
may also review the formulation, implementation and operation of particular matters of policy but
it is not within the scope of Internal Audit to question policy decisions.
3.5
Internal Audit should be consulted about significant changes in internal control systems,
especially where these involve significant new responsibilities and activities involving third parties.
Internal Audit will offer advice and opinion on the adequacy of proposed control arrangements.
3.6
In the course of both its assurance and advisory work, a key objective of Internal Audit will be to
promulgate and promote best practice, encourage beneficial change and facilitate practical
improvements in risk management, control and governance across the Agency. Internal Audit, as
a function that operates in all parts of the Agency, will use its breadth of coverage to encourage
cross-Agency learning and the sharing of best practice internally. This will contribute to the
achievement of the Internal Audit function’s role and responsibility with respect to evaluating the
effectiveness of systems in terms of their adequacy (fitness for purpose).
3.7
Time is set aside to support managers with advice in relation to risk management, governance
and control arrangements or developments. Whilst Internal Audit is able to support managers in
this way, it cannot take decisions appropriate to managers nor take over responsibility for the
area being supported.
Version: Approved by the Audit Committee, 25 October 2005
Page 2 of 4
HEALTH PROTECTION AGENCY: INTERNAL AUDIT HANDBOOK
CHAPTER 2, SECTION 2: THE INTERNAL AUDIT CHARTER
4
AUTHORITY
Authority to Act
4.1
The authority of Internal Audit is derived from the Chief Executive, on whose behalf the Internal
Audit Service acts. Internal Audit is also accountable to the Audit Committee for the delivery and
quality of its audit work.
4.2
Organisationally, the Head of Internal Audit and the Internal Audit Service report, in line
management terms, to the Director of Finance & Resources. However, in matters relating to
Internal Audit and audit opinions, the Head of Internal Audit acts independently and is
accountable to audit customers and the Accounting Officer for the quality of work.
Right of Access
4.3
The Head of Internal Audit has the right of direct access to the Chief Executive on matters relating
to their accountabilities, and to the Chair of the Audit Committee.
4.4
Internal auditors have a right of access to all records, assets, personnel and premises of the
Agency to obtain such information and explanations as they consider necessary to fulfil their
objectives and discharge their responsibilities.
4.5
In order to fulfil its objectives, the Internal Audit Service may also require access to outside
organisations. Such cases will be agreed with the Chair of the Audit Committee and will depend
on the relationship and contractual arrangements in place between the Agency and the external
party.
5
INDEPENDENCE
Responsibility for internal control
5.1
In order to perform its functions, Internal Audit needs to maintain objectivity and independence
from management. Therefore, it has no executive responsibility for internal control. This rests
with managers who should ensure that appropriate and adequate arrangements exist without
reliance on audit activity.
5.2
In the course of their work, Internal Auditors will make recommendations on controls to be
incorporated within systems and procedures to improve risk management and governance within
the Agency. Such advice will be given without prejudice to the right of Internal Audit to evaluate
the operation of those controls and systems at a later date.
Responsibility for the implementation of audit recommendations
5.3
The Internal Audit Service will issue written reports of audit findings with appropriate
recommendations aimed at reducing risks to the achievement of the Agency’s objectives. It is for
management to decide whether to accept these findings and implement the recommendations
made or to accept the risks resulting from not taking action. However, in making decisions,
managers will need to be aware of their own accountabilities to the Chief Executive for propriety,
successful delivery of objectives and value for money.
5.4
The Internal Audit Service reports all significant audit findings to the Chief Executive and provides
an annual audit opinion on the effectiveness of managerial controls throughout the organisation.
The Chief Executive and the Audit Committee also receive information concerning the
acceptance and implementation of recommendations.
6
AUDIT RESOURCES
6.1
The professional skills and experience of Internal Audit staff appointed by the Agency are set out
in the agreed Job Descriptions and Person Specifications for staff within the Internal Audit
function. These are predicated on the expectation that Internal Audit staff will either be working
towards, or will have achieved, accreditation for the Government Internal Audit Certificate (GIAC).
Version: Approved by the Audit Committee, 25 October 2005
Page 3 of 4
HEALTH PROTECTION AGENCY: INTERNAL AUDIT HANDBOOK
CHAPTER 2, SECTION 2: THE INTERNAL AUDIT CHARTER
6.2
It is the responsibility of the Head of Internal Audit to ensure that the function is resourced
appropriately in terms of staff, contractors, skills, qualifications and experience to fulfil its
responsibilities. To this end, each Auditor will receive the necessary training for performance of
the full range of their duties, in accordance with guidance issued by HM Treasury in GIAC. The
Head of Internal Audit will alert the Chief Executive through the Audit Committee, or its Chair, to
shortfalls in resources which have an impact on the scope of Internal Audit activity and hence on
the level of assurance that can be provided.
7
OTHER MATTERS RELATING TO THE CONDUCT OF INTERNAL AUDIT WITHIN THE
HEALTH PROTECTION AGENCY
Ethical behaviour
7.1
Internal Auditors employed by the Health Protection Agency are bound by the Code of Ethics set
out in the Government Internal Audit Standards (GIAS) and should also have regard to the Code
of Ethics issued by the Institute of Internal Auditors. (See Chapter 2 Section 1).
Local audit procedures
7.2
In addition to these Terms of Reference, Internal Auditors and staff of the Agency should have
regard to the Local Audit Procedures drawn up by the Head of Internal Audit as set out in the
Internal Audit Handbook that ensure compliance with GIAS, which address:
a)
Scope
b)
Independence
c)
The Audit Committee
d)
Relationships with management, other auditors and other review bodies
e)
Staffing, training and development
f)
Audit strategy
g)
Management of audit assignments
h)
Due professional care
i)
Reporting
j)
Quality assurance.
Version: Approved by the Audit Committee, 25 October 2005
Page 4 of 4
