Head Office
Head Office
Ngezi
Selous Metallurgical
263 867 700 4612 Mon - Fri 08:00 - 17:00 P O Box 6380, Harare, Zimbabwe
+263 772 131 619-30 Mon - Fri 08:00 - 17:00 P O Box 61, Selous, Zimbabwe
+263 772 513 910-15 Mon - Fri 08:00 - 17:00 P O Box 61 Selous, Zimbabwe
Certified
ISO 9001:2015
Certified
ISO 14001:2015
Certified
ISO 45001:2018
News Alerts Subscription

Internal Audit Charter

1. Introduction 

The internal audit charter defines the role, associated responsibilities and authority of internal audit including addressing its role within the combined assurance and the internal audit standards to be adopted. (King IV Principle 15 Recommended Practice No 49.) 

The internal audit charter must be updated on an annual basis as per the International Standards for the Professional Practice of Internal Auditing (the Standards). 

The board assumes responsibility for internal audit by setting the direction for the internal audit arrangements needed to provide objective and relevant assurance that contributes to the effectiveness of governance, risk management and control processes. The board delegates oversight of internal audit to the audit and risk committee. (King IV Principle 15 Recommended Practice No 48.) Executing this responsibility includes the establishment of an internal audit function. 

Internal controls are the processes implemented by management aimed at achieving set business objectives through the realisation of the following control objectives: 

  • The accomplishment of established objectives and goals for operations and set programmes; 
  • The effective and efficient use of organisational resources; 
  • The reliability and integrity of financial and non-financial information; 
  • Compliance with relevant policies, procedures, laws and regulations; and 
  • The safeguarding of the company’s assets. 

2. Purpose of the Charter 

The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s positioning within the organisation, including the nature of the Chief Audit Executive’s (being “EY’s Director In Charge’s”) (“the CAE’s”) functional reporting relationship with the board; authorises access to records, personnel, physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the Board. 

The internal audit function will govern itself in accordance with the mandatory elements of the Institute of Internal Auditor’s (“the IIA’s”) ten core principles, the definition of internal auditing, the Standards and IIA’s Code of Ethics. The CAE will report periodically to senior management and the board regarding the internal audit function’s conformance to the Code of Ethics and the Standards. The Code of Ethics and Standards are available on request. The IIA Code of Ethics is signed by all internal audit staff on an annual basis and is reported to the audit and risk committee (King IV Principle 15 Recommended Practices no 61). Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 2 

3. Core Principles, Definition of Internal Auditing and the IIA’s Code of Ethics 

The Core Principles for the Professional Practice of Internal Auditing are the foundation for the International Professional Practices Framework and support internal audit effectiveness. 

  • Demonstrates integrity 
  • Demonstrates competence and due professional care 
  • Is objective and free from undue influence (independent) 
  • Aligns with the strategies, objectives and risks of the organisation 
  • Is appropriately positioned and adequately resourced 
  • Demonstrates quality and continuous improvement 
  • Communicates effectively 
  • Provides risk-based assurance 
  • Is insightful, proactive, and future-focused 
  • Promotes organisational improvement. 

Internal auditing is defined as an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. 

The internal audit profession is founded on the trust placed in its objective assurance about governance, risk management and control. As such, the IIA’s Code of Ethics, comprising Principles and Rules of Conduct, is necessary and appropriate. Its purpose is to promote an ethical culture in the profession of internal auditing by describing behavioural norms and providing practical applications to guide the ethical conduct of internal auditors. 

The IIA’s Code of Ethics serves as a mandatory minimum requirement for conduct and behavioural expectations of internal auditors and should not be seen to supersede Zimplats’ Code of Ethics but rather to support it. 

4. Purpose and Mission 

The purpose of the internal audit function (“IA”) is to provide independent, objective assurance and consulting services designed to add value and improve Zimplats’ operations. 

The mission of IA is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. IA helps Zimplats to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, compliance, risk management and control processes. 

5. Independence and objectivity 

The CAE is independent from management and designs and implements controls that are in place and the position carries the necessary authority to deliver on its mandate and to operate in an independent and objective manner. (King IV Principle 15 Recommended Practices no 51.) Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 3 

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner in areas such as audit selection, scope, procedures, frequency, timing and report content. 

Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others. 

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records or engage in any other department that may impair their judgment, including: 

  • • Assessing specific operations for which they had responsibility within the previous year; 
  • Performing any operational duties for Zimplats or its affiliates; 
  • Initiating or approving transactions external to the internal audit department; 
  • Directing the activities of any Zimplats employee not employed by the internal audit department, except to the extent that such employees have been appropriately assigned to auditing teams or to otherwise assist internal auditors. • Disclose any impairment of independence or objectivity, in fact or appearance, to appropriate parties; 
  • Exhibit professional objectivity in gathering, evaluating and communicating information about the activity or process being examined; 
  • Make balanced assessments of all available and relevant facts and circumstances; and 
  • Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments. 

To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to senior management and the board. 

Threats to independence and objectivity are managed at the individual auditor, engagement, functional and organisational levels. The CAE will ensure that the internal audit department remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the CAE determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties. 

Internal auditors must: 

The CAE will confirm to the audit and risk committee, at least annually, the organizational independence of the internal audit department. 

The CAE will disclose to the audit and risk committee any interference and related implications in determining the scope of internal auditing, performing work and/or communicating results. Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 4 

6. Objectives of Internal Audit 

The primary objectives of Internal Audit are to provide the following in an independent and objective manner: 

  1. Support for good corporate governance ethos; 
  2. Requisite credible assurance that the control environment is adequate and effective to manage existing and emerging risks as identified; 
  3. Investigation of all reported allegations of fraud, corruption, unethical behaviour and irregularities; 
  4. Quality reports coupled with value adding, cost effective and practical recommendations; 
  5. Provide a written assessment of internal financial controls to the audit and risk committee (King IV Principle 8 Recommended Practices no 59 (e); and 
  6. Provide a written assessment on the effectiveness of the company’s system of internal controls and risk management to the board (King IV Principle 15 Recommended Practices no 59.) 

In fulfilling its mission, Internal Audit considers: 

  • The risks that may prevent or slow down the realisation of strategic goals (as identified by enterprise-wide risk management practices); 
  • Whether controls are in place and functioning adequately and effectively to mitigate strategic risks; 
  • The opportunities that will promote the realisation of strategic goals if identified in good time, assessed timely, adequately and managed effectively by Zimplats’ management team; 
  • Those risks that may not have been considered, or risks identified but unattended at the time when they need attention by management; 
  • Provide cost efficient recommendations for consideration and implementation by management; and 
  • That the audit and risk committee and the board receive appropriate assurance and reliable information from management. 

7. Scope of internal audit activities 

The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the audit and risk committee, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for Zimplats. Internal audit assessments include evaluating whether: 

  • Risks relating to the achievement of Zimplats’ strategic objectives are appropriately identified and managed; 
  • The actions of Zimplats’ officers, directors, employees and contractors are in compliance with Zimplats’ policies, procedures and applicable laws, regulations and governance standards; 
  • Operations or programs are carried out effectively and efficiently; 
  • Established processes and systems enable compliance with the policies, procedures, laws and regulations that could significantly impact on the Zimplats; 
  • Information and the means used to identify, measure, analyse, classify and report such information are complete, accurate, reliable, timely and have integrity; 
  • Resources and assets are acquired economically, used efficiently and protected adequately; and 
  • The results of operations or programs are consistent with established goals and objectives. 

Opportunities for improving management control, profitability and Zimplats’ image identified during internal audit reviews will be communicated to the appropriate levels of management, for action and implementation. Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 5 

The CAE will report periodically to senior management and the audit and risk committee regarding: 

  • The internal audit department’s purpose, authority and responsibility. 
  • The internal audit department’s plan and performance relative to its plan; 
  • The internal audit department’s conformance with the IIA’s Code of Ethics and Standards and action plans to address any significant conformance issues; 
  • Significant risk exposures and control issues, including fraud risks, governance issues and other matters requiring the attention of, or requested by, the audit and risk committee; 
  • Results of audit engagements or other activities; 
  • Any response to risk by management that may be unacceptable to Zimplats. 

The CAE also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit department may perform advisory and related client service activities, the nature and scope of which will be agreed with Zimplats, provided the internal audit department does not assume management responsibility. 

Opportunities for improving the efficiency of governance, risk management and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management. 

8. Limitation of scope 

Any attempted scope limitation by management must be reported, preferably in writing, to the Chief Executive Officer and to the audit and risk committee simultaneously. The question of whether an action from management in fact constitutes a scope limitation is at the judgment of the CAE. Except in cases of suspected fraud, the Chief Executive Officer and the audit and risk committee may decide to accept a limitation of scope. In such instances, the CAE should evaluate whether the circumstances surrounding the scope limitation are still valid and whether the scope limitation needs to be reported again to the Chief Executive Officer and the audit and risk committee for their renewed consideration. 

9. Approach 

Internal Audit pursues a risk-based approach to planning. The planning takes the form of an assessment of risks and opportunities facing Zimplats and considers the following: 

  • • Alignment with Zimplats’ risk assessment processes (considering the risk maturity of Zimplats); 
  • • Assessment of Zimplats’ control environment; 
  • • Zimplats’ risks and opportunities identified by management and other key stakeholders; 
  • • Cognisance of industry relevant emerging issues; and 
  • • The adequacy of resources and skills available to the CAE to execute the plan. 

The CAE is ultimately responsible for the work performed by all staff members of Internal Audit (including co-sourced and outsourced work performed). This includes, but is not limited to, the establishment of the scope of activities to be carried out in the different service lines, the tools used and methodologies to be followed, procedures and standards, headcount of the function in the different service lines, required skills, educational levels, experience, etc. for recruitment into the function, decisions on the possible outsourcing or co-sourcing of capacity and related decisions. Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 6 

10. Resources 

Internal Audit is supported by the audit and risk committee to obtain the necessary skills and resources to address the complexity and volume of risk faced by the organisation through the use of external independent firms of professional service providers. (King IV Principle 15 Recommended Practices no 50) 

Internal Audit is responsible for the overall preparation and execution of the internal audit plan and for coordinating/monitoring the co-sourced and outsourced internal audit service commissioned to bring the deliverables of Internal Audit to acceptable levels regarding coverage and skills, as may be applicable. 

11. Positioning and reporting 

The CAE has a dual-reporting relationship and reports administratively to the Chief Finance Officer, and functionally to the Chairperson of the audit and risk committee. The CAE must confirm to the board at least annually that the independence and objectivity of the function have not been impaired. This comfort is achieved through direct and unrestricted access to, amongst others, the Chief Executive Officer, the Chief Finance Officer, the Chairperson of the board and the Chairperson of the audit and risk committee and members, as well as free and unfettered access to information as and when it may be required for audit and risk purposes. (King IV Principle 15 Recommended Practices no 53 and 56). 

The approval of the audit and risk committee is required for the removal or replacement of the CAE and this Committee is responsible for his performance appraisal. (King IV Principle 15 Recommended Practices no 52 and 57). Furthermore, the CAE will have access to the Exco packs and related documentation as well as a brief meeting with the Chief Finance Officer after the Exco meetings. (King IV Principle 15 Recommended Practices no 54). 

Internal Audit exercises independence with respect to the divisions it audits and, consequently, is not subject to restriction in the scope of its work by operational or executive management. Furthermore, the Board does not place any restrictions on the scope of the audits, although it is recognised that the audit and risk committee may provide general direction as to the scope of work and the activities to be audited. 

The audit and risk committee ensures that Internal Audit is subjected to an independent quality review as and when the Committee determines it appropriate (at least once every 5 years) as a measure to ensure that the function remains effective and accredited. (King IV Principle 15 Recommended Practices no 60) 

The independence and objectivity of the function is monitored by the audit and risk committee on an on-going basis to ensure that neither is impaired. 

12. Authority 

The audit and risk committee establishes the authority and responsibilities of Internal Audit on behalf of the Board. 

To establish, maintain and assure that Internal Audit has sufficient authority to fulfil its duties, the audit and risk committee must: Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 7 

  • Approve the internal audit charter; 
  • Approve the risk-based internal audit plan; 
  • Approve Internal Audit’s budget and resource plan; 
  • Receive communications from the CAE on Internal Audit’s’ performance relative to its plan and other related matters; 
  • Approve decisions regarding the appointment and removal of the CAE; 
  • Approve the remuneration of Internal Audit; and 
  • Make appropriate inquiries of management and the CAE to determine whether there is inappropriate scope or resource limitations. 

The CAE and internal audit staff are authorised to: 

  • Have unrestricted access to all records, properties, functions, personnel (including management) and information necessary to effectively discharge its responsibilities, subject to strict accountability for safekeeping and confidentiality thereof; 
  • Have full and free access to the audit and risk committee and its Chairperson; 
  • Allocate resources, set frequencies, select entities to be audited, determine scopes of work and apply the techniques required to achieve set audit objectives and issue reports; 
  • Obtain assistance from the necessary personnel in service lines of Zimplats where they perform reviews, as well as other specialised services outside Zimplats; and 
  • Perform periodic reviews on all activities of Zimplats, including all its divisions, subsidiaries and joint ventures. Internal Audit will exercise due care and prudence in handling documentation and information provided to the internal auditors. 

The CAE and internal audit staff are NOT authorised to: 

  • Perform any operational duties for Zimplats or its affiliates unless specifically agreed to by the CAE and the audit and risk committee after first considering the impact on the function’s independence; 
  • Initiate or approve accounting transactions external to Internal Audit; 
  • Direct the activities of any service line or employee not employed by Internal Audit, except to the extent that such employees have been appropriately assigned to Internal Audit or to otherwise assist Internal Audit; 
  • Design and/or install procedures, prepare records, or engage in any other activity that it would normally review and appraise and that could reasonably be construed to compromise its independence and objectivity; and 
  • Assess any operations for which they were previously responsible, at least for a period of twelve months. 

13. Responsibilities 

The CAE and staff deliver on these responsibilities by performing the following: 

  • Ensuring that Internal Audit’s reporting meets management and audit and risk committee requirements while still complying with the IIA Standards throughout the audit process; 

Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 8 

  • Internal Audit processes that are flexible and dynamic in addressing the emerging business, organisational, operational and assurance needs on an ongoing basis updated to the annual plan; 
  • Ensuring the planning and approach to internal audits is informed by the strategy of Zimplats and attempts to align with business performance thereby contributing to the achievement of strategic objectives; 
  • Using an appropriate risk-based methodology, including any risk or control concerns identified by the Board and/or management and submitting an annual plan to the audit committee (including changes to the audit plan) for review and approval (King IV Principle 15 Recommended Practice no 58); 
  • Implementing the five-year rolling plan through annual plans, as approved, including special tasks or projects requested by management and/or the audit and risk committee; 
  • Maintaining a professional internal audit staff with integrity, sufficient knowledge, skills and experience to meet the requirements of this charter; 
  • Establishing an effective quality assurance and improvement program through which the CAE assures its stakeholders of value adding internal auditing activities; 
  • Performing consulting activities such as facilitation, process design, training and advisory services, from time-to-time beyond Internal Audit’s assurance services aimed at assisting management in meeting its objectives; 
  • Evaluating and assessing significant merging/consolidating functions and new or changing services, processes, operations and controls coincident with their development, implementation and/or expansion; 
  • Issuing periodic reports to the audit committee and management summarising results of audit activities performed; 
  • Keeping the audit and risk committee informed of emerging trends and successful practices in internal auditing; 
  • Reporting on the outcomes of the investigations reported via the whistle blower, direct or suspected irregularities identified during audits. This reporting is managed outside of the IIA standards; 
  • Allegations relating to asset misappropriation and labour related matters are primarily dealt with by Zimplats Loss Control department and/or Human Resources; 
  • Considering the scope of work of the external auditors and other assurance providers to identify and harness synergies thereof, for optimisation of the assurance provided to Zimplats through the combined assurance framework; and 
  • Establishing a follow-up process to monitor and report to ensure that management actions have been adequately and effectively implemented or, if not implemented, that senior management has accepted the risks and that this acceptance is suitable under the circumstances. 

The primary responsibility of management is to: 

  • Specify the elements of a control framework according to which the company’s control environment can be managed; 
  • Maintain a system of internal control, including proper accounting records and other management information suitable for running the business; 
  • Decide on actions to be taken as a result of Internal Audit’s findings and recommendations; and 
  • Ensure that Internal Audit has direct access and freedom to report to senior management, including the audit committee. 

Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 9 

14. Quality assurance 

The quality assurance and improvement program covers the internal audit aspects of the Internal Audit activity and evaluates the conformance with the definition of internal auditing, the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics. It is governed in terms of its Quality Assurance Team Charter. The program will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement. 

The program includes both internal and external evaluations which assess the effectiveness and efficiency of Internal Audit’s activity and identifies opportunities for improvement. Internal assessments include the on-going monitoring of the performance of the internal audit activity as well as internally focussed self-assessments and peer reviews. External assessments are required at least once every five years by a qualified, independent review team from outside Zimplats. The option of performing an internal assessment with external validation may be used from time-to- time on approval by the audit and risk committee Chairperson. 

The CAE will communicate to senior management and the audit and risk committee on the Internal Audit quality assurance improvement programme, including results of internal assessments (both ongoing and periodic) and external assessments. 

15. Relationship and coordination with external auditors 

Internal Audit systematically co-ordinates its work with that of the other assurance providers, through the combined assurance model (CAM) (King IV Principle 15 Recommended Practices no 40-43). Consistent and regular communication between the CAE and the External Audit Partner is maintained informally through ad-hoc discussions and emails to minimise duplication of audit effort. Specifically, the co-ordination involves: 

  • Periodic discussions on the planned activities (CAM); 
  • The exchange of audit working papers including systems documentation (during engagements where there is scope overlap); 
  • The exchange of management letters (interim and final audits); 
  • The forming of joint teams where appropriate, e.g. IFC reviews; 
  • Internal Audit carrying out certain (financial) audit work, for Internal Financial Controls (IFCs) 
  • Evaluating the quality of the services rendered to Zimplats by the external auditors; and 
  • Other aspects of the relationship between Zimplats and the external auditors. 

Internal Audit reports on its assessment regarding adequacy of the combined assurance approach adopted by the audit and risk committee. This assessment includes the adequacy of risks covered by the different assurance providers and the reliability of the assurance provided. The CAM is a key input to the written assessment on the system of internal control and risk management (King IV Principle 15 Recommended Practices no 59) Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 10 

16. Reporting 

In order to promote the effective operation of this organisational structure, Internal Audit should be supported by a reporting protocol that holds that all reports in terms of factual findings and proposed action are agreed with management of the business unit being audited, before they are submitted to the CFO and CEO. The possible exception is where management fraud is suspected or an investigation is in process. 

Agreement on findings as to whether internal controls are adequate and effective need not be reached with management. Where professional disagreement arises, the CAE records and reports accordingly to responsible management, the CFO, CEO and audit and risk committee Chairperson. The final decision on which findings should be reported to the audit committee rests with the CAE. 

17. Assessment of the effectiveness of Internal Audit 

The audit and risk committee should on an annual basis assess the effectiveness of Internal Audit against the following criteria: 

Independence 

  • Nature / level of the IA activity’s reporting line within the organisation; 
  • Organisational positioning of the CAE for achievement of the internal audit objectives; 
  • Independent Audit reports regarding the risk management and controls in Zimplats; and 
  • Summarised quarterly reports to the audit committee. 

Charter and structure 

  • Annual submission of the Internal Audit charter to the audit committee for discussion and approval; 
  • Content of the Internal Audit activity’s charter and scope of work; 
  • Annual submission of the internal audit plan for discussion and input of the audit and risk committee; 
  • Appropriateness of IA scope of work and the best use of resources; 
  • Credibility and effectiveness of the IA activity; 
  • Attendance of senior management meetings; 
  • Understanding the expectations of the audit and risk committee, the chairperson and accountability; and 
  • Understanding of the organisation’s business and risk environment in relation to key business risks, strategy and audit coverage thereof. 

Skills and experience 

  • Conformance to the IIA Standards; 
  • Appropriate resourcing of the department; 
  • Best practice, international standards and practices; 
  • Team components of the IA activity in terms of knowledge, skills, experience and professionalism; 
  • Level of independence from the activities audited, and confidence of the Audit and Risk Committee; and 
  • Annual plan coverage in terms of the number of projects and relevance. 

Zimplats Holdings Limited Internal Audit Charter 

_______________________________________________________________________________________________ 11 

Performance 

  • Oversight or monitoring functions; 
  • Delivery of value-add audits to the organisation; 
  • Identification, communication, monitoring the status of issues of concern raised, implementation of recommendations as well as communication of repeat findings to the audit and risk committee; 
  • Level of delivery against the audit plan in terms of completeness and timeliness; 
  • Coverage of all priority areas and high-risk areas; 
  • Investigation of all reported allegations; and 
  • Alignment of the IA activity’s priorities to the organisation’s goals, critical business risks / strategic objectives. 

Communication 

  • Availability of the CAE to the audit and risk committee Chairperson and members for consultation and discussions; 
  • Meetings with the audit and risk committee Chairperson and the Board Chairperson; 
  • Response to requests from the audit and risk committee, senior management (e.g. Specials audits, investigations and fraud); 
  • Open communication with the audit and risk committee and the board; 
  • Conflict resolution; 
  • Relevant and clear internal audit reports and papers tabled at the audit and risk committee and the board; 
  • Timeliness of IA reports; 
  • Relevance of reports to the audit and risk committee; and 
  • Effective co-ordination between internal and external audit work performed in line with the overall combined assurance framework 
error: Content is protected !!