1. Introduction
The internal audit charter defines the role, associated responsibilities and authority of internal audit including addressing its role within the combined assurance and the internal audit standards to be adopted. (King IV Principle 15 Recommended Practice No 49.)
The internal audit charter must be updated on an annual basis as per the International Standards for the Professional Practice of Internal Auditing (the Standards).
The board assumes responsibility for internal audit by setting the direction for the internal audit arrangements needed to provide objective and relevant assurance that contributes to the effectiveness of governance, risk management and control processes. The board delegates oversight of internal audit to the audit and risk committee. (King IV Principle 15 Recommended Practice No 48.) Executing this responsibility includes the establishment of an internal audit function.
Internal controls are the processes implemented by management aimed at achieving set business objectives through the realisation of the following control objectives:
2. Purpose of the Charter
The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority and responsibility. The internal audit charter establishes the internal audit activity’s positioning within the organisation, including the nature of the Chief Audit Executive’s (being “EY’s Director In Charge’s”) (“the CAE’s”) functional reporting relationship with the board; authorises access to records, personnel, physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the Board.
The internal audit function will govern itself in accordance with the mandatory elements of the Institute of Internal Auditor’s (“the IIA’s”) ten core principles, the definition of internal auditing, the Standards and IIA’s Code of Ethics. The CAE will report periodically to senior management and the board regarding the internal audit function’s conformance to the Code of Ethics and the Standards. The Code of Ethics and Standards are available on request. The IIA Code of Ethics is signed by all internal audit staff on an annual basis and is reported to the audit and risk committee (King IV Principle 15 Recommended Practices no 61). Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 2
3. Core Principles, Definition of Internal Auditing and the IIA’s Code of Ethics
The Core Principles for the Professional Practice of Internal Auditing are the foundation for the International Professional Practices Framework and support internal audit effectiveness.
Internal auditing is defined as an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The internal audit profession is founded on the trust placed in its objective assurance about governance, risk management and control. As such, the IIA’s Code of Ethics, comprising Principles and Rules of Conduct, is necessary and appropriate. Its purpose is to promote an ethical culture in the profession of internal auditing by describing behavioural norms and providing practical applications to guide the ethical conduct of internal auditors.
The IIA’s Code of Ethics serves as a mandatory minimum requirement for conduct and behavioural expectations of internal auditors and should not be seen to supersede Zimplats’ Code of Ethics but rather to support it.
4. Purpose and Mission
The purpose of the internal audit function (“IA”) is to provide independent, objective assurance and consulting services designed to add value and improve Zimplats’ operations.
The mission of IA is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight. IA helps Zimplats to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, compliance, risk management and control processes.
5. Independence and objectivity
The CAE is independent from management and designs and implements controls that are in place and the position carries the necessary authority to deliver on its mandate and to operate in an independent and objective manner. (King IV Principle 15 Recommended Practices no 51.) Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 3
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner in areas such as audit selection, scope, procedures, frequency, timing and report content.
Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, internal auditors will not implement internal controls, develop procedures, install systems, prepare records or engage in any other department that may impair their judgment, including:
To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to senior management and the board.
Threats to independence and objectivity are managed at the individual auditor, engagement, functional and organisational levels. The CAE will ensure that the internal audit department remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the CAE determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to appropriate parties.
Internal auditors must:
The CAE will confirm to the audit and risk committee, at least annually, the organizational independence of the internal audit department.
The CAE will disclose to the audit and risk committee any interference and related implications in determining the scope of internal auditing, performing work and/or communicating results. Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 4
6. Objectives of Internal Audit
The primary objectives of Internal Audit are to provide the following in an independent and objective manner:
In fulfilling its mission, Internal Audit considers:
7. Scope of internal audit activities
The scope of internal audit activities encompasses, but is not limited to, objective examinations of evidence for the purpose of providing independent assessments to the audit and risk committee, management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for Zimplats. Internal audit assessments include evaluating whether:
Opportunities for improving management control, profitability and Zimplats’ image identified during internal audit reviews will be communicated to the appropriate levels of management, for action and implementation. Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 5
The CAE will report periodically to senior management and the audit and risk committee regarding:
The CAE also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The internal audit department may perform advisory and related client service activities, the nature and scope of which will be agreed with Zimplats, provided the internal audit department does not assume management responsibility.
Opportunities for improving the efficiency of governance, risk management and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.
8. Limitation of scope
Any attempted scope limitation by management must be reported, preferably in writing, to the Chief Executive Officer and to the audit and risk committee simultaneously. The question of whether an action from management in fact constitutes a scope limitation is at the judgment of the CAE. Except in cases of suspected fraud, the Chief Executive Officer and the audit and risk committee may decide to accept a limitation of scope. In such instances, the CAE should evaluate whether the circumstances surrounding the scope limitation are still valid and whether the scope limitation needs to be reported again to the Chief Executive Officer and the audit and risk committee for their renewed consideration.
9. Approach
Internal Audit pursues a risk-based approach to planning. The planning takes the form of an assessment of risks and opportunities facing Zimplats and considers the following:
The CAE is ultimately responsible for the work performed by all staff members of Internal Audit (including co-sourced and outsourced work performed). This includes, but is not limited to, the establishment of the scope of activities to be carried out in the different service lines, the tools used and methodologies to be followed, procedures and standards, headcount of the function in the different service lines, required skills, educational levels, experience, etc. for recruitment into the function, decisions on the possible outsourcing or co-sourcing of capacity and related decisions. Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 6
10. Resources
Internal Audit is supported by the audit and risk committee to obtain the necessary skills and resources to address the complexity and volume of risk faced by the organisation through the use of external independent firms of professional service providers. (King IV Principle 15 Recommended Practices no 50)
Internal Audit is responsible for the overall preparation and execution of the internal audit plan and for coordinating/monitoring the co-sourced and outsourced internal audit service commissioned to bring the deliverables of Internal Audit to acceptable levels regarding coverage and skills, as may be applicable.
11. Positioning and reporting
The CAE has a dual-reporting relationship and reports administratively to the Chief Finance Officer, and functionally to the Chairperson of the audit and risk committee. The CAE must confirm to the board at least annually that the independence and objectivity of the function have not been impaired. This comfort is achieved through direct and unrestricted access to, amongst others, the Chief Executive Officer, the Chief Finance Officer, the Chairperson of the board and the Chairperson of the audit and risk committee and members, as well as free and unfettered access to information as and when it may be required for audit and risk purposes. (King IV Principle 15 Recommended Practices no 53 and 56).
The approval of the audit and risk committee is required for the removal or replacement of the CAE and this Committee is responsible for his performance appraisal. (King IV Principle 15 Recommended Practices no 52 and 57). Furthermore, the CAE will have access to the Exco packs and related documentation as well as a brief meeting with the Chief Finance Officer after the Exco meetings. (King IV Principle 15 Recommended Practices no 54).
Internal Audit exercises independence with respect to the divisions it audits and, consequently, is not subject to restriction in the scope of its work by operational or executive management. Furthermore, the Board does not place any restrictions on the scope of the audits, although it is recognised that the audit and risk committee may provide general direction as to the scope of work and the activities to be audited.
The audit and risk committee ensures that Internal Audit is subjected to an independent quality review as and when the Committee determines it appropriate (at least once every 5 years) as a measure to ensure that the function remains effective and accredited. (King IV Principle 15 Recommended Practices no 60)
The independence and objectivity of the function is monitored by the audit and risk committee on an on-going basis to ensure that neither is impaired.
12. Authority
The audit and risk committee establishes the authority and responsibilities of Internal Audit on behalf of the Board.
To establish, maintain and assure that Internal Audit has sufficient authority to fulfil its duties, the audit and risk committee must: Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 7
The CAE and internal audit staff are authorised to:
The CAE and internal audit staff are NOT authorised to:
13. Responsibilities
The CAE and staff deliver on these responsibilities by performing the following:
Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 8
The primary responsibility of management is to:
Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 9
14. Quality assurance
The quality assurance and improvement program covers the internal audit aspects of the Internal Audit activity and evaluates the conformance with the definition of internal auditing, the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics. It is governed in terms of its Quality Assurance Team Charter. The program will also assess the efficiency and effectiveness of Internal Audit and identify opportunities for improvement.
The program includes both internal and external evaluations which assess the effectiveness and efficiency of Internal Audit’s activity and identifies opportunities for improvement. Internal assessments include the on-going monitoring of the performance of the internal audit activity as well as internally focussed self-assessments and peer reviews. External assessments are required at least once every five years by a qualified, independent review team from outside Zimplats. The option of performing an internal assessment with external validation may be used from time-to- time on approval by the audit and risk committee Chairperson.
The CAE will communicate to senior management and the audit and risk committee on the Internal Audit quality assurance improvement programme, including results of internal assessments (both ongoing and periodic) and external assessments.
15. Relationship and coordination with external auditors
Internal Audit systematically co-ordinates its work with that of the other assurance providers, through the combined assurance model (CAM) (King IV Principle 15 Recommended Practices no 40-43). Consistent and regular communication between the CAE and the External Audit Partner is maintained informally through ad-hoc discussions and emails to minimise duplication of audit effort. Specifically, the co-ordination involves:
Internal Audit reports on its assessment regarding adequacy of the combined assurance approach adopted by the audit and risk committee. This assessment includes the adequacy of risks covered by the different assurance providers and the reliability of the assurance provided. The CAM is a key input to the written assessment on the system of internal control and risk management (King IV Principle 15 Recommended Practices no 59) Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 10
16. Reporting
In order to promote the effective operation of this organisational structure, Internal Audit should be supported by a reporting protocol that holds that all reports in terms of factual findings and proposed action are agreed with management of the business unit being audited, before they are submitted to the CFO and CEO. The possible exception is where management fraud is suspected or an investigation is in process.
Agreement on findings as to whether internal controls are adequate and effective need not be reached with management. Where professional disagreement arises, the CAE records and reports accordingly to responsible management, the CFO, CEO and audit and risk committee Chairperson. The final decision on which findings should be reported to the audit committee rests with the CAE.
17. Assessment of the effectiveness of Internal Audit
The audit and risk committee should on an annual basis assess the effectiveness of Internal Audit against the following criteria:
Independence
Charter and structure
Skills and experience
Zimplats Holdings Limited Internal Audit Charter
_______________________________________________________________________________________________ 11
Performance
Communication