Magerwa Internal Audit Charter

« Quality – Fast – Efficiency»

1. Introduction:

CHARTER FOR INTERNAL AUDIT

October 2008

Charter for Internal Audit

1.Introduction:

This Proposed Corporate Charter intends to spell out the Corporate Policy, Mission , Scope, Procedures, Relations with External Audit Bodies, Authority and Professional Standards of Corporate Internal Audit department, which is in accordance with Ministerial order n° 002/07 of 15th February 2007, setting out Government Financial Regulations in Government Semi-and Autonomous Budget agencies specifically the devolution of internal control responsibilities.It is also a requirement by law relating to commercial companies in Rwanda to appoint auditors (internal and external) once the share capital exceeds 5 Million Rwanda Francs.

As if this is not enough, this charter may suggest how best the department can be fully integrated and supported to achieve its overall objectives, (Coherent Audit function).

2. Background:

Following the external/independent auditor’s findings and recommendations for the financial year ending 31st Dec.2007 regarding corporate governance and business issues referring to lack of Internal audit function, Audit committee and Risk management process, which were ranked with high priority and subsequent management representations confirming the findings of the report.

As the head of the department, I find it my duty to carry out a study on how best Magerwa can address the raised issues in the External/Independent auditor’s report concerning this department.

3. Policy:

Internal Audit is a vital component of the management of the company. It helps the company by providing independent assurances and by identifying how the company can be made more efficient.

Therefore, it is the company policy to and should be seen to maintain an internal audit function, which is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps management accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management and internal control.

To this end, Internal Audit department furnishes (supplies) all levels of the company’s management with assurances, analyses, agreed action plans or recommendations, counsel and information concerning the activities reviewed.

It is a best practice and also a requirement of good corporate governance practice for the Head of Internal Audit to report to the Audit committee of the Board of Directors which oversees the effective running of the company on behalf of shareholders and other stakeholders; therefore it is an assurance for the corporate governance on the side of management.

Internal Audit is placed under the functional responsibility of the chairperson of the Audit Committee of the B.O.D.

2


The audit committee of the B.O.D should be independent of any other committee or subcommittee of the same B.O.D to avoid impairing the independence of the audit committee.

4. Mission

The general objective of Internal Audit department is to provide to management a reasonable assurance that the company is operating properly and efficiently. To that end it examines for those areas described in subheading 5 (Scope) that:

The company's resources and assets are properly accounted for and safeguarded; Financial, Operating, Accounting and other data generated within the company and/or

used for management purposes is accurate and reliable; The integrity, reliability, confidentiality and continuous availability of Information

systems is secured; The application of risk management procedures and methodologies and the

functioning of internal control are effective. Company's policies, procedures and manuals in relation to the above are

adequate/appropriate and complied with; The governance, operations and various functions and activities of the company in

those areas described in Subheading 5 are performed efficiently and effectively.

5. Scope

Areas covered by Internal Audit include:

5.1 Financial audit The financial audit entails verification of the correctness, entirety, legitimacy, provability and regularity of financial statements, transactions and account balances of revenue, expenditure, assets and liabilities, including physical verification of tangible fixed assets. As part of the procedures for financial audit, the internal auditors carry out an evaluation of strengths and weaknesses in internal financial controls, assess the extent of risk and verify the integrity of accounting books and records.On completion of the financial audit, the internal auditor provides an “audit assurance”, effectively confirming the correctness, entirety, legitimacy, and regularity of financial reports and transactions as well as the soundness of underlying internal controls and accounting records. On the other hand, the internal auditor provides a critical commentary of any weaknesses and deficiency noted, and offer achievable remedial “advice”/ recommendations.

5.2 Compliance audit Compliance audit involves verification of “adherence” to laws, regulations, policies, standards, and prescribed procedures in planning, organization, coordination, budgeting, accounting, financial management and reporting, and thus closely related to financial audit. The major differences may be seen in the approach to the audit and the sources of required information. For example, the financial auditor will usually focus on financial numbers and records and depend heavily on the accounting personnel for the audit information. On the other hand, the compliance auditor will usually extend beyond financial records into administrative and other records in operational departments thus cross cutting the entire entity (Company).

3


Usually, the compliance audit results in identification of the aspects of “non-adherence”, causes of the deviation and implications. The implications may be potential risks or loss and punitive measures.

5.3. Performance audit.The primary objective of a performance audit is the assessment of the degree of economy, efficiency and effectiveness of the audited entity’s human, financial and other resources.

Economy refers to minimizing operating cost without compromising quantity and quality of operations while efficiency is an assessment of whether the achieved result is commensurate with the cost incurred – “value for money”.

On the other hand, effectiveness audit assesses the degree of accomplishment of goals with results measured against objectives. Performance audit will also involve assessment of an entity’s capacity in terms of resources, systems, organization etc versus the requirements of the entity’s operations.

The performance auditor will need good understanding of the entity’s nature of activities, operational processes and organization, to be able to offer the expected high degree of skill, judgment and interpretation.

Usually, a performance audit should highlight aspects of deficiency, waste and weaknesses with suggested remedies.

5.4. Risk assessment This type of audit will involve identification of the different types and sources of risk to the audited area /department, an assessment of risk likelihood and its impact.

Risk assessment goes beyond financial risks usually assessed as part of the routine financial audit, and may include risk of fraud, inefficiency or apathy due to poor practice of delegating authority or seemingly “indispensable” personnel, risk of missing operational goals or organization’s objectives for various reasons including capacity and skills gaps, risk of cash flow shortage, stoppage of service due to undue delays to settle supplier invoices, risk of litigation due to neglect or breaches of contractual obligations or unethical practices etc.

The internal auditor should usually offer recommendations for mitigating the risks – the aim is to provide assistance and advisory towards preventative measures.

5.5 Systems auditSystems audit involves evaluation of the appropriateness, of integrity and reliability of a company’s systems including internal control system, management information system, IT/computer applications systems. This type of audit requires specialized knowledge and skills which all department staffs don’t possess right now, it is a basic requirement to first have the skills and knowledge required prior to performance.

The systems audit may be performed as part of a financial audit or separately on its own. Usually, the internal auditor should provide a positive “assurance” of the systems performance or identify areas of weaknesses and offer recommendations for improvement.

4


5.6 Forensic auditThis audit is usually directed at specific cases of suspected or actual irregularities such as fraud, theft, embezzlement, mismanagement of funds. This type of audit requires specialized knowledge and skills which all department staffs don’t possess right now; it is a basic requirement to first have the skills and knowledge required prior to performance.

6. Procedures

6.1 At the beginning of the year, the Head of Internal Audit prepares an annual audit plan which is approved by the audit committee and reports quarterly on the execution thereof. The plan is based on a risk-assessment methodology.

The final annual audit plan is approved by the audit Committee, which takes into account the resources available and who may, after consultation with the Head of Internal Audit, add and delete items or decide on timing priorities.

Each and every engagement shall be preceded by an audit plan and shall be subject to review depending upon the nature and type of audit with regard to the magnitude of risk associated (business & audit risk as well as test of control), they shall be extracted from the annual audit plan, the annual audit plan shall provide road map for the department.

Investigations regarding fraud and fraudulent behaviour shall be assigned to internal audit department by either the audit committee or the managing director and will take a special assignment form, the only reason for this is the annual audit plan is prepared in a standard form, refer to the audit plan in it’s separate charter.

6.2 In carrying out its tasks, Internal Audit:

bases itself essentially on the relevant decisions taken by the Management Committee and the supporting documentation, obtaining advise when legal issues may arise;

tests the efficiency and effectiveness of existing internal control systems, using, where relevant, a systems-based or Internal Control Framework approach;

reports on its findings including all significant weaknesses, shortcomings and inefficiencies and includes agreed action plans or recommendations to improve control and working procedures;

maintains a centralized record on the implementation of agreed action plans and recommendations that have been agreed to by the management concerned and accepted by the President who may consult with the Management Committee thereon;

reports to the President and the Management Committee on actions taken on major recommendations.

Regarding fraud and fraudulent behaviour investigations, internal auditors shall require confirmation of incidence occurrence in writing from the concerned / responsible party and assertions made thereafter.

5


The procedures shall require submissions/ representations from audited Directorates and Services on raised queries consultations where deemed necessary shall be concluded with the Director General, before a final report is submitted to the Audit Committee.

6.3. Release of an audit report: Audit report shall be submitted on a quarterly basis. The Directorates involved /under review have the opportunity to comment on the

factual accuracy, the conclusions and the proposals in the report within a given period of usually not more than 10 working days. Any disagreement with the audit should be explicitly stated. Failure to comply with the stipulated time framework it shall be considered silence where there is silence it shall confirm acceptance.

Agreed actions plans should be formulated wherever feasible and normally within a period of 10 working days following the issuance of the final report that incorporates the Directorates comments on the factual accuracy.

The audit report with agreed action plans is issued to the functional chairman of the audit committee, and a copy to the Director General for implementation follow up.

The Management Committee (company senior management) members automatically receive the summary (the full report is available on request).

Audit reports are discussed by the Audit Committee in the presence of the Head of Internal Audit and the staff of the directorate concerned.

6.4. Internal Audit may on a decision of the Director General carry out an ad-hoc evaluations on specific issues and report back to him.

6.5. The Director General may ask the Head of Internal Audit to take on additional tasks, which are compatible with the provisions of this Charter.

7. Relations with external audit bodies

7.1 The Head of Internal Audit consults with the Audit Committee during the preparation of the annual audit plan and presents the approved annual audit plan to it. He is heard regularly by, the Audit Committee on issues related to the annual audit plan and audit reports. The Director General is present at these discussions.

7.2 Internal Audit liaises with the external auditors appointed by the company in order to avoid duplication of effort and to provide maximum coverage of activities.

7.3 Where relevant Internal Audit may co-ordinate its work with other oversight bodies for example Institute of Certified Public Accountants of Rwanda which is mandated to organize and regulate the accountancy and audit profession in Rwanda. It is also responsible for setting National Accounting and Auditing Standards, enforcement of those standards, issue professional examinations and qualifications in Accountancy, Registration of Professional Accountants in the country, issuing and enforcing Professional Ethics, and Licensing and Supervision of Accountants in Public practice.

8. Authority

6


Internal Audit department is authorized unrestricted access to all relevant company's functions, policy statements, procedures, records and personnel as necessary for the accomplishment of its mission. Internal Audit is a staff function and the internal auditors have neither authority nor responsibility over any of the activities reviewed or the personnel involved.

9. Professional standards The Internal Auditors are expected to comply with the policy statements issued by the company, including the Codes of Conduct, professional and ethical standards and the standards for the Professional Practices of Internal Auditing and Accounting published by the Institute of Certified Public Accountants Of Rwanda.

10. Staffing and training

10.1. Considering the company size (branches and financial turnover), it’s business (environmental) risk, the audit and internal control scope, the need for a coherent audit function assurance to achieve corporate objectives, the current audit staff in the department, there is a dysfunctional behaviour existing between the parameters elaborated above, hence requiring deployment of sufficient and skilled staff enabling the company to have close control and monitoring of company activities.Management shall determine the actual number of staff to deploy in the department considering the above functions/ parameters based on a cost–benefit analysis.

10.2. A coherent audit function assurance can only be achieved by having sufficient and skilled staff who can deliver and acquire required skills and knowledge through internships,coaching, mentoring and specialised continuous professional development.

10.3 All staffs deployed in the department should be registered at a minimal level and hold membership to the Institute Of Certified Public Accountants Of Rwanda or any other Accountancy and Auditing body recognised by IFAC.

11. Safeguarding / protecting whistleblowers against threats.

11.1. In exercising their duties and responsibilities, the internal auditors and controllers take on the whistleblower’s role in the football playing field.They are and should be seen to be guided by the following fundamental principles namely:

Integrity. This means being honest, straight forward and truthfulness in any business dealings as well as non association of reports, returns and communications or other information where they believe that the information contains materially false or misleading statements, contains information supplied recklessly or contains omissions.

Objectivity. They should not allow bias, conflict of interest or undue influence of others to override their professional judgment. This is intellectual honesty.

Professional competence and due care. Meaning that their work and advice should reflect where possible current developments in practice, legislation, applications, techniques and professional standards. They should acquire and maintain relevant knowledge and skills to ensure delivery of sound professional and competent service

7


levels. They should act diligently (with care) in accordance to applicable technical and professional standards, considering the impacts of their judgments to the best promotion and protection of the profession.

Confidentiality. This means that the information acquired during the course of their business (Professional and business relationships) should be kept secret and not disclosed to any third party during the entire period of their employment unless there is a legal, professional right, or duty to disclosure.

Professional behavior. Meaning that they should comply with all relevant laws and regulations and avoid any action that might discredit or disrepute the profession.

All the above fundamental principles should not be impaired at any moment and by any body.

11.2. Compliance with these Fundamental Principles may be threatened by the following threats, and therefore Internal Auditors should be safeguarded from these threats.

Self Interest: This can be seen in any kind of concern over employment security. Self review: This arises when a previous decision needs to be re-evaluated by internal

auditors who played a role in that particular decision. Therefore is seen as if they are evaluating themselves.

Advocacy: This occurs when the internal Auditor promotes a particular position or opinion and his objectivity is subsequently compromised e g stating a given opinion on a future position and then has to audit that position at a later date when it has changed, therefore there is a potential pressure to ignore the change.

Familiarity: This occurs when the internal Auditors become too sympathetic to the interests of others due to very close relationship.

Intimidation: This occurs when the internal Auditors are deterred from acting objectively by threats, actual or perceived, direct or indirect e g. threats of dismissal or litigations over a disagreement about the application of an accounting principle or the way (attempt to influence) in which financial and performance information is to be reported.

12. Conclusion

Once this charter is approved by the Board of Directors, it will serve as a guide to the internal audit function and provide a basis for corporate governance practice.

8

Documents

Magerwa Internal Audit Charter