« Quality – Fast – Efficiency»

1. Introduction:
CHARTER FOR INTERNAL AUDIT

October 2008
 Charter for Internal Audit

1.Introduction:

This Proposed Corporate Charter intends to spell out the Corporate Policy, Mission , Scope,
Procedures, Relations with External Audit Bodies, Authority and Professional Standards of
Corporate Internal Audit department, which is in accordance with Ministerial order n° 002/07
of 15th February 2007, setting out Government Financial Regulations in Government Semi-and
Autonomous Budget agencies specifically the devolution of internal control responsibilities.
It is also a requirement by law relating to commercial companies in Rwanda to appoint auditors
(internal and external) once the share capital exceeds 5 Million Rwanda Francs.

As if this is not enough, this charter may suggest how best the department can be fully
integrated and supported to achieve its overall objectives, (Coherent Audit function).

2. Background:
Following the external/independent auditor’s findings and recommendations for the financial
year ending 31st Dec.2007 regarding corporate governance and business issues referring to
lack of Internal audit function, Audit committee and Risk management process, which
were ranked with high priority and subsequent management representations confirming the
findings of the report.

As the head of the department, I find it my duty to carry out a study on how best Magerwa can
address the raised issues in the External/Independent auditor’s report concerning this
department.

3. Policy:
Internal Audit is a vital component of the management of the company. It helps the company
by providing independent assurances and by identifying how the company can be made more
efficient.

Therefore, it is the company policy to and should be seen to maintain an internal audit
function, which is an independent, objective assurance and consulting activity designed to add
value and improve an organization’s operations. It helps management accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
risk management and internal control.

To this end, Internal Audit department furnishes (supplies) all levels of the company’s
management with assurances, analyses, agreed action plans or recommendations, counsel and
information concerning the activities reviewed.

It is a best practice and also a requirement of good corporate governance practice for the Head
of Internal Audit to report to the Audit committee of the Board of Directors which oversees the
effective running of the company on behalf of shareholders and other stakeholders; therefore it
is an assurance for the corporate governance on the side of management.

2
 Charter for Internal Audit

Internal Audit is placed under the functional responsibility of the chairperson of the Audit
Committee of the B.O.D.

The audit committee of the B.O.D should be independent of any other committee or
subcommittee of the same B.O.D to avoid impairing the independence of the audit committee.

4. Mission
The general objective of Internal Audit department is to provide to management a reasonable
assurance that the company is operating properly and efficiently. To that end it examines for
those areas described in subheading 5 (Scope) that:
• The company's resources and assets are properly accounted for and safeguarded;
• Financial, Operating, Accounting and other data generated within the company and/or
used for management purposes is accurate and reliable;
• The integrity, reliability, confidentiality and continuous availability of Information
systems is secured;
• The application of risk management procedures and methodologies and the
functioning of internal control are effective.
• Company's policies, procedures and manuals in relation to the above are
adequate/appropriate and complied with;
• The governance, operations and various functions and activities of the company in
those areas described in Subheading 5 are performed efficiently and effectively.

5. Scope
Areas covered by Internal Audit include:

5.1 Financial audit

The financial audit entails verification of the correctness, entirety, legitimacy, provability and
regularity of financial statements, transactions and account balances of revenue, expenditure,
assets and liabilities, including physical verification of tangible fixed assets. As part of the
procedures for financial audit, the internal auditors carry out an evaluation of strengths and
weaknesses in internal financial controls, assess the extent of risk and verify the integrity of
accounting books and records.
On completion of the financial audit, the internal auditor provides an “audit assurance”,
effectively confirming the correctness, entirety, legitimacy, and regularity of financial reports
and transactions as well as the soundness of underlying internal controls and accounting
records. On the other hand, the internal auditor provides a critical commentary of any
weaknesses and deficiency noted, and offer achievable remedial “advice”/ recommendations.

5.2 Compliance audit

Compliance audit involves verification of “adherence” to laws, regulations, policies, standards,
and prescribed procedures in planning, organization, coordination, budgeting, accounting,
financial management and reporting, and thus closely related to financial audit. The major
differences may be seen in the approach to the audit and the sources of required information.
For example, the financial auditor will usually focus on financial numbers and records and
depend heavily on the accounting personnel for the audit information. On the other hand, the

3
 Charter for Internal Audit

compliance auditor will usually extend beyond financial records into administrative and other
records in operational departments thus cross cutting the entire entity (Company).
Usually, the compliance audit results in identification of the aspects of “non-adherence”,
causes of the deviation and implications. The implications may be potential risks or loss and
punitive measures.

5.3. Performance audit.

The primary objective of a performance audit is the assessment of the degree of economy,
efficiency and effectiveness of the audited entity’s human, financial and other resources.

Economy refers to minimizing operating cost without compromising quantity and quality of
operations while efficiency is an assessment of whether the achieved result is commensurate
with the cost incurred – “value for money”.

On the other hand, effectiveness audit assesses the degree of accomplishment of goals with
results measured against objectives. Performance audit will also involve assessment of an
entity’s capacity in terms of resources, systems, organization etc versus the requirements of the
entity’s operations.

The performance auditor will need good understanding of the entity’s nature of activities,
operational processes and organization, to be able to offer the expected high degree of skill,
judgment and interpretation.

Usually, a performance audit should highlight aspects of deficiency, waste and weaknesses
with suggested remedies.

5.4. Risk assessment

This type of audit will involve identification of the different types and sources of risk to the
audited area /department, an assessment of risk likelihood and its impact.

Risk assessment goes beyond financial risks usually assessed as part of the routine financial
audit, and may include risk of fraud, inefficiency or apathy due to poor practice of delegating
authority or seemingly “indispensable” personnel, risk of missing operational goals or
organization’s objectives for various reasons including capacity and skills gaps, risk of cash
flow shortage, stoppage of service due to undue delays to settle supplier invoices, risk of
litigation due to neglect or breaches of contractual obligations or unethical practices etc.

The internal auditor should usually offer recommendations for mitigating the risks – the aim is
to provide assistance and advisory towards preventative measures.

5.5 Systems audit

Systems audit involves evaluation of the appropriateness, of integrity and reliability of a
company’s systems including internal control system, management information system,
IT/computer applications systems. This type of audit requires specialized knowledge and skills
which all department staffs don’t possess right now, it is a basic requirement to first have the
skills and knowledge required prior to performance.

4
 Charter for Internal Audit

The systems audit may be performed as part of a financial audit or separately on its own.
Usually, the internal auditor should provide a positive “assurance” of the systems performance
or identify areas of weaknesses and offer recommendations for improvement.

5.6 Forensic audit

This audit is usually directed at specific cases of suspected or actual irregularities such as
fraud, theft, embezzlement, mismanagement of funds. This type of audit requires specialized
knowledge and skills which all department staffs don’t possess right now; it is a basic
requirement to first have the skills and knowledge required prior to performance.

6. Procedures
6.1 At the beginning of the year, the Head of Internal Audit prepares an annual audit plan
which is approved by the audit committee and reports quarterly on the execution thereof. The
plan is based on a risk-assessment methodology.

The final annual audit plan is approved by the audit Committee, which takes into account the
resources available and who may, after consultation with the Head of Internal Audit, add and
delete items or decide on timing priorities.

Each and every engagement shall be preceded by an audit plan and shall be subject to review
depending upon the nature and type of audit with regard to the magnitude of risk associated
(business & audit risk as well as test of control), they shall be extracted from the annual
audit plan, the annual audit plan shall provide road map for the department.

Investigations regarding fraud and fraudulent behaviour shall be assigned to internal audit
department by either the audit committee or the managing director and will take a special
assignment form, the only reason for this is the annual audit plan is prepared in a standard
form, refer to the audit plan in it’s separate charter.

6.2 In carrying out its tasks, Internal Audit:

• bases itself essentially on the relevant decisions taken by the Management Committee
and the supporting documentation, obtaining advise when legal issues may arise;
• tests the efficiency and effectiveness of existing internal control systems, using, where
relevant, a systems-based or Internal Control Framework approach;
• reports on its findings including all significant weaknesses, shortcomings and
inefficiencies and includes agreed action plans or recommendations to improve control and
working procedures;
• maintains a centralized record on the implementation of agreed action plans and
recommendations that have been agreed to by the management concerned and accepted by
the President who may consult with the Management Committee thereon;
• reports to the President and the Management Committee on actions taken on major
recommendations.

5
 Charter for Internal Audit

• Regarding fraud and fraudulent behaviour investigations, internal auditors shall require
confirmation of incidence occurrence in writing from the concerned / responsible party and
assertions made thereafter.
• The procedures shall require submissions/ representations from audited Directorates
and Services on raised queries consultations where deemed necessary shall be concluded
with the Director General, before a final report is submitted to the Audit Committee.
6.3. Release of an audit report:
• Audit report shall be submitted on a quarterly basis.
• The Directorates involved /under review have the opportunity to comment on the
factual accuracy, the conclusions and the proposals in the report within a given period of
usually not more than 10 working days. Any disagreement with the audit should be explicitly
stated. Failure to comply with the stipulated time framework it shall be considered silence
where there is silence it shall confirm acceptance.
• Agreed actions plans should be formulated wherever feasible and normally within a
period of 10 working days following the issuance of the final report that incorporates the
Directorates comments on the factual accuracy.
• The audit report with agreed action plans is issued to the functional chairman of the
audit committee, and a copy to the Director General for implementation follow up.
• The Management Committee (company senior management) members automatically
receive the summary (the full report is available on request).
• Audit reports are discussed by the Audit Committee in the presence of the Head of
Internal Audit and the staff of the directorate concerned.

6.4. Internal Audit may on a decision of the Director General carry out an ad-hoc evaluations
on specific issues and report back to him.

6.5. The Director General may ask the Head of Internal Audit to take on additional tasks,
which are compatible with the provisions of this Charter.

7. Relations with external audit bodies

7.1 The Head of Internal Audit consults with the Audit Committee during the preparation of
the annual audit plan and presents the approved annual audit plan to it. He is heard regularly
by, the Audit Committee on issues related to the annual audit plan and audit reports. The
Director General is present at these discussions.

7.2 Internal Audit liaises with the external auditors appointed by the company in order to avoid
duplication of effort and to provide maximum coverage of activities.

7.3 Where relevant Internal Audit may co-ordinate its work with other oversight bodies for
example Institute of Certified Public Accountants of Rwanda which is mandated to
organize and regulate the accountancy and audit profession in Rwanda. It is also responsible
for setting National Accounting and Auditing Standards, enforcement of those standards, issue
professional examinations and qualifications in Accountancy, Registration of Professional
Accountants in the country, issuing and enforcing Professional Ethics, and Licensing and
Supervision of Accountants in Public practice.

6
 Charter for Internal Audit

8. Authority
Internal Audit department is authorized unrestricted access to all relevant company's functions,
policy statements, procedures, records and personnel as necessary for the accomplishment of
its mission.
Internal Audit is a staff function and the internal auditors have neither authority nor
responsibility over any of the activities reviewed or the personnel involved.

9. Professional standards

The Internal Auditors are expected to comply with the policy statements issued by the
company, including the Codes of Conduct, professional and ethical standards and the standards
for the Professional Practices of Internal Auditing and Accounting published by the Institute of
Certified Public Accountants Of Rwanda.

10. Staffing and training

10.1. Considering the company size (branches and financial turnover), it’s business
(environmental) risk, the audit and internal control scope, the need for a coherent audit
function assurance to achieve corporate objectives, the current audit staff in the department,
there is a dysfunctional behaviour existing between the parameters elaborated above, hence
requiring deployment of sufficient and skilled staff enabling the company to have close control
and monitoring of company activities.
Management shall determine the actual number of staff to deploy in the department
considering the above functions/ parameters based on a cost–benefit analysis.

10.2. A coherent audit function assurance can only be achieved by having sufficient and skilled
staff who can deliver and acquire required skills and knowledge through internships,coaching,
mentoring and specialised continuous professional development.

10.3 All staffs deployed in the department should be registered at a minimal level and hold
membership to the Institute Of Certified Public Accountants Of Rwanda or any other
Accountancy and Auditing body recognised by IFAC.

11. Safeguarding / protecting whistleblowers against threats.

11.1. In exercising their duties and responsibilities, the internal auditors and controllers take on
the whistleblower’s role in the football playing field.
They are and should be seen to be guided by the following fundamental principles namely:
• Integrity. This means being honest, straight forward and truthfulness in any business
dealings as well as non association of reports, returns and communications or other
information where they believe that the information contains materially false or misleading
statements, contains information supplied recklessly or contains omissions.
• Objectivity. They should not allow bias, conflict of interest or undue influence of
others to override their professional judgment. This is intellectual honesty.

7
 Charter for Internal Audit

• Professional competence and due care. Meaning that their work and advice should
reflect where possible current developments in practice, legislation, applications, techniques
and professional standards. They should acquire and maintain relevant knowledge and skills
to ensure delivery of sound professional and competent service levels. They should act
diligently (with care) in accordance to applicable technical and professional standards,
considering the impacts of their judgments to the best promotion and protection of the
profession.
• Confidentiality. This means that the information acquired during the course of their
business (Professional and business relationships) should be kept secret and not disclosed to
any third party during the entire period of their employment unless there is a legal,
professional right, or duty to disclosure.
• Professional behavior. Meaning that they should comply with all relevant laws and
regulations and avoid any action that might discredit or disrepute the profession.
All the above fundamental principles should not be impaired at any moment and by any body.

11.2. Compliance with these Fundamental Principles may be threatened by the following
threats, and therefore Internal Auditors should be safeguarded from these threats.
• Self Interest: This can be seen in any kind of concern over employment security.
• Self review: This arises when a previous decision needs to be re-evaluated by internal
auditors who played a role in that particular decision. Therefore is seen as if they are
evaluating themselves.
• Advocacy: This occurs when the internal Auditor promotes a particular position or
opinion and his objectivity is subsequently compromised e g stating a given opinion on a
future position and then has to audit that position at a later date when it has changed,
therefore there is a potential pressure to ignore the change.
• Familiarity: This occurs when the internal Auditors become too sympathetic to the
interests of others due to very close relationship.
• Intimidation: This occurs when the internal Auditors are deterred from acting
objectively by threats, actual or perceived, direct or indirect e g. threats of dismissal or
litigations over a disagreement about the application of an accounting principle or the way
(attempt to influence) in which financial and performance information is to be reported.

12. Conclusion
Once this charter is approved by the Board of Directors, it will serve as a guide to the internal
audit function and provide a basis for corporate governance practice.