IPPF in practice: why 80% of internal-audit charters don’t hold up
Opening — the charter that wasn’t worth the paper
Karim, newly-appointed Chief Audit Executive of a listed industrial group (12 sites, 4,800 staff), meets his audit committee in two weeks. On his desk: the internal-audit charter signed six years ago by his predecessor. Three pages, around twenty sentences. He re-reads it. Something is off, but what?
He runs the IIA test: he compares it line-by-line with Standard 1000 (Purpose, Authority and Responsibility) of the International Professional Practices Framework (IPPF). Verdict: the charter claims independence, but it does not specify the reporting line (to the CEO? to the audit committee?), the unrestricted access to records, personnel and physical property, or the periodic-review process. Without these clauses, the function is contestable.
The framework on one page
The IPPF has two blocks: Mandatory Guidance (binding on every CIA) and Recommended Guidance.
| Block | Components | Status |
|---|---|---|
| Mandatory | Mission · Core Principles · Code of Ethics · Standards | Binding |
| Recommended | Implementation Guidance · Supplemental Guidance | Advisory |
The audit charter — the cornerstone
Standard 1000 requires four clauses in the charter:
- Mission of internal audit — role, purpose, scope.
- Authority — access to records, property, personnel, without restriction.
- Responsibility — limits, independence, duty to communicate.
- Approval — by the audit committee, with formal periodic review.
A charter missing any of these four pillars is technically non-compliant with the IPPF. A CAE who signs engagements under such a charter puts their certification at risk.
IIA Code of Ethics — four principles
IIA ethics rests on four principles (not to be confused with the seven ISACA provisions — a recurring transfer trap):
- Integrity — the foundation of trust
- Objectivity — avoid any conflict of interest
- Confidentiality — no unauthorised disclosure
- Competency — knowledge, skills and experience
How Karim rewrote the charter in two weeks
Karim applied the IIA "charter gap analysis" in four steps:
1. Align on the Mission statement published by the IIA (drafted to be lifted verbatim into the charter).
2. Map Standards 1000-1130 against existing clauses to identify gaps.
3. Present the diff to the audit committee with operational impact per clause.
4. Obtain approval of the revised version and define a mandatory annual review.
Result: a compliant charter, unanimous sign-off, and — bonus — extended access to audit Board-level M&A decisions.
Key takeaways
- The IPPF splits into mandatory (Mission, Core Principles, Code, Standards) and recommended (Implementation, Supplemental).
- The charter is mandatory (Standard 1000) and must contain the four clauses above.
- The IIA Code of Ethics rests on four principles: integrity, objectivity, confidentiality, competency.
- Independence is proven by reporting line and access — not by declaration.
