Purpose
GIAS requires the Chief Audit Executive (CAE) to develop and maintain an Internal Audit Charter.
This Charter establishes the purpose, authority, and responsibilities for the internal audit service for the Northern Ireland Audit Office (NIAO).
The Charter should be viewed as flexible and evolving; the CAE welcomes any further input from the Audit and Risk Assurance Committee (the Committee) and senior management to ensure that the Charter continues to reflect stakeholder and organisational need.
The Committee, acting under its delegated powers, must approve the Charter on behalf of the NIAO.
Reflecting good practice, the CAE will formally review, update and seek reapproval of the Charter each year.
Mission of Internal Audit
“Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.” - Institute of Internal Auditors
Internal audit is a key part of the assurance cycle for your organisation and, if used appropriately, can assist in informing and updating the risk profile of the organisation.
The internal audit service will plan and perform its work with a view to reviewing and evaluating the risk management, control, and governance arrangements that the organisation has in place, focusing on how these arrangements help you to achieve your objectives.
Compliance
We are committed to, and conform with, GIAS in the UK Public Sector.
To comply with GIAS in the UK Public Sector your CAE will continue to provide an annual report and conclusion in respect of the effectiveness of governance, risk management and internal control.
When providing the annual opinion, we will also report upon conformance with GIAS and the results of our Internal Quality Assessment (IQA), progress to address any action points arising, and when appropriate the results of our External Quality Assessment (EQA). An EQA is undertaken every five years.
We will also provide confirmation of our continued independence and communicate any incidents where independence may have been impacted, and the actions or safeguards employed to address the impairment.
Chief Audit Executive (CAE)
Your CAE is:
Name: Lee Glover FCCA
Email: lee.glover@validera.co.uk
Lee is FCCA qualified, has over 25 years' internal audit experience gained across a range of sectors, including 20 years in education, and is Chair of the ACCA Internal Audit Panel, therefore meeting the GIAS expectation that the CAE is suitably qualified and experienced.
Independence and Ethics
As an outsourced provider, Validera and our team members demonstrate and exercise independence; we have controls in place to ensure that this independence is maintained throughout the life of our contracts.
To provide for the independence of the internal audit team, our personnel report directly to Lee Glover, Director, acting as your CAE.
The independence of Validera as your provider is assured by reporting to Dorinnia Carville, Comptroller and Auditor General, with day-to-day responsibility for the management of our relationship handled by Brian O'Neill, Director of Corporate Services supported by Anu Kane, Corporate Services Manager, and with Lee Glover having direct unrestricted access to Dean Sullivan, Audit, Risk and Assurance Committee (ARAC) Chairman, to whom any immediate concerns can be escalated should it be required.
Conflicts of interest may arise where Validera provides services other than internal audit, or provides services to key suppliers, customers, and stakeholders. Validera provides access to a wide range of expertise that may be beneficial to our clients, and it is therefore important to facilitate this support whilst ensuring we demonstrate independence.
Where there is potential for perceived conflict, measures will be taken to avoid or manage such situations in an open and transparent manner, so that there is no real threat or impairment to our independence in providing the internal audit service.
Authority and Responsibilities
In providing the internal audit service, Validera is authorised to:
- Have unrestricted access to all functions, records, property, and personnel which it considers necessary to fulfil its function.
- Have full and free access to the Committee.
- Allocate resources, set timeframes, define review areas, develop scopes of work, and apply techniques to accomplish the overall internal audit objectives.
- Obtain the required assistance from personnel within the organisation where audits will be performed, including other specialised services from within or outside the organisation.
In providing the internal audit service, Validera is not authorised to:
- Perform any operational duties associated with the organisation.
- Initiate or approve accounting transactions on behalf of the organisation.
- Direct the activities of any employee not employed by Validera unless specifically seconded to internal audit.
In providing the internal audit service, Validera has responsibility to:
- Undertake an Audit Needs Assessment in conjunction with management and Committee to develop a flexible and risk-based Internal Audit Strategy and Annual Audit Plan for Committee consideration and approval prior to commencement.
- Implement the Annual Audit Plan as approved, including additional tasks requested by management and Committee.
- Provide a professional team of sufficient knowledge, skills, and experience.
- Establish a Quality Assurance & Improvement Program to ensure the quality and effective operation of internal audit.
- Bring a systematic, disciplined approach to evaluate and report on the effectiveness of risk management, governance and internal control processes.
- Highlight weaknesses, discuss solutions and recommend corrective actions.
- Review actions taken by management (follow up) to ensure implementation of agreed actions.
- Provide regular performance information concerning our service.
- Liaise as appropriate with the external auditor.
Protocol and Performance
We have discussed client care, standards and protocol and propose the following:
- Timing of audit work to be agreed with management and any key issues discussed immediately.
- We will contact the lead auditee to confirm logistical arrangements at least two weeks before the planned audit date.
- Draft Audit Briefs (terms of reference) to be issued by Validera two weeks in advance of audit work.
- We will provide regular feedback on the audit to both the auditee and nominated client contact for the co-ordination of internal audit.
- We will facilitate a feedback meeting to discuss findings at the end of each audit with the auditee and nominated client contact within a reasonable time frame.
- Draft Reports will be issued by Validera to the agreed distribution list within two weeks following formal feedback meeting(s) or receipt of final evidence.
- Management responses to Draft Reports will be provided within two weeks; these will be agreed through the executive team before being provided to us.
- Final Reports will be issued by Validera to the agreed distribution list within five working days of agreed management responses.
- We will respond to general enquiries for assistance within two working days.
- We will respond to emergencies such as concerns of potential fraud within one working day.
To deliver our services to the right quality and standard we require full cooperation from key stakeholders and relevant business areas to ensure a smooth delivery of the plan.
We will implement and regularly report to Committee against Key Performance Indicators (KPIs) which monitor the delivery of our service; these will be included within our Progress Reports.
Reporting
Assignment reports will be issued in draft for comment by management and subsequently issued as final to both management and Committee. Final reports will contain an action plan to address weaknesses of significance identified by the audit.
After the financial year end, we will provide our annual opinion on the adequacy and effectiveness of governance, risk management and internal control arrangements. In giving our opinion, it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in risk management, governance, and internal control processes.
The reports and opinions of internal audit are part of the framework of assurance that assists the Board in taking decisions and managing risk, and should inform your annual governance statements.
Data Protection
The NIAO authorises Validera to have access to all necessary documentation needed to carry out our duties.
Validera has a Data Protection Policy and suitable suite of Information Governance procedures in place which all staff are required to comply with; non-compliance is treated as gross misconduct.
Internal audit files need to include sufficient, reliable, and relevant evidence in order to support our findings and conclusions. Personal data is not shared with unauthorised persons unless there is a valid and lawful requirement to do so.
The NIAO agrees that Validera may share information from our files with their external auditors to ensure the optimal use of audit resources. The external auditor is solely responsible for any conclusions they may reach based upon the review of internal audit work. It is also acknowledged by the NIAO that Validera may have a legal or ethical obligation to share information.
Fraud
The NIAO recognises that management is responsible for controls to reasonably prevent and detect fraud. Furthermore, the NIAO recognises that internal audit is not responsible for identifying fraud; however, internal audit will assess the risk of fraud and be aware of the risk of fraud when planning and undertaking its work.