Sagar Mahatara

Corporate Lawyer

FDI Lawyer

IP Lawyer


Internal Audit Function in Nepal: Structure, Reporting Lines & Internal Audit Charter Guide

November 4, 2025

Introduction

Short summary: This article explains the purpose and legal context of internal audit in Nepal, proposes practical structures and reporting lines for different types of companies (non-financial corporates, banks & financial institutions, insurers, and listed companies), offers a complete internal audit charter template and drafting tips, and summarizes regulator expectations and good practice for internal audit charters and reporting lines in Nepal.


Why internal audit matters for Nepal companies

Internal audit is a cornerstone of modern corporate governance, internal control and enterprise risk management. In Nepal, regulators and professional bodies expect companies — especially banks, financial institutions, insurers and listed companies — to maintain a robust internal audit function that is independent, adequately resourced, and formally chartered. Internal audit helps boards and audit committees obtain independent assurance about the design and operating effectiveness of internal controls, compliance with laws and policies, risk management, fraud detection and governance processes.

Key regulator guidance and professional workstreams in Nepal — including the Institute of Chartered Accountants of Nepal (ICAN) internal audit guidance, Securities Board of Nepal (SEBON) corporate governance directives, and sectoral regulators (Nepal Rastra Bank for banks, Insurance Board / directives for insurers) — converge on three practical requirements: (1) establish an internal audit function, (2) define clear reporting lines to the Board/Audit Committee, and (3) document the Internal Audit Charter to define mandate, authority and responsibilities.


Legal & regulatory landscape (concise, Nepal-specific)

  • ICAN & professional guidance. The Institute of Chartered Accountants of Nepal (ICAN) has recently published internal audit manuals and is developing standard internal audit guidelines intended to align Nepal practice with international internal audit standards. These are important reference points for internal audit charters and methodology.
  • Securities Board of Nepal (SEBON). SEBON’s corporate governance directives require listed bodies to “make necessary arrangements” for internal audit and set responsibilities for the audit committee to review internal audit findings. This elevates the internal audit role in listed companies’ governance frameworks.
  • Nepal Rastra Bank (NRB). NRB supervision and risk guidance expect banks and financial institutions to maintain an independent internal audit department, with the internal audit report reviewed by the Audit Committee and escalated to the Board for material issues. NRB provides specific internal audit and IS-audit guidance for financial institutions.
  • Insurance sector. Insurance regulators in Nepal have issued directives requiring insurers to establish internal audit functions with minimum organization structures and reporting lines.

These regulator expectations mean that for many Nepal entities, an internal audit is not merely good practice; it is effectively a governance element that regulators expect.


Core functions of internal audit (what the audit charter should mandate)

An internal audit charter and work program should clearly capture the internal audit function’s core responsibilities:

  1. Assurance on internal control systems — assess design and operating effectiveness of financial and operational controls.
  2. Risk-based audits & enterprise risk alignment — plan audits based on risk assessments and the company’s risk appetite.
  3. Compliance testing — verify compliance with laws, regulations, internal policies and regulator directives (NRB/SEBON/Insurance Board requirements where applicable).
  4. IT & IS audit coverage — assess information systems, automated controls and data integrity (with specific IS auditors or third-party specialists when needed).
  5. Fraud risk and forensics liaison — evaluate fraud risk; investigate or co-ordinate with management/forensics where necessary.
  6. Advisory & consulting — provide process improvement recommendations while preserving independence.
  7. Follow-up & closure — track remediation of audit findings and report status to the Audit Committee/Board.

These duties should be spelled out in the audit charter and linked to specific deliverables and KPIs for the CAE (Chief Audit Executive).


Designing the internal audit structure: practical models for Nepal companies

Internal audit structure depends on company size, complexity and regulatory status. Below are practical models you can adopt or adapt:

1. Small / medium non-financial companies (SME / Private companies)

  • Structure: 1–2 internal auditors reporting administratively to the CFO/CEO but with a documented functional reporting line to the Audit Committee/Board.
  • When to co-source: Use co-sourced arrangements with local chartered accountants for technical assignments (IT, tax, compliance).
  • Why: SMEs often lack scale for a full internal audit team but still benefit from regular risk-based review cycles.

2. Large corporates and listed companies

  • Structure: A departmental internal audit headed by a CAE with teams for finance, operations, IT and compliance.
  • Reporting: Direct functional reporting to the Audit Committee and administrative reporting to the CEO or COO. The CAE should have unfettered access to the Board/Audit Committee and to all records and employees. SEBON guidance reinforces audit committee oversight for listed bodies.

3. Banks and financial institutions

  • Structure: A robust Internal Audit Department independent from operations; separate IS audit, credit audit and compliance testing sub-units as needed.
  • Reporting: Internal Audit reports to the Audit Committee; CAE has a dotted/functional relationship with the Board and direct access for material issues. NRB requires internal audit reports to be submitted to the Audit Committee and Board.

4. Insurers

  • Structure: Internal audit with an in-charge and required staff levels stipulated by insurance directives; independent reporting to Audit Committee/Board is mandatory.

Reporting lines and independence — best practice

Independence is the single most important attribute of a credible internal audit function:

  • Functional independence: The internal audit function must have functional reporting to the Board through the Audit Committee. The CAE should confirm independence annually to the Audit Committee. (This is both global best practice and reflected in local manuals and ICAN guidance.)
  • Administrative reporting: For practicality, the CAE may report administratively to the CEO/COO for budget, HR and logistics, but must not report administratively to the CFO or to the head of any function that internal audit frequently reviews (to avoid conflicts of interest).
  • Access & authority: The charter should grant internal audit unrestricted access to records, personnel, properties and the right to obtain any information and explanations. Audit staff should have authority to engage external specialists.
  • Audit Committee relationship: The Audit Committee should approve the annual internal audit plan, review major findings (and management action plans), and be involved in CAE appointment/compensation decisions when necessary. Regulators (NRB, SEBON) place emphasis on this committee interaction.

Internal Audit Charter — what to include

Below is a concise but legally defensible structure for an internal audit charter that fits Nepal companies. (After the article I provide a downloadable template snippet you can paste into Word/WordPress.)

1. Purpose / Mission
State the mission: independent, objective assurance and consulting activity that adds value and improves the company’s operations.

2. Authority

  • CAE and internal audit staff have unrestricted access to all functions, records, personnel and physical properties.
  • Authority to obtain external specialist services where necessary.
  • Right to report directly to the Audit Committee/Board.

3. Organizational status & reporting lines

  • Administrative reporting line (e.g., CEO) and functional reporting line (Audit Committee / Board).
  • Statement that internal audit is independent from the activities it audits.

4. Scope of work

  • Financial, operational, compliance, IT & system audits, fraud-related reviews, follow-up and advisory services.
  • Right to review any activity within the company or group subsidiaries (specify scope across affiliates).

5. Responsibilities

  • Develop risk-based audit plan, perform engagements, report results, follow up remediation.
  • Implement quality assurance program, maintain professional development and standards compliance.
  • CAE to present annual report to Audit Committee.

6. Standards of practice / Professionalism

  • Conformance with The IIA’s Global Internal Audit Standards and ICAN guidance (or locally adopted equivalent).

7. Independence & objectivity safeguards

  • Restrictions on audit staff duties outside internal audit, mandatory rotation for key audit staff where feasible, disclosure of conflicts.

8. Reporting & escalation

  • Reporting templates, thresholds for escalation to Audit Committee and Board, timelines for management responses and remediation follow-up.

9. Quality assurance & improvement program

  • Internal periodic reviews and plan for external quality assessment every 3–5 years.

10. Charter review

  • CAE to review annually and submit revisions to Audit Committee/Board for approval.

Include annexes: audit plan approval log, sample reporting templates, key performance indicators (KPIs).

(See ICAN internal audit manual for further methodology points and audit documentation expectations.)


Draft wording: short Internal Audit Charter clause (copy-paste friendly)

Internal Audit Charter — Sample Clause (short)
The Internal Audit Function is established by the Board of Directors to provide independent, objective assurance and consulting services designed to add value and improve the company’s operations. The Chief Audit Executive (CAE) reports functionally to the Audit Committee of the Board and administratively to the Chief Executive Officer. Internal Audit has unrestricted access to all company records, systems, personnel, and physical properties and is authorized to obtain assistance from within or outside the company as necessary. Internal Audit will perform its work in accordance with applicable professional standards and will submit an annual internal audit plan to the Audit Committee for approval.


Practical tips for drafting & implementing your audit charter in Nepal

  1. Tailor regulatory paragraphs: If you are a bank, insurer or listed company, add a clause explicitly stating compliance with NRB/Insurance Board/SEBON directives. Cite the specific regulation/directive date/version in a schedule.
  2. Link to board minutes: When the Board approves the charter, record the resolution and attach the signed charter to the Board minutes to strengthen governance evidence.
  3. Define KPIs: frequency of audits completed, percentage of high-risk areas covered, closure rate of recommendations, time to close critical issues.
  4. Resource plan: Include provisions for co-sourcing / external specialists for IT, valuation, forensic engagements. This is commonly used in Nepal.
  5. Training & qualification: Require internal auditors to maintain professional certification or continuous professional education; align training with ICAN/IIA or international standards.

Reporting

  • Monthly: Executive summary for senior management (top 5 issues).
  • Quarterly: Detailed report to Audit Committee — findings, risk rating, management action plans, remediation status.
  • Annually: Internal Audit Annual Report to Board/Audit Committee — summary of assurance coverage, key trends, observations, independence confirmation, QA results.

Include templates for (a) audit engagement report, (b) management action plan (owner, timeline), (c) remediation tracker — these operationalize the charter.


Enforcement & accountability — what to do when management resists

When internal audit findings are resisted or management delays remediation:

  1. Escalate to the Audit Committee with documented evidence and a recommended remediation deadline.
  2. If unresolved, the CAE should escalate to the Board. The charter should allow direct Board contact for unresolved, high-risk findings.
  3. Regulatory escalation: For banks, insurers and listed companies, unresolved serious issues may need to be reported to NRB, Insurance Board or SEBON depending on applicable laws and the severity of compliance/regulatory violations.

FAQs

Q1: Is internal audit mandatory for all Nepal companies?
A: Not universally mandatory for every private company, but sectoral regulators and SEBON expect internal audit for banks, financial institutions, listed companies and insurers; ICAN guidance and corporate governance codes guide broader adoption. For listed companies and regulated entities internal audit is effectively required.

Q2: Who appoints the Chief Audit Executive (CAE)?
A: The CAE is typically appointed by the Board on the recommendation of the Audit Committee; the appointment and removal process should involve the Audit Committee to protect independence.

Q3: Can internal audit report to CFO?
A: Administrative reporting to the CFO is discouraged for independence reasons. If administrative reporting exists, the charter must ensure functional reporting and unrestricted access to the Audit Committee and Board.

Q4: What professional standards should Nepal internal audit follow?
A: Internal auditors in Nepal should follow The IIA’s Global Internal Audit Standards or ICAN guidance and local manuals (ICAN’s Internal Audit Manual).

Q5: How often should the charter be reviewed?
A: At least annually, or earlier if regulatory or organizational changes occur.
