Internal Audit Function in Nepal: Structure, Reporting Lines & Internal Audit Charter (Guide for Boards & Audit Committees)
Introduction
The internal audit function is a key pillar of corporate governance and risk management for Nepal companies. It provides independent assurance over governance, risk management, internal control and compliance. This article explains the structure of an effective internal audit function, the appropriate reporting lines, and the essential content and legal context for an internal audit charter in Nepal. It draws on the Companies Act, regulator directives (SEBON, Nepal Rastra Bank), and professional guidance such as the Institute of Chartered Accountants of Nepal (ICAN) manuals and international internal auditing standards.
1. Why the internal audit function matters in Nepal
Internal audit delivers independent, objective assurance and consulting designed to add value and improve an organization’s operations. For Nepalese companies — especially public, financial-sector and listed companies — internal audit supports:
- Compliance with statutory and regulator requirements (Companies Act and sectoral directives).
- Oversight by the board and audit committee of the company’s internal financial control and risk management systems.
- Identification and remediation of control weaknesses, fraud risk, governance gaps, and IS/IT vulnerabilities (growing importance as businesses digitize).
Regulators in Nepal increasingly emphasize internal audit and audit committee effectiveness — for example SEBON’s good governance directives and NRB’s long-standing internal audit requirements for financial institutions. Compliance with these expectations reduces regulatory risk and strengthens investor confidence.
2. Legal & regulatory framework in Nepal
Key references companies and audit committees should know:
- Companies Act, 2063 (2006) — creates duties for audit committees, including review of internal financial control and supervision of internal audit activities, for companies where such a committee is required. The Act sets minimum composition and qualification requirements for audit committees.
- Securities Board of Nepal (SEBON) directives — “Directives on Good Corporate Governance” require listed companies to arrange internal audit activities and to maintain an effective audit committee and internal control mechanisms.
- Nepal Rastra Bank (NRB) directives / Unified Directives — for banks and financial institutions the NRB has detailed long-form audit and internal audit reporting requirements and expects internal audit to report major observations to the audit committee and board.
- Institute of Chartered Accountants of Nepal (ICAN) — issues Internal Audit Manual and guidance (2025 manual) aligning local practice with international internal auditing standards. Professional guidance is useful when drafting charters and developing audit methodology.
- International Standards (IIA) — The Institute of Internal Auditors’ International Professional Practices Framework (IPPF) remains the global benchmark for internal audit charters, independence, and quality assurance. Use internationally recognized standards as normative guidance when local law is silent.
(When building or revising internal audit frameworks, cross-map local law + regulator directives + ICAN/IIA standards.)
3. Core elements of an internal audit function structure
A practical internal audit structure for Nepal companies should reflect size, risk profile and regulatory status. Typical models:
- Small companies / low complexity
  - One or two in-house internal auditors reporting to the CFO for administrative matters but with direct access to the audit committee and board for assurance independence.
  - Use external specialists for IT or forensic audits.
- Medium companies
  - Internal Audit Department (IAD) with a Head of Internal Audit (Chief Audit Executive — CAE), 2–6 auditors.
  - Functional units: financial audits, operational audits, compliance audits, IT/IS audits, and special investigations.
  - An annual audit plan approved by the audit committee.
- Large companies / listed companies / financial institutions
  - Full-scale Internal Audit Division led by the CAE (senior management grade) with specialized teams (IT audit, forensic, regulatory/compliance, operational, SOX-type control testing where applicable).
  - A quality assurance and improvement program (QAIP) aligned with IIA standards.
  - Internal audit reporting directly to the audit committee for independence (administrative reporting to the CEO/MD for HR/payroll only).
Span of control & resourcing: The internal audit head should have the authority to determine resource needs, including external hire/contract specialists, and to escalate unresolved control failures to the audit committee.
4. Recommended reporting lines and independence safeguards
Best practice reporting relationships (Nepal context):
- Primary reporting line (functional independence): CAE → Chair of Audit Committee (and audit committee). This gives independence for assurance work and direct escalation to the board.
- Administrative reporting (management/HR matters): CAE → CEO/Managing Director or CFO for budgetary and HR administration only (not for audit assignment or results). Document this split in the internal audit charter.
- Direct access: CAE must have unfettered access to the board, audit committee and company records. The charter should guarantee this access and protection from retaliation.
Audit committee duties regarding internal audit (Companies Act / good practice): review internal audit scope and effectiveness, oversee appointment/termination of the CAE, approve the audit plan, and review audit findings and management’s remediation plans. These duties are legally required or strongly recommended depending on company type.
Independence safeguards to codify:
- No line management responsibility over operational activities that are audited.
- Audit assignments are approved by the audit committee.
- Internal auditors must disclose conflicts of interest, and rotation policies should apply to senior audit staff on particularly sensitive audits.
- A protection clause against dismissal for reporting audit findings to the audit committee.
5. Draft outline: Internal Audit Charter
An internal audit charter is the foundational governance document setting purpose, authority, responsibilities and reporting lines. Below is a recommended, lawyer-friendly outline tailored for Nepal companies:
- Preamble / Purpose
  - Statement of purpose: to provide independent, objective assurance and consulting to add value and improve the organization’s operations. Reference to Companies Act, SEBON/NRB/stakeholder obligations as applicable.
- Authority
  - Internal audit is authorized to have full, free and unrestricted access to all company records, physical properties and personnel relevant to audit operations.
  - Authority to obtain assistance of personnel in units as needed and to engage external advisors.
- Independence & Organizational Status
  - Functional reporting to the audit committee; administrative reporting to the CEO/MD for HR/budget.
  - CAE’s appointment/termination process (audit committee recommendation/board approval).
- Scope of Work
  - Financial, operational, compliance, IT/IS, fraud risk, ESG/compliance reviews, special investigations, follow-up audits.
  - Right to conduct audit work on subsidiaries and affiliates (explain scope/limitations).
- Duties & Responsibilities
  - Develop an annual risk-based audit plan for audit committee approval.
  - Report significant findings and recommended corrective actions to the audit committee and management.
  - Monitor and report the status of corrective actions (follow-up).
  - Coordinate with external auditors and regulators as necessary.
- Standards of Audit Practice & Quality Assurance
  - Conformance with IIA Standards and local standards/ICAN manuals. Establish a QAIP, with periodic external assessment at least every five years.
- Professional Competence & Staffing
  - Minimum qualifications for the CAE and audit staff; continuous professional development; use of external specialists as necessary.
- Confidentiality & Ethics
  - Internal auditors must maintain confidentiality and follow a code of ethics (IIA Code of Ethics).
- Reporting Protocols
  - Frequency and format of reporting to the audit committee, board, and management; immediate reporting for critical incidents; content requirements for audit reports.
- Review & Amendment of Charter
  - Charter review cycle (e.g., annually) and approval procedure (audit committee).
Tip for Nepal boards: Make sure the charter references local regulator expectations (SEBON, NRB) and the Companies Act where the audit committee duties are derived — this helps when regulators or external auditors ask for documentary proof of governance arrangements.
6. Practical steps to implement or upgrade your internal audit function
- Gap analysis — map current practices to Companies Act, SEBON/NRB directives and IIA/ICAN guidance. Document gaps and prioritize remediation.
- Draft/refresh the internal audit charter — include reporting lines, scope, QAIP, CAE appointment process and direct access clause.
- Resourcing — ensure the CAE has sufficient staff and budget; hire specialists (IT/information security, forensic accounting) when needed.
- Risk-based audit plan — develop with management inputs but approve at the audit committee level. Focus on high-risk processes, compliance hotspots and IT controls.
- Quality assurance & training — implement internal and external QA reviews; invest in staff training (ICAN, IIA certifications).
- Coordination with regulators & external auditors — define liaison protocols and reporting paths, especially for financial institutions where NRB requires certain reporting.
7. Typical internal audit report content & escalation pathways
A robust internal audit reporting format helps boards act quickly:
- Executive summary (risk, impact, recommendation)
- Background and audit scope
- Findings with root cause analysis and risk rating (high, medium, low)
- Recommendations and management responses (owner, target date)
- Action plan follow-up status (in later reports)
- For critical issues, immediate escalation to audit committee and board is recommended.
Financial institutions should align reporting with NRB long-form audit report requirements and share major observations via the audit committee to the board.
8. Common pitfalls and legal traps in Nepal
- Blurring reporting lines — when the CAE reports functionally to management rather than the audit committee, independence is compromised. Ensure a formal charter fixes the reporting lines.
- Under-resourcing — boards must provide sufficient budget; otherwise internal audit becomes a “paper exercise.”
- Ignoring regulator directives — SEBON, NRB and other sectoral regulators often require explicit arrangements; non-compliance can lead to sanctions.
- No QAIP — absence of quality assurance and external assessment undermines credibility; adopt IIA QAIP standards.
9. Case examples
- Listed manufacturing company: introduced a risk-based internal audit plan and IT audit team, formalized a CAE appointment through audit committee and improved investor disclosures on internal control remediation — improved regulator feedback during annual review. (Pattern aligns with SEBON directives.)
- Commercial bank: NRB requires long-form audit reporting. The bank’s internal audit reports major control failures directly to the audit committee, which mandates immediate management action and periodic status updates to NRB.
10. Sample clauses
Authority clause (sample): “The internal audit department, under the authority of the Board acting through the Audit Committee, is authorized to have unrestricted access to all functions, records, property and personnel of the Company and to obtain assistance from management for audit purposes. The Chief Audit Executive (CAE) has direct and unrestricted access to the Chair of the Audit Committee.”
Independence clause (sample): “The CAE shall report functionally to the Audit Committee and administratively to the Chief Executive for resource and HR matters only. The CAE will have authority to communicate directly with the Board and the Audit Committee.”
11. FAQs
Q1: Is internal audit mandatory for all Nepal companies?
A: The Companies Act requires audit committees for certain companies and empowers them to supervise internal auditing activities; SEBON and NRB add explicit internal audit expectations for listed companies and financial institutions. While small private companies may not be legally required to maintain a full internal audit department, they should still implement appropriate internal controls and consider outsourced/internal assurance depending on risk.
Q2: Who appoints the Chief Audit Executive (CAE)?
A: Best practice is for the audit committee to recommend the CAE appointment to the Board. The charter should state the appointment and removal process to protect independence.
Q3: How often should the internal audit charter be reviewed?
A: Annually or whenever there is a material change in business, regulation or governance structure. The audit committee should approve any amendments.
Q4: Should internal audit follow international standards?
A: Yes. Internal audit in Nepal commonly aligns practice with the IIA’s IPPF and ICAN guidance to ensure quality and comparability.
Q5: Can the internal audit function be outsourced?
A: Yes — fully or partially — especially for small companies or for specialized audits (IT, forensic). Ensure the charter documents the use of external providers and maintains independence and oversight by the audit committee.
12. Conclusion
Boards should (a) adopt or update an internal audit charter that explicitly sets the CAE’s reporting to the audit committee; (b) ensure internal audit has a quality assurance program; (c) ensure the audit committee approves the annual risk-based audit plan; (d) confirm alignment with SEBON/NRB and ICAN guidance; and (e) fund the function appropriately. Taking these steps will materially strengthen governance and reduce regulatory and operational risk.