Internal Audit Charter v2.0 - Draft


XYZ (TANZANIA) LIMITED

INTERNAL AUDIT CHARTER

1. Purpose and Scope


At Watu Credit (Tanzania) Limited (“XYZ” or “the Company”), Internal Audit (IA) assists the
Board Audit, Risk and Compliance (BARC) Committee and Senior Management in discharging
their duties within the Company through independent, objective assurance and consulting
services designed to add value and improve the Company’s operations.

The function assists the Company in accomplishing its objectives by applying a systematic,
disciplined approach to evaluate and recommend improvements to increase the effectiveness of
internal controls, risk management and governance processes.

The role’s responsibilities include assurance over the implementation of improvements. Internal
auditing is a catalyst for improvement in a Company’s effectiveness and efficiency by providing
insight and recommendations based on analyses and assessments of data and business processes.
With a commitment to integrity and accountability, internal auditing provides value to governing
bodies and senior management as an objective source of independent advice.

2. Mission

The mission of Internal Audit is to enhance and protect organizational value by providing
risk-based and objective assurance, advice, and insight.

3. Authority and Independence

a) Status
The organizational status of the internal audit function should be sufficient to permit
objectivity and to ensure accomplishment of its audit responsibilities. The function is
established, and its responsibilities are defined by the XYZ BARC Committee.

XYZ BARC Committee has oversight of the appointment and removal of the Internal Auditor
and his/her performance reviews as well as setting the remuneration for the role.

The Internal Auditor reports functionally to the XYZ BARC Committee and administratively
to the Head of Growth and has unfettered access to all officers of the organization including
the Chairperson of the XYZ Board and Members of the BARC Committee, if required, and
subject to appropriate judgement being applied.

Watu Tz - Internal Audit Charter Version 2 (October 2023)


XYZ BARC Committee is responsible for the approval of the Internal Audit budget.

b) Organizational structure and authority


The organizational structure should promote the independence of the internal audit
function to support objective opinions.

At the discretion of the Internal Auditor, the function has:

• Full, free and unrestricted access to management, employees, financial and operational
  activities, records (manual and electronic), physical locations and all information
  considered necessary to properly execute its work, but subject to strict accountability for
  safekeeping and confidentiality thereof;
• Full and free access to the XYZ BARC Committee and subsidiary/associate BARC
  Committees; and
• Authority to allocate resources, set frequencies, select subjects, determine scopes of
  reviews and apply the techniques required to accomplish audit objectives.

The Internal Auditor and staff of the internal audit function are NOT AUTHORIZED to:
• Perform any operational duties for the organization or its affiliates;
• Initiate or approve any transactions external to the internal audit function; and
• Direct the activities of any employee in the organization not employed by the internal
  audit function, except to the extent such employees have been appropriately assigned to
  auditing teams or to otherwise assist internal audit.

Although Internal Audit staff may act in an advisory capacity in the design, implementation,
and operation of controls, the related decisions, sign-offs and approvals may not be made by the
Internal Auditor. IA staff members that have been transferred/employed from the business into the
internal audit function should not review any aspects of their previous department’s work or
related activities’ work until at least one year has passed.

The Internal Auditor is ultimately accountable for the work performed by all staff in the
internal audit function with day-to-day responsibilities delegated to direct reports. This
includes, but is not limited to, the establishment of the scope of activities to be carried out,
the tools and methodologies to be followed, procedures and standards, size of the team per
project, required skills, educational levels, experience for recruitment purposes as well as
decisions with regards to possible outsourcing or co-sourcing where this may be required.

4. Limitation of scope
Any attempted scope limitation by management must be reported, preferably in writing, to the
XYZ BARC Committee. The question of whether an action from management in fact constitutes
a scope limitation is at the judgement of the Internal Auditor for discussion with the XYZ BARC
Committee. Except where fraud is suspected, XYZ BARC Committee may decide to accept a
limitation of scope.

In such instances, the Internal Auditor should evaluate from time-to-time whether the
circumstances surrounding the scope limitation are still valid and whether the scope
limitation needs to be reported again to the XYZ BARC Committee for their renewed
consideration.

5. Responsibilities
The key responsibility of the Internal Auditor is to the XYZ Board, its committees, or both, in
discharging its governance responsibilities and, as a minimum, to perform the following
functions:
• Systematically analyzing and evaluating business processes and associated controls.
• Providing a source of information, as appropriate, regarding instances of fraud, corruption,
  unethical behavior and irregularities.
• Evaluation of the organization’s governance processes including ethics, especially the “tone
  at the top”.
• Evaluate the organization’s internal control framework.
• Perform an objective assessment of the governance and the internal control framework; and
• Supporting the setup and design of the risk management methodology.

Internal Audit roles with respect to governance, risk management and compliance (GRC):

Type of Role | GRC Role | Description | Example
-------------|----------|-------------|--------
Participation roles – legitimate roles with safeguards | Facilitate risk assessments | Facilitate business risk assessments. | Assist management with risk awareness and risk identification sessions.
Participation roles – legitimate roles with safeguards | Initiate GRC initiatives | Initiate GRC initiatives to improve governance and assessment of risks and controls. | Initiate projects to improve the governance and monitoring of risks and controls, supported by issue and task management tools to monitor the status of follow-up actions.
Participation roles – legitimate roles with safeguards | Project/process coordinator | Coordinate project activities regarding risk methodology and Control Self Assessments (CSAs). | Coordinate a project to implement CSAs so management can assess the level of compliance with company rules themselves.
Participation roles – legitimate roles with safeguards | Documentation of controls | Support in the documentation of controls. | Support management in documenting controls using a predefined format as part of a business process redesign project.
Participation roles – legitimate roles with safeguards | Proactive Quality Assurance (QA) partner – facilitating role | QA partner that not only identifies risks but also translates them into real business issues and makes recommendations. | Support management by proactively providing recommendations on how to mitigate identified risks.

Roles that will not be undertaken by the internal auditor with respect to GRC activities:

Type of Role | Description of roles not to be undertaken by the internal auditor
-------------|------------------------------------------------------------------
No role Internal audit | Setting the risk appetite.
No role Internal audit | Imposing the GRC process.
No role Internal audit | Taking managerial decisions regarding the proposed solutions.
No role Internal audit | Implementing solutions on behalf of management.
No role Internal audit | Being accountable for project deliverables.
No role Internal audit | Being accountable for embedding project deliverables in the organization.

Processes followed by IA should be flexible and dynamic in addressing emerging business,
organizational, operational and assurance needs throughout the organization.

Impact of combination of Internal Audit Function with GRC function:

The following dilemmas are noted with respect to combining internal audit with other
assurance-related activities, i.e., GRC:
• How to provide an independent opinion on the effectiveness of the second line of
  defense.
• How to provide assurance on GRC activities that are provided by professionals in the
  same department.
• How to deal with the potential perception that the objectivity of activities of the second
  line of defense in which the audit function is involved has been compromised.

Possible activities (not exhaustive) that IA should perform are:

• Verifying implementation and maintenance of the appropriate internal controls by the
  management.
• Reviewing the reliability and integrity of financial and operational information and the
  means used to identify, measure, classify and report such information.
• Reviewing the systems established by management to ensure compliance with policies,
  plans, procedures, laws, and regulations that could have a significant impact on operations
  and management reports and determining compliance.
• Reviewing the means of safeguarding information assets and intellectual property assets
  and, where required, other assets as well as the existence thereof.
• Appraising the economic and efficient use of resources.
• Monitoring the risk management infrastructure, culture, and practices.
• Reviewing operations or programs to ascertain whether results are consistent with established
  objectives and goals as well as whether the operations or programs are being carried out as
  planned.
• Evaluating and assessing significant merging or consolidation of functions and new or
  changing services, processes, operations, and control processes.
• Providing an annual written assessment regarding the effectiveness of the system of internal
  controls, risk management and governance to the XYZ BARC Committee – this will enable
  the Board to report on the effectiveness of the system of internal controls, where applicable.
• Conducting a review of key financial reporting controls in identified financial systems and
  processes and providing a written assessment to the XYZ BARC Committee.
• Assessing the adequacy of the combined assurance approach adopted by the organization,
  which includes the adequacy of risks covered by the different assurance providers and the
  reliability of the assurance provided. This requires continued constructive collaboration with
  other assurance providers.
• Monitoring and reporting on the implementation of agreed management action plans per
  previously issued audit reports.
• Conducting ad hoc and special assignments as and when the need arises after formal
  consent has been obtained considering the approved annual audit plan; and
• Rendering consulting and advisory services if there is no possibility that
  independence and objectivity may be jeopardized in future audits – such services will
  only be considered if provision is negotiated and approved per the audit plan and if
  the IA resources possess the necessary specialist knowledge/skills.

Management retains the responsibility for establishing and maintaining the organization’s
internal control environment. Effective internal controls reduce the likelihood that risks will
occur, and that errors, fraud and illegal acts will remain undetected; however, they do not
eliminate the possibility. Similarly, whilst internal audit cannot guarantee that audit work will
detect errors, fraud and illegal acts, the audits are designed to provide reasonable assurance of
such material instances being detected.

Management also has the responsibility and accountability for addressing weaknesses and
inefficiencies and for taking the necessary corrective action. Other management responsibilities
include:
• The establishment and maintenance of a documented control framework, including the
  prioritization of a documented financial control framework; and
• Informing the Internal Auditor and appropriate Senior Management of any significant
  control issues, thefts, fraud, unauthorized transactions, accounting breakdowns and/or
  compliance issues with significant matters reported to the XYZ BARC Committee.

6. Relationships with other assurance providers, including the external auditors


Internal Audit coordinates its work with that of the other assurance providers. These providers
are consulted in determining the activities of internal audit in order to minimize duplication of
audit effort. This may involve:
• Periodic meetings to discuss planned activities.
• The exchange of audit working papers, including system documentation.
• The exchange of reports and management letters, where applicable.
• The forming of joint teams, where appropriate.
• Internal audit carrying out certain audit work with reliance-based outcome objectives.
• Evaluating and aligning with the services rendered by the assurance providers; and
• Other aspects of the relationships between the organization and the external auditors.

7. Operational planning
Parameters for internal audit’s operational functioning are set as follows:
• Staffing (requirements based on the structure of the function; written job descriptions;
  recruiting and selection methods; training and continuing professional educational
  opportunities; performance evaluation and counseling).
• Budgeting processes.
• Tools and methodologies.
• Principles and process of internal audit planning (including the drafting of risk-based audit
  plans consistent with the company’s strategy and objectives that should be maintained and
  reviewed each year and an annual audit plan with priorities, timing and resource
  requirements that is reassessed on a quarterly basis based on risk input sources; unless the
  XYZ BARC Committee agree an increased support role to be played by Internal Audit).
• Key performance indicators.
• Quality assurance through independent quality reviews as deemed appropriate, as well as
  internal quality assurance and improvement programs as required by the Institute of
  Internal Auditors’ International Standards.
• Communication strategy (all relevant entities and staff should be aware of the purpose,
  organizational status and added value of the internal audit function to enhance the
  effectiveness of internal audit); and
• Reporting protocols that involve the issuance of clear and concise detailed and executive
  summary audit reports to line management, the BARC Committee and Senior Management
  of the audited entity as well as summarized and consolidated reports to XYZ Senior
  Management and XYZ BARC Committee after formal sign-off for release has been obtained
  from the responsible designee, as agreed per entity. For purposes of reporting, definitions of
  reportable issues as determined by the XYZ BARC Committee from time-to-time shall
  apply.

8. Assessment of effectiveness of the internal audit function
IA should be assessed annually for effectiveness by the XYZ BARC Committee based on the
following suggested criteria:
• Performance in terms of the annual internal audit plan (as adjusted and agreed by the
  Committee).
• Compliance with the Institute of Internal Auditors’ International Standards inclusive of
  quality assurance and assessments on the level of compliance achieved.
• Achievement of reporting protocols through management to the XYZ BARC Committee.
• Timeous reporting of findings and activities.
• Responsiveness to changing operational environments.
• Management’s acceptance of the internal audit findings.
• Quality and relevance of the annual assessment reports.
• Level of cooperation and interaction with other assurance providers within the agreed
  combined assurance approach.
• Maintenance of adequate staffing/resourcing levels to meet the requirements of this
  Charter; and
• Meeting the budget allocated to internal audit.

9. Knowledge and Skill


Internal Audit Department:
• Will be staffed with suitably qualified, competent, and ethical staff, affiliated to the Institute
  of Internal Auditors and/or National Board of Accountants and Auditors in accordance with
  employment policies.
• Will only engage in services for which they have the required knowledge, skills,
  and experience.
• Will source appropriate tools and audit techniques to keep pace with the complexity and
  volume of risk and assurance requirements as well as industry trends.
• May engage external service providers to gain the necessary assurance that the staff
  assigned to each audit collectively possess the necessary skills, knowledge, and discipline to
  conduct the engagements; and
• Will actively encourage an environment of continual improvement through regular
  attendance of external and internal training and professional studies.

10. Monitoring of business developments


Internal Audit will be represented on all major committees, so as to keep abreast of
developments and risk/control breakdowns, particularly where internal controls are affected, or
where an objective opinion is needed. The Internal Auditor has a standing invitation to attend
meetings of the executive committee or other committees made up of a majority of senior
executives but is not a member of these committees in order to protect independence.

11. Standard of Audit Practice


The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’
Mandatory Guidance, which includes the Core Principles for the Professional Practice of Internal
Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal
Auditing, and the Definition of Internal Auditing. The IIA’s Mandatory Guidance constitutes the
fundamental requirements for the professional practice of internal auditing and the principles
against which to evaluate the effectiveness of the internal audit activity’s performance.

Internal audits shall be conducted in conformance with the Mandatory Guidance.

The IA will be a member of the National Board of Accountants and Auditors (NBAA) and will
adhere to the respective Code of Ethics. In addition, Internal Audit staff will be encouraged to
be members of NBAA and encouraged to obtain the official certifications/qualifications from
the respective professional body. From a career path perspective, such
certifications/qualifications are required for promotion to more senior levels.

As a measure to confirm that the function remains effective, the BARC Committee should
ensure that the internal audit function is subjected to an independent quality review as deemed
appropriate, but at least every five years (except where regulatory requirements prescribe a
shorter period).

12. Review of the Internal Audit Charter


This Charter must be updated annually, but more frequently as circumstances may necessitate.

The INTERNAL AUDITOR is responsible for maintaining this Internal Audit Charter. Amendments
and exceptions to the Charter are subject to acceptance and approval by the XYZ Board.

Approved by the XYZ BARC Committee on ___ October 2023.

Document management and change control

Version | Name | Designation | Date
--------|------|-------------|-----
Version 2.0 created | Silvanus Kilindu | Internal Audit and Risk Manager | 31/08/2023
Version 2.0 reviewed | Irene Muasya | Head of Internal Audit and Risk |
Version 2.0 approved | Godwin Rutashobya | Chairman: BARC Committee |

Stakeholder Distribution List

Name and Surname | Role | RACI | Date distributed
-----------------|------|------|-----------------
Silvanus Kilindu | Internal Audit and Risk Manager | R/A |
Godwin Rutashobya | Chairman: BARC Committee | C |
Crispin Mwebesa | Member: BARC Committee | C |
Irene Muasya | Head of Internal Audit and Risk: Group | C |
Rumisho Shikonyi | Head of Growth | I |
Anastasija Matvejeva | Head of Finance | I |
Seuri Kuoko | Head of Market | I |
Eddsteve Mwangalimi | Head of Operations | I |
Anna Linza | Head of Human Resource | I |
Elihazina Kangala | Legal Officer | I |

Revision History

Version No. | Revision Date | Summary of Changes | Author
------------|---------------|--------------------|-------
Version 2.0 | 31/08/2023 | Aligning the IA roles with job description and Microfinance regulation | Silvanus Kilindu
