1. You are here:
2. Handbook
3. The Internal Audit Function

On this page

• Internal Audit Charter
  • Purpose and Mission
  • Standards for the Professional Practice of Internal Auditing
  • Authority
  • Independence and Objectivity
  • Scope of Internal Audit Activities
  • Responsibility
  • Quality Assurance and Improvement Program
• Contact the Internal Audit Team

Internal Audit Charter

THE AMENDED INTERNAL AUDIT CHARTER WAS APPROVED BY THE AUDIT COMMITTEE ON 2023-03-29

Purpose and Mission

The purpose of GitLab’s (“Company”) internal audit team (“IA Team”) is to provide independent, objective assurance and consulting services designed to add value and improve the Company’s operations. The IA Team helps the Company accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Standards for the Professional Practice of Internal Auditing

The IA Team will govern itself by adherence to the mandatory elements of The Institute of Internal Auditors' International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Company’s Code of Business Conduct & Ethics (the “Code of Ethics”), the Institute of Internal Auditors (IIA) Code of Ethics, the International Standards for the Professional Practice of Internal Auditing (the “Standards”), and the Definition of Internal Auditing. The Company’s Vice President, Internal Audit will report periodically to the Company’s E-Group and the Company’s Board of Directors’ Audit Committee (“Committee”) regarding the IA Team’s conformance to the Code of Ethics and the Standards.

Authority

The Company's Vice President, Internal Audit will report functionally to the Committee and administratively (i.e., day-to-day operations) to the Company’s Chief Financial Officer. To establish, maintain, and assure that the IA Team has sufficient authority to fulfill its duties, the Committee will:

• Approve the IA Team’s charter.
• Approve the risk-based internal audit plan and budget.
• Receive communications from the Company’s Vice President, Internal Audit on the IA Team’s performance relative to its plan and other matters.
• Make appropriate inquiries of Company management and the Company’s Vice President, Internal Audit to determine whether there is inadequate scope or resource limitations.
• Evaluate performance of the IA Team.

The Company’s Vice President, Internal Audit will have unrestricted access to, and communicate and interact directly with, the Committee, as necessary, including in private meetings without Company management present.

The Committee authorizes the IA Team to:

• Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
• Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
• Obtain assistance from the necessary personnel of the Company, as well as other specialized services from within or outside the Company, in order to complete any engagement.

Independence and Objectivity

The Vice President, Internal Audit will ensure that the IA Team remains free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of audit selection, scope, procedures, frequency, timing, and report content. If the Company’s Vice President, Internal Audit determines that independence or objectivity may be impaired in fact or appearance, the details of impairment will be disclosed to the Committee.

Members of the IA Team will maintain an unbiased attitude that allows them to perform engagements objectively and in such a manner that they have confidence in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.

Members of the IA Team will have no direct operational responsibility or authority over any of the activities audited. Accordingly, members of the IA Team will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair their judgment, including:

• Assessing specific operations for which they had responsibility within the previous year.
• Performing any operational duties for the Company or its subsidiaries.
• Initiating or approving transactions external to the IA Team.
• Directing the activities of any Company team member not on the IA Team, except to the extent that such team members have been appropriately assigned to internal audit auditing teams or to otherwise assist members of the IA Team.

Where the Company’s Vice President, Internal Audit has or is expected to have roles and/or responsibilities that fall outside of internal auditing, safeguards will be established by the IA Team and approved by the Committee to limit impairments to independence or objectivity.

Members of the IA Team will:

• Disclose any impairment of independence or objectivity, in fact or appearance, to the Committee.
• Exhibit objectivity in gathering, evaluating, and communicating information about the activity or process being examined.
• Make balanced assessments of all available and relevant facts and circumstances.
• Take necessary precautions to avoid being unduly influenced by their own interests or by others in forming judgments.

The Company’s Vice President, Internal Audit will report and confirm to the Committee, at least annually, the organizational independence of the IA Team.

The Company’s Vice President, Internal Audit will disclose to the Committee any interference and related implications in determining the scope of internal auditing, performing work, and/or communicating results.

Scope of Internal Audit Activities

The scope of the IA Team’s activities encompasses, but is not limited to, objective examinations of evidence for providing independent assessments to the Committee, Company management, and outside parties on the adequacy and effectiveness of governance, risk management, and control processes for the Company. Internal audit assessments include evaluating whether:

• Risks relating to the achievement of the Company’s strategic objectives are appropriately identified and managed.
• The actions of the Company’s officers, directors, team members, and contractors are in compliance with the Company’s policies, procedures, and applicable laws, regulations, and governance Standards.
• The results of operations or programs are consistent with established goals and objectives.
• Company operations or programs are being carried out effectively and efficiently.
• The Company has established processes and systems to enable compliance with the policies, procedures, laws, and regulations that could significantly impact the Company.
• Information and the means used to identify, measure, analyze, classify, and report such information are reliable and have integrity.
• Resources and assets are acquired economically, used efficiently, and protected adequately.

The Company’s Vice President, Internal Audit will report periodically to E-group and the Committee regarding:

• The IA Teams plan and performance relative to its plan;
• The IA Team’s conformance with The IIA’s Code of Ethics and Standards, and action plans to address any significant conformance issues;
• The Company’s significant risk exposures and control issues, including fraud risks, governance issues, and other matters requiring the attention of, or requested by, the Committee;
• Results of audit engagements or other activities;
• Resource requirements; and
• Any response to risk by management that may be unacceptable to the Company.

The Company’s Vice President, Internal Audit also coordinates activities, where possible, and considers relying upon the work of other internal and external assurance and consulting service providers as needed. The IA Team may perform advisory and related management service activities, the nature and scope of which will be agreed with the management, provided the IA Team does not assume management responsibility.

Opportunities for improving the efficiency of governance, risk management, and control processes may be identified during engagements. These opportunities will be communicated to the appropriate level of management.

Responsibility

The Company’s Vice President, Internal Audit has the responsibility to:

• Submit, at least annually, to E-group and the Committee a risk-based internal audit plan for review and approval.
• Communicate to E-Group and the Committee the impact of resource limitations on the internal audit plan.
• Review and adjust the internal audit plan, as necessary, in response to changes in the Company’s business, risks, operations, programs, systems, and controls.
• Communicate to E-group and the Committee any significant interim changes to the internal audit plan.
• Ensure each engagement of the internal audit plan is executed, including the establishment of objectives and scope, the assignment of appropriate and adequately supervised resources, the documentation of work programs and testing results, and the communication of engagement results with applicable conclusions and recommendations to appropriate parties.
• Follow up on engagement findings and corrective actions, and report periodically to E-group and the Committee any corrective actions not effectively implemented.
• Ensure the principles of integrity, objectivity, confidentiality, and competency are applied and upheld.
• Ensure the IA Team collectively possesses or obtains the knowledge, skills, and other competencies needed to meet the requirements of the internal audit charter.
• Communicate trends and emerging issues that could impact the Company to E-group and the Committee as appropriate.
• Ensure emerging trends and successful practices in internal auditing are considered.
• Establish and ensure adherence to policies and procedures designed to guide the IA Team.
• Ensure IA Team’s adherence to the Company’s relevant policies and procedures, unless such policies and procedures conflict with the internal audit charter. Any such conflicts will be resolved or otherwise communicated to E-group and the Committee.
• Ensure conformance of the IA Team with the Standards, with the following qualifications:
  
  • If the IA Team is prohibited by law or regulation from conforming with certain parts of the Standards, the Company’s Vice President, Internal Audit will ensure appropriate disclosures and will ensure conformance with all other parts of the Standards.
  • If the Standards are used in conjunction with requirements issued by other authoritative bodies, the Company’s Vice President, Internal Audit will ensure that the IA Team conforms with the Standards, even if the IA Team also conforms with the more restrictive requirements of other authoritative bodies.

Quality Assurance and Improvement Program

The IA Team will maintain a quality assurance and improvement program that covers all aspects of the IA Team. The program will include an evaluation of the IA Team’s conformance with the Standards and an evaluation of whether internal auditors apply The IIA’s Code of Ethics. The program will also assess the efficiency and effectiveness of the IA Team and identify opportunities for improvement.

The Company’s Vice President, Internal Audit will communicate to E-group and the Committee on the IA Team’s quality assurance and improvement program, including results of internal assessments (both ongoing and periodic) and external assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the Company.

Contact the Internal Audit Team

• Email
  • [email protected]
• Tag us in GitLab
  • @gitlab-com/internal-audit
• Slack
  • Feel free to use tag @int-audit
  • The #internal_audit slack channel is the best place for questions relating to our team (please add the above tag)

• Sarbanes-Oxley (SOX) Compliance

• Interested in joining our team? Check out more here

• FAQ on Internal Audit