Audit committee

The audit committee delivers oversight of internal and external audits and the financial reporting and controls operating within an organisation

Introduction to the audit committee

The audit committee delivers oversight of internal and external audits and the financial reporting and controls operating within an organisation. It is largely backwards-facing, reviewing existing processes and procedures for efficacy and undertaking historical reviews of financials, actions and issues. The main area of divergence from this is in respect of reviews of audit plans and their alignment to strategy and the future of the organisation.

The audit committee is often merged with the risk committee, in which case the oversight of risk as a whole is monitored. Where these committees are separate, the audit committee would maintain oversight of financial risk within the company, coordinating with the risk committee to ensure that no risks fall between these two forums or are duplicated.

Within financial reporting and controls, the audit committee provides specific oversight of:

  • the financial reporting systems in place within the organisation and their effectiveness
  • the controls and associated financial risk management systems
  • compliance with applicable laws and regulations
  • where requested, the annual report and other external financial reporting on behalf of the board.

Oversight of internal and external audit incorporates:

  • the audit process itself, reflecting the process where an internal audit function exists or where this function is not in place
  • the interaction between internal and external audit processes
  • the appointment process for external auditors.

Terms of reference

While the prevalence of an audit committee is relatively universal in large companies across countries, differences in its roles and responsibilities can be seen under different legislation and should be considered if looking at the audit committee across jurisdictions or when expanding governance controls across multiple countries. 

In general, the framework for the audit committee terms of reference is standard concerning the meeting schedule aligning to audit and financial reporting timetables.

Given the importance of the financial oversight that the audit committee undertakes, and its reporting to the board, the audit committee should also report to members or shareholders, most prevalently via the annual report, the details of any issues that remain outstanding between the committee and the board.

The terms of reference should reflect the size and requirements of the organisation, including whether an internal audit function is in place. Where it is not, the audit committee role should include an annual review as to whether one should be implemented and, if the audit committee errs towards its creation, should advise the board accordingly. The decision of whether to implement an audit function or not then rests with the board or the executive committee on their behalf. If the board decides not to implement an audit function against the recommendations of the audit committee, this should be documented in both the board and audit committee minutes, with content reflecting why the decision was made and any additional considerations given.

Composition

It is the board’s responsibility to determine the composition of the audit committee. However, best practice is to appoint at least two, and preferably three, independent non-executive directors, with at least one member of the committee having recent and relevant financial experience. The chair of the board should not ordinarily be a member of the audit committee.

Duties, responsibilities and tasks

Detail within the terms of reference will reflect the dual role of oversight of financial reporting and controls and internal and external audit. Financial reporting and controls encompass all elements of financial reporting, related systems and controls and the application of regulatory and legislative requirements and responsibilities.

There is a wide variety, form and timetable of financial reporting within all organisations and the integrity of the data to underpin wider decision making is key. The audit committee role in ensuring that this integrity is intact should be at the heart of the purpose of an audit committee.

To undertake this, the committee should monitor all financial statements distributed by and within the organisation. This should include its annual and half-yearly reports, interim management statements, preliminary announcements and any other formal statements relating to its financial performance. These should be critically reviewed with any significant financial reporting issues reported to the board along with any judgements which those statements contain. This should also have regard to any matters communicated to it by the auditor. The committee should make an independent judgement, based on the expertise and experience of its members, of whether the organisation has adopted appropriate accounting policies and made appropriate estimates and judgements. This should take into account the external auditor’s views on the financial statements without using the auditor as the sole source.

The audit committee should also review the financial elements of all reporting by the organisation, including within strategic reports, governance statements and reports to members, shareholders or regulators.

Where the committee has concerns or is not satisfied with any aspect of the proposed financial reporting by the company, it should report its views to the board as a matter of priority.

Within the annual report, the board should confirm that the contents of the annual report provide a true and fair representation of the business. The audit committee should be prepared to review the annual report on behalf of the board in support of the board making this statement within the accounts.

The audit committee should review the internal financial control systems that identify, assess, manage and monitor financial risks. Within this, they should review the resourcing available to ensure that controls and systems are maintained and working. This should also extend to risk management systems concerning financial risks, in coordination with the risk committee where there is one or for all risks where there isn’t.

The audit committee should review and approve the statements to be included in the annual report concerning internal control, risk management and the viability statement.

Where an organisation has multiple divisions or locations, the controls and systems of the business are by necessity complex, multi-layered and often applied as a matrix. The audit committee should be mindful of the interaction between reporting and ensure that the systems and controls are applicable both at the top within group-level reporting and in isolation by each specific division or function.

While not an IT committee, the audit committee should be mindful of the sources of data, the transposition of data between systems and the differences between them. This may be as simple as the language used to define terms or the periodicity of recognising revenue.

If a separate risk committee is not constituted, the board may delegate to the audit committee the responsibility for considering the effectiveness of internal control processes for risk and control. The committee will review the corporate risk register and require assurances relating to the management of risk in line with the board’s risk strategy and appetite.

In addition to financial risk, which would fall to the audit committee regardless, other areas of risk might include operational risk, cyber risk, regulatory and compliance risk and emerging risk. For each of the risks identified in the risk register, the audit committee will ensure that there is an effective role in place.

The committee should review the adequacy and security of the arrangements for employees and any contractors to raise concerns about possible wrongdoing in financial reporting or other matters. They should also ensure that such reporting can be undertaken in confidence and to a neutral third party. The committee should also ensure that the processes and procedures once a concern has been raised allow for a proportionate and independent investigation and that appropriate follow up action can be taken. Where a concern has been raised, it would be expected that this would be reported to the committee by the relevant reporting function, after which the committee should monitor the resolution, and any resultant actions agreed to be taken.

The audit committee should also review:

  • procedures for detecting fraud and the reporting of the application of such procedures;
  • systems and controls for the prevention of bribery, receiving reports on non-compliance;
  • where relevant, the regular reports from the money laundering reporting officer and the adequacy and effectiveness of the organisation’s anti-money laundering systems and controls; and
  • regular reports from the compliance officer, keeping under review the adequacy and effectiveness of the organisation’s compliance function.

In some organisations, the responsibility for the above reviews may be undertaken by or shared with other committees such as the risk committee or a regulatory committee. Where this is the case, the chair of each committee should coordinate their oversight responsibilities to ensure there is no overlap or areas overlooked.

The audit committee should also coordinate with the general counsel or legal advisers with regard to any new legislation that is planned or implemented to ensure that any new requirements have been captured by the company and whether their oversight responsibilities have been changed or extended as a result. Individual committee members should also bring to the attention of their fellow committee members any new or changed legislation they are aware of through their wider connections. The committee should then ensure that they have notified the board of these and have ensured that appropriate action is being taken or responsibility delegated adequately.

Oversight of the internal and external audit incorporates:

  • the audit process itself, reflecting the process where an internal audit exists or where the function is not in place;
  • internal and external audit processes and their interaction; and
  • the appointment process for external auditors.

Where there is an internal audit function, the audit committee should be part of the review of the role of head of audit and their appointment and ongoing effectiveness in their role, working with the board, the HR function and, if they exist, the nomination and remuneration committees. As an ongoing responsibility for ensuring effectiveness, the audit committee should ensure that the head of audit has access to the chair of the board as well as heads of functions and is able to deliver in their functions independently of influence or involvement of senior executives. Where a senior representative of the internal audit function flags concerns they may have in respect of their ability to undertake their role, the audit committee should seriously consider their concerns and identify appropriate solutions for discussion and agreement with the board.

The audit committee should ensure that the audit function is effective and sufficiently resourced to fulfil all identified deliverables. If it considers that this is not the case, concerns should be shared with the board with a recommendation that additional resources be provided.

The audit committee should review and challenge the internal audit plan. This should focus on the review of previous issues as well as new areas aligned to strategic focus and ensure that lesser risk areas have sufficient focus.

After each planned internal audit and any emergency audits conducted, the audit committee should review the resultant report, approve any associated actions and oversee the conclusion of any such actions within the timeframes identified and agreed.

Having considered the external quality assessment of internal audit, the committee confirms it is satisfied with the overall performance of the internal audit function.

When reviewing the audit function, which from best practice would be ongoing in respect of information received and annually on a proactive basis, the audit committee should consider whether the contribution of an external assessor would be of value. If they believe it would, they should raise this with the board for their approval and be part of the appointment, implementation and review process.

Where there is no internal audit function, the audit committee should review the financial risk, controls and reporting of the finance function and other related internal functions as the third line of defence. On an annual basis, they should report to the board whether the absence of an internal audit function remains appropriate and, if not, the options that could be considered for implementing one. The decision of which option is most appropriate is a decision of the board based on input by the audit committee. Consideration would be based on organisation requirements as well as resource availability, current concerns, cost and nature of the business.

The audit committee should be heavily involved in the appointment and ongoing monitoring of the audit provider. Specifically, they should be part of the appointment process, reviewing audit requests, audit firm proposals, as well as the audit processes themselves and the related costs. As part of this, the audit committee should apply best practices, recommendations and regulatory requirements to their consideration.

Where an external auditor tenders their resignation, the audit committee should review the reasons why, investigating the issues and ensuring that any resultant actions are identified, allocated and completed. Given that the external auditor should be an invitee of the audit committee at each meeting, it would be unusual for the committee to not have prior knowledge of the potential resignation of an external auditor and already be involved in understanding and addressing their concerns. Appointment of an alternative auditor in these scenarios would inevitably include the new auditors tendering for the appointment to be apprised of the reasons for resignation.

External auditors must be independent of the company that they are auditing and act objectively. As such, the audit committee should ensure that this is the case and that the external auditors have access to all required data and resources to fulfil their role. As part of this, the audit committee should liaise with the audit firm and the lead partner as well as review their work on an annual basis based on published requirements for audits and ethical standards for professional services.

The audit committee should review the fees of the audit firm, compared to both the overall fee income of the company and the market as a whole. These should also be reviewed in respect of the audit firm itself with regard to the fee income of the firm, the particular office and the relevant partner. These should be assessed in the context of relevant legal, professional and regulatory requirements, guidance and ethical standards.

The audit committee should consider the timetable of the external auditor against the actual and proposed activities of the audit and finance functions within the company to ensure that they can all deliver within their roles. They should also review and challenge the proposed, incurred and invoiced fees relative to both the wider market and the work undertaken.

Where the board may request, or the audit firm may offer, to provide non-audit services, the audit committee should review these for independence, transparency and objectivity. There should be a specific focus on objectivity and independence of the services being provided and any conflict that may arise. Also, fees in isolation of, and in combination with, the audit fees should be reviewed. Consideration should also be given to whether the audit firm is the most suitable provider of such services.

As with any considerations of a committee, but specifically in relation to external audit appointment and oversight, committee members should be transparent in any conflicts of interest they may have with providers or potential providers of an audit or other financial services.

The audit committee should liaise with the head of internal audit and the auditor on receipt of the audit report to identify any areas of concern or risks flagged as a consequence of the audit process or other issues that may arise. As part of this, any feedback or queries to the auditor from the organisation or the board and its members should be accommodated and addressed. The chair of the audit committee should also meet with the auditors independently to ensure that communication can be free of influence or company restrictions.

Reporting

As with other committees of the board, the annual report should include an explanation of how the audit committee undertakes its roles and responsibilities. Any areas that the audit committee has reported to the board that have not been adequately responded to should be reported with detail on how the auditors have been appointed and reviewed. It should include explanations of how any non-audit services and fees are managed by the audit firm and provide evidence of their independence. Alongside the reporting of the risk committee and identified financial risks, mitigating actions and significant issues should be reported.

The best practice would be for the audit committee to review any and all financial statements that are distributed outside the organisation given their independence as well as their knowledge of systems and controls in place within the company.

Internally when reviewing processes for reporting, the audit committee should be mindful of interactions between functions and divisions of a business. They should also include their knowledge of the business strategy when considering the actual data and its presentation, as well as the future areas of focus that the strategy may be moving towards.

The annual report should also include reference to the future deliverables and focus of the audit committee beyond its standard responsibilities as defined in the terms of reference, for example if the audit committee has an oversight role in terms of new areas of sporting development, systems upgrades, regulatory or legislative amendments or changes to internal financial reporting.

Supporting the committee

All contributors to committee packs should make sure the audit committee is getting information, not just data. With meaningful reporting, the audit committee will be able to review and recommend beneficial actions that will support the organisation. Without clear reporting, the function of the audit committee may deteriorate into the review of the data itself rather than the key issues that the data could be flagging. Too often, reporting is purely factual, with no manipulation or grouping of the data to reflect areas of interest. While the audit committee, with the correct skills within their membership, can tease this out of the provided data, this demeans the contribution they could provide through their wider experience.

The audit committee must understand the various systems used for collating, using and reporting data and the differences between them. Arranging for the IT department to provide an overview of each to committee members and new joiners is beneficial.

While audit committee members should ensure that they keep abreast of regulatory, legislative and legal reporting changes that may affect the company, if there is an internal legal department, they should update the audit committee on any proposed or implemented changes to ensure that these are formally noted and discussed by this forum. Any advice on required actions as a result of these discussions should then be escalated to the board.