Risk management
Fraud, compliance and ethics
Independent audit
Internal audit
Internal control over financial reporting
Financial reporting and related disclosures
Overview
To assist the audit committee in fulfilling its role, this section outlines key considerations in each of the key areas of audit committee oversight.
Fulfilling the role — key oversight considerations
Finally, the SEC may issue a “comment letter” to understand disclosures, revise disclosures or request additional or different disclosures. These often seek to enable compliance with accounting standards or address clarification or inconsistencies regarding financial reports. It can be helpful for audit committees to learn about trends in SEC comment letter areas of focus as well as to stay informed about any comment letters received by the company and plans for the company response, which are ultimately public documents. For resources on this, see: https://www.ey.com/en_us/services/audit.
The committee should also seek to understand the financial reporting close process — how financial data is gathered to produce financial reports — including any significant adjustments, offline account reconciliations, delays, data inconsistencies or organizational changes. For more on this, see “Can fine-tuning your financial processes help accelerate your growth?”
NYSE guidance explains that the audit committee’s responsibility to discuss earnings releases, as well as financial information and earnings guidance, may be done generally (i.e., discussion of the types of information to be disclosed and the type of presentation to be made). The audit committee need not discuss in advance each earnings release or each instance in which a listed company may provide earnings guidance. However, earnings releases and earnings guidance are important to stakeholders and investors, so it’s valuable to understand anything that could result in a change in earnings after the release and before SEC filing, including what work has not yet been completed by the independent auditor.
Inquire about management’s consideration of its revenue recognition policies, including how the company accounts for complex revenue arrangements and whether any changes in revenue recognition policies were made in the current year
Review the use of non-GAAP measures and understand why management believes they enhance reporting
Review significant financial reporting and regulatory developments, including their effect on the financial statements and on the company’s resource needs
Focus on areas involving significant judgment or high degrees of estimation (such as asset impairments), quality of earnings, cash flows and liquidity position and other ongoing financial statement issues affected by macroeconomic conditions
Focus on new accounting pronouncements adopted during the reporting period, critical accounting policies, risk factors, internal control deficiencies and significant accounting matters and disclosures
Seek to understand complex accounting and reporting issues, such as fair value accounting and related assumptions, and how management addresses them
Ask management for an overview of judgmental or key areas included within the financial statements for the audit committee to evaluate
To accomplish an effective review of the financial statements, leading practice audit committees will:
The committee should clearly understand financial results and how reported results compare to plan as well as significant balance sheet changes in trends or important financial statement relationships. The committee should also assess the congruence between any narrative regarding key risks and the impacts of key risks accounted for in the financial statements. Finally, it’s important to set an expectation with management that accounting errors should be recorded when identified.
The type and presentation of information to be included in earnings press releases (paying particular attention to any use of “pro forma,” or “adjusted” non-GAAP, information), as well as any financial information and earnings guidance provided to analysts and rating agencies
The effect of regulatory and accounting initiatives, as well as off-balance sheet structures, on the financial statements of the company
Analyses prepared by management or the independent auditor setting forth significant financial reporting issues and judgments made in connection with the preparation of the financial statements, including analyses of the effects of alternative GAAP methods on the financial statements
Major issues regarding accounting principles and financial statement presentations, including any significant changes in the company’s selection or application of accounting principles, and major issues as to the adequacy of the company’s internal controls and any special audit steps adopted in light of material control deficiencies
NYSE listing rules guidance to Section 303A.07(b) explains that while the fundamental responsibility for the company’s financial statements and disclosures rests with management and the independent auditor, the audit committee is required to review:
The audit committee will review and discuss (with management and the independent auditor) the annual audited financial statements and recommend to the board whether they should be included in the Form 10-K and review and discuss the quarterly financial statements prior to the filing of Form 10‑Q, including disclosures made in “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and the results of the independent auditor’s review of the quarterly financial statements.
Discuss the company’s earnings and press releases, as well as financial information and earnings guidance provided to analysts and rating agencies (NYSE‑specific)
Review and discuss with management and the independent auditor the company’s quarterly financial statements prior to the filing of its Form 10-Q, including disclosures made in management’s discussion and analysis and the results of the independent auditor’s review of the quarterly financial statements (NYSE‑specific)
Review and discuss the annual audited financial statements and quarterly financial statements with management and the independent auditor, including the company’s specific disclosures under “Management’s Discussion and Analysis of Financial Condition and Results of Operations” (NYSE‑specific)
Oversight of accounting and financial reporting processes (Exchange Act, applicable to both NYSE and Nasdaq companies)
Oversight of the annual and quarterly financial statements and related disclosures (included in Form 10-K and Form 10-Q) is a core aspect of every audit committee’s remit. As financial reporting becomes more complex, the audit committee should determine whether the financial statements are understandable, transparent and reliable. Specific requirements are as follows:
Oversight of financial reporting and related disclosures
Disclosure note
The SEC (Item 407(h) of Regulation S-K) also requires the board to disclose the extent of its role in risk oversight. This typically includes a description of the role of board committees in certain aspects of risk oversight.
Many provide more fulsome descriptions of audit committee oversight activities on a voluntary basis. The depth and scope of audit-related disclosures in the proxy statement have increased in recent years, providing more insight into the committee’s roles, responsibilities and key areas of focus.
Whether it has recommended to the board that the financial statements be included in the annual report
Whether it was provided a disclosure from the independent auditors regarding independence
Whether it discussed them with the independent auditors
Whether the committee reviewed the financial statements with management
SEC (Item 407(d) of Regulation S-K) rules require certain disclosures related to audit committee oversight in the proxy statement. This includes information regarding the composition and operation of the committee as well as:
The audit committee chair will work closely with the corporate secretary to draft the audit committee report, confirming that it addresses any mandatory requirements and is an accurate reflection of the work undertaken by the audit committee over the course of the year.
Audit Committee chair considerations
The audit committee chair will actively engage management, including the CFO, head of internal audit and the independent auditor to help committee members understand the financial statements and related disclosures.
Audit Committee chair considerations
Questions for consideration
1. Is the committee knowledgeable about the critical accounting policies of the company and the material alternative accounting treatments as well as internal and independent auditors’ views on those?
2. How has the audit committee challenged management on its selection and use of non‑GAAP measures?
3. How has the audit committee challenged management on any voluntary changes to accounting policies, readiness for future mandatory changes in accounting standards and the accounting for any material one-off or unusual transaction, if relevant?
4. What information, including from independent sources or advisors, did the audit committee use to challenge management over judgments underpinning material estimates?
5. How has the audit committee satisfied itself that management has adequately accounted for complex accounting issues and non‑recurring items?
For more on ICFR, see the CAQ Guide to Internal Control Over Financial Reporting.
To create a reference point against which to build a picture of what good looks like and to judge effectiveness, the audit committee can refer to a recognized internal controls framework. Indeed, the SEC requires companies to use a “suitable framework” for assessing effectiveness of ICFR. One such example is the so-called COSO Internal Control — Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2013.
Verify that there is a robust management-level disclosure committee, as recommended by the SEC, and confirm it has a clear mandate
Challenge management to leverage the value of controls so that internal control processes and assessments do not simply become compliance exercises
Obtain views from the independent auditor and specifically understand whether the auditor is taking a controls reliance approach in the audit and, if relevant, why a controls approach cannot be adopted
Consider levels of authority and responsibility in key areas, including pricing and contract negotiations, acceptance of risk, commitments and expenditures
Monitor implementation of significant internal control changes
Understand management’s action plans to address material control deficiencies or emerging risks that could have an impact on financial statements
Determine whether the company devotes the resources required for its internal control processes to function effectively
Request regular information on the functioning of internal controls over financial reporting from the finance team, internal audit and potentially the CEO
To conduct these reviews, the audit committee needs to understand key controls and financial reporting risk areas as assessed by financial management, the internal auditor and the independent auditor, as well as mitigating controls and safeguards. Leading practice audit committees will:
Compliance with SOX Section 404 can be an expensive and intensive process. Newly listed companies are not required to comply with SOX Section 404 until their second annual report filing. Among others, emerging growth companies (“EGCs”) are exempt from SOX Section 404(b) regarding independent auditor attestation and reporting on management’s assessment of its internal controls. The SEC allows EGC status to companies for the first five years after their IPO if they do not exceed certain thresholds (i.e., revenue, debt issuance and company becoming a “large accelerated filer”). Therefore, those companies would be exempt from SOX Section 404(b) for their first five years after IPO.
IPO accommodations
Review any major issues as to the adequacy of the company’s internal controls as highlighted by internal or independent audits and any special audit steps adopted in light of material control deficiencies (NYSE‑specific)
Review CEO and CFO quarterly certifications about the effectiveness of ICFR as well as the company’s disclosure controls and procedures (in connection with SOX Section 302, applicable to both NYSE and Nasdaq companies)
Review management’s evaluation and reporting on the effectiveness of ICFR as well as the independent auditor’s attestation and report on management’s assessment of its internal controls (in connection with SOX Section 404, applicable to both NYSE and Nasdaq companies)
The audit committee will:
SOX Section 404 requires management to annually evaluate and report on the effectiveness of these controls and for the independent auditor to report on this assessment. As part of the audit process, the independent auditor must provide the audit committee with written communication about all material weaknesses and significant deficiencies in internal control. Additionally, in accordance with SOX Section 302, the CEO and the CFO are required to make quarterly certifications about the effectiveness of ICFR as well as the company’s disclosure controls and procedures (designed to confirm that disclosures required by the SEC are recorded, processed, summarized and reported, within the designated time periods). Relatedly, SOX Section 906 requires the CEO and CFO to certify that all financial reports fairly present, in all material aspects, the financial condition and results of operations of the issuer and carries criminal penalties for noncompliance.
ICFR refers to a company’s processes designed to reasonably confirm the reliability and accuracy of financial reporting. Management is responsible for establishing and maintaining adequate ICFR; however, the audit committee is responsible for overseeing these controls and reviewing how management has complied with SOX. These controls may include separation of roles and duties, cybersecurity and IT controls, management review, entity and process-level controls, access controls, audit trails and preventive and detective controls.
Oversight of internal control over financial reporting (ICFR)
Questions for consideration
1. Does the committee effectively monitor how management is assessing the adequacy and effectiveness of ICFR and obtain at least quarterly status reports on management’s assessment of ICFR and the independent audit of ICFR?
2. What reporting does the audit committee receive so that it can challenge management’s view on the design and operational effectiveness of internal controls across its areas of responsibility? Is this reporting sufficiently regular and timely?
3. How satisfied is the audit committee with the reporting it receives from those within the second line who test first-line controls?
4. Does the committee discuss with management and the independent auditor the deficiencies in ICFR and any differences between management’s assessment and the independent auditor’s assessment?
5. Does the committee discuss with management its remediation plan to address internal control deficiencies?
6. Does the committee review and determine that disclosures describing any identified material weaknesses and management’s remediation plans are clear and complete?
7. Does the committee discuss with the internal auditors whether management has adequately addressed recommendations for improvements in ICFR, if any?
8. Does the committee discuss with management the process for performing certifications under SOX Section 302 and review management certifications on quarterly and annual reports?
9. On which sources of feedback did the audit committee base its assessment of the overall strength of the finance function?
Within one year of listing, companies on the NYSE must have an internal audit function, with oversight from the audit committee. If the listed company does not yet have an internal audit function because it is availing itself of the transition period accommodation, the committee should review with the board management’s activities with respect to the design and implementation of the internal audit function.
IPO accommodations
For more on oversight of internal audit, see The Audit Committee: Internal Audit Oversight from The Institute of Internal Auditors.
Also, Federal Reserve-supervised institutions with consolidated assets greater than $10 billion, including state member banks, domestic bank and savings and loan holding companies, and US operations of foreign banking organizations (FBOs), are subject to the SR 13-1 / CA 13-1: Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing. These expectations are focused on the characteristics, governance and operational effectiveness of an institution’s internal audit function, including clarity on internal audit’s reporting line, audit committee reporting enhancements, providing opinions on risk management and oversight and awareness of the audit committee.
The audit committee should meet regularly and privately with the internal auditor and should be comfortable that the internal audit staff has the appropriate training and supervision to stay professionally current. Also, the detail and frequency of the internal auditor reporting to the audit committee have increased at many companies over the past several years.
Not only can the audit committee use the provided internal audit reports in discharging its duties, internal audit is also often the audit committee’s eyes and ears on the ground, able to bring cultural insights from across the organization. Where such a function exists, a good working relationship between the audit committee and internal audit is of fundamental importance.
As the role of internal audit is to evaluate and improve the effectiveness of risk management, internal controls and governance processes, a well-implemented function is a great asset to an audit committee. It’s important for the full committee to understand key topics addressed by internal audit so that all directors can fulfill their fiduciary duties and not unduly rely on the expertise of one or two directors.
Regular interaction between the audit committee and the internal auditor, whether or not a company outsources the function to a third-party service provider, is critical to the effective functioning of the internal audit group.
For Nasdaq, an internal audit function requirement is not specifically addressed; however, in practice, many Nasdaq-listed companies voluntarily establish an internal audit function reporting to the audit committee.
Oversee the performance of the company’s internal audit function (or other personnel responsible for the internal audit function) (NYSE‑specific)
The NYSE requires that listed companies maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company’s risk management processes and system of internal control. A listed company may choose to outsource — fully or partially — this function to a third-party service provider that is not its independent auditor. As such, audit committees are required to:
Oversight of internal audit
The audit committee chair plays a pivotal role in addressing conflicts that may arise between management and internal audit — especially with respect to budgetary or resource requests and the assessment of the magnitude and priority of findings. The strength of the chair’s relationship with both the CEO or CFO and the head of internal audit is fundamental in this context.
Audit Committee chair considerations
Questions for consideration
1. How does the audit committee confirm that internal audit sourcing arrangements and activities remain appropriate for the strategic objectives and most significant risks of the company?
2. How has the audit committee considered changes that might impact internal audit’s charter and mandate?
3. Have there been changes to the business or key risks that have resulted in changes to internal audit’s plan?
4. What information does the audit committee receive that allows it to assess the caliber of internal audit resources in relation to staff, skill sets and technology?
5. Has internal audit disclosed any potential concerns that could indicate independence is impaired?
6. How are the company’s internal audit and risk functions leveraging data and leading-edge analytics to achieve objectives and monitor risks?
7. How confident is the audit committee that the head of internal audit will bring all potential matters of significance involving management to its attention?
8. How well does the audit committee understand the levels of confirmation provided by internal audit activities over the course of the year and the risk coverage that the activities achieved?
9. How can internal audit better help the board understand the overall health of the internal control environment in the company?
10. Has internal audit confirmed that the organization’s cybersecurity program is aligned to business risks and has it evaluated the maturity of the program against defined frameworks, peers and leading practices?
11. What does management’s attitude toward actioning internal audit recommendations tell the audit committee about the risk culture within the organization?
12. How has the audit committee assessed the quality of internal audit’s work? How is it monitoring whether any recommendations are being adequately implemented?
13. Are internal audits conducted in conformance with The Institute of Internal Auditors’ Global Internal Audit Standards?
Any side letters, amendments to the engagement agreement or any other agreements, whether oral, written or otherwise, relating to the service between the independent audit firm and the US SEC audit client
The fee structure for the engagement (e.g., hourly‑based, fixed fee)
In seeking audit committee preapproval for tax services and non-audit services related to internal control over financial reporting, PCAOB Rules 3524 and 3525, respectively, require that the independent auditor describe the scope of the proposed service in writing to the audit committee. In addition, with respect to preapproval of tax services, independent auditors should describe in writing to the audit committee:
SOX Section 201 makes it unlawful for audit firms to perform nine specifically listed categories of non‑audit services for public companies they audit. Audit firms are not prohibited from performing any other non‑audit service for a public audit company, as long as such services are preapproved by the company’s audit committee. SOX Section 202 requires audit committees to preapprove all audit and non-audit services.
Preapproval of audit and non-audit services
Other matters arising from the audit that are significant to the oversight of the company’s financial reporting process
Any significant difficulties encountered during the audit
Any disagreements with management about matters, whether or not satisfactorily resolved, that individually or in the aggregate could be significant to the company’s financial statements or the auditor’s report
Any departures from the auditor’s standard report
Other material written communications between the auditor and management
Any corrected misstatements that might not have been detected except through the audit and the implications that such corrected misstatements might have on the company’s financial reporting process
The schedule of uncorrected misstatements related to accounts and disclosures that the auditor presented to management
Certain matters relating to the auditor’s evaluation of the company’s ability to continue as a going concern
Views on any matters of concern on which management consulted with other accountants
Matters that are difficult or contentious for which the auditor consulted outside the engagement team and that the auditor reasonably determined are relevant to the audit committee’s oversight of the financial reporting process
Alternative accounting treatments
New accounting pronouncements
Financial statement presentations
Significant unusual transactions
Critical accounting estimates
Critical accounting policies and practices
Significant accounting policies and practices
In regard to the results of the audit, in accordance with PCAOB AS 16, the independent auditor should communicate to the audit committee regarding:
Whether the audit committee is aware of matters relevant to the audit, such as possible violations of laws or regulations
The audit strategy, timing and significant risks identified in the auditor’s risk assessment (with any significant changes to the strategy communicated on an ongoing basis)
The terms, objectives and responsibilities related to the audit engagement, including in an engagement letter to be provided annually
Any significant issues that the auditor discussed with management in connection with the appointment or retention of the auditor, including significant discussions regarding the application of accounting principles and auditing standards
The PCAOB was established under SOX and sets standards for public company audits. Upon appointment or retention, PCAOB AS 16 stipulates that the auditor should communicate with the audit committee regarding:
Reporting from the independent auditor
The Center for Audit Quality has released a tool to assist audit committees in their evaluation of the independent auditor. The tool includes sample questions, including those designed to assess the independent auditor’s quality of service, communication and independence.
Audit committees also should consider communicating to shareholders the process and related rigor involved in performing an annual evaluation of the auditor and explain the process, scope and results of their assessment.
Audit committee members should evaluate the auditor’s performance throughout the audit process, noting such items as the auditor’s skepticism in evaluating unusual transactions or responsiveness to issues. These contemporaneous assessments provide important input into the annual evaluation process.
The annual auditor assessment should draw on the audit committee’s experience with the auditor during the current engagement (presentations; reports; dialogue during formal, ad hoc and executive sessions). It is appropriate to obtain observations on the auditor from others within the company, including management and internal audit, accompanied by discussions with key personnel interacting with the independent auditors.
Each year, the audit committee should evaluate the independent auditor to make an informed decision regarding whether to retain the auditor. The evaluation should encompass an assessment of the auditor’s qualifications and performance; the quality and candor of the auditor’s communications with the audit committee and the company; and the auditor’s independence, objectivity and professional skepticism.
Annual evaluation of the independent auditor
Candid and open communication between the independent auditor and audit committee is imperative for a successful relationship. To improve oversight of the audit process, audit committees often arrange meetings with the independent auditor throughout the year to encourage candid and open communication and information flow.
When it comes to overseeing the work of the independent auditor, a typical audit cycle involves the following core stages: planning and risk assessment; execution of interim procedures, including consideration of processes and controls testing where relevant; year-end testing, including procedures relating to the annual report; and sharing of observations on areas for potential improvement noted during the audit, including those relating to internal controls over financial reporting.
The audit committee should discuss with the independent auditor whether and how AI is used in performing the audit and how this is being done appropriately and reliably. The audit committee should also understand how AI impacts the audit team’s overall talent strategy, audit methodology and regulatory considerations.
Separately, the audit committee should evaluate the mix of proposed procedures (i.e., controls testing, data analytics, use of forensic capabilities) and locations where these will be performed.
The proposed timing of the procedures allows for reporting of issues early enough to enable their orderly resolution
There will be sufficient involvement of relevant experts and that the audit committee will have access to those experts it may wish to hear from directly
The resourcing of the engagement assumes adequate involvement from executive team members
Compared with the prior year, the plan has adequately evolved in response to changes in the business
The reasons for any divergence between the auditor’s assessment of the company’s risk profile and the audit committee’s own understanding are clearly explained and that no risks of concern to the audit committee have been missed
When scrutinizing the audit plan, the audit committee should, among other considerations, confirm that:
Independent auditors determine the audit scope and discuss the scope with the audit committee. This discussion allows the audit committee to confirm that the audit scope has not been affected by pressures from management. Audit committees also can ask independent auditors to perform more work in certain areas where they may have additional concerns.
Overseeing the independent auditor’s work
Under PCAOB Rule 3526, Communication with Audit Committees Concerning Independence, auditors must affirm their independence and compliance with PCAOB independence rules before accepting an initial engagement and thereafter, at least annually.
The auditor must be independent in fact, as well as in appearance. It is not enough for the auditor to abide by all the de facto independence requirements set out in legislation and professional standards. The auditor also needs to avoid any actions that could create a perception that independence might have been impaired. While the onus is on the independent auditor to police its own independence, the audit committee has a crucial role to play in challenging and supporting how the auditor goes about doing this.
The NYSE specifies that audit committees must assist the board in overseeing the independent auditor’s qualifications and independence. Independence standards for audit firms are set by the SEC, PCAOB and the International Ethics Standards Board for Accountants (IESBA) when applicable. Common issues that may impact independence include providing certain types of non-audit services, the relative value of fees earned from services other than the audit, relationships between the auditor and the organization and the duration of involvement of the audit firm and individual audit team members in the particular engagement.
Specifically, the audit committee must:
Carry direct responsibility for the appointment, compensation and retention of the independent auditor, as well as oversight of the independent auditor’s work (including resolution of disagreements between management and the auditor regarding financial reporting) (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Receive reporting directly from the independent auditor (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Regularly review with the independent auditor any audit problems or difficulties in the course of the audit, including regarding restrictions on scope and access to information, and management’s response (NYSE‑specific)
At least annually, obtain and review a report by the independent auditor describing the auditor’s internal quality control procedures, any material issues raised in internal quality control reviews and any steps taken to address those issues, as well as all relationships between the auditor and the company (NYSE‑specific)
Set clear hiring policies for employees or former employees of the independent auditors (NYSE‑specific)
Preapprove all audit and non-audit services (PCAOB Rules 3524 and 3525, applicable to both NYSE and Nasdaq companies)
Audit committees play a critical role in overseeing the independent auditor and evaluating audit quality. The primary objective of an independent audit is to provide independent assurance, based on professional standards, that a company’s financial statements are free from material misstatement and give a fair representation of its financial performance and position and are therefore a good basis for decision-making. Fundamental to this objective is the independent auditor’s independence, which requires a direct reporting line between the auditor and the audit committee. The audit committee, not the CFO, owns the relationship with the independent auditor and is responsible for the appointment, compensation and oversight of the independent auditor.
Oversight of the independent audit
In the case of reappointment, the audit committee would review the findings of the annual evaluation of the performance of the independent auditor (see “Annual evaluation of the independent auditor” for more on this).
Selection criteria can be divided into essential and preferred criteria, and can include:
Accounting and auditing technical ability, combined with experience in the industry
Geographical presence
Application of technological advancements to audit methodology
Caliber of proposed lead partner and engagement team, considering both competence and chemistry
Value for money
The process may include:
Partner interviews (by audit committee and by management)
Visits to company locations by participating bidders
Management meetings at the company’s head office
Technical challenge
Written submissions
Oral presentations
Advising on the appointment and retention of the independent auditor is one of the audit committee’s most important tasks. While audit committees lead the audit tender, management’s role is vital to the project’s ultimate success and goes beyond administrative tasks. Executives, including the CFO, and often the broader finance function, should be involved in recommending criteria and conducting their own evaluations of the external auditor. At the end of the tender process, the audit committee is commonly expected to present the board with two choices and its preference.
Appointment and independence of the independent auditor
The NYSE also requires the audit committee to set clear hiring policies for employees or former employees of the independent auditors.
Additionally, the NYSE requires the audit committee, at least annually, to obtain and review a report by the independent auditor describing:
The firm’s internal quality control procedures
Any material issues raised by the most recent internal quality control review, or peer review, of the firm, or by any inquiry or investigation by governmental or professional authorities, within the preceding five years, respecting one or more independent audits carried out by the firm, and any steps taken to deal with any such issues
All relationships between the independent auditor and the listed company (to assess the auditor’s independence)
Questions for consideration
1. Does the committee have a clear, common understanding of an indicative time frame for when the next audit tender process might be run and for which financial year-end?
2. How comprehensive and effective is the committee process for assessing the quality, value and overall performance (in the case of retention) of the independent auditor?
3. How effectively is the audit committee overseeing the ways in which management is factoring in independence considerations when awarding service contracts to independent audit providers?
Questions for consideration
1. What practices can be implemented to enhance audit quality and foster the delivery of a high-quality, effective and efficient audit?
2. Has the audit committee thoroughly considered the extent of procedures the external auditor should perform over interim financial information, if any?
3. How did the audit committee assess whether the audit fee is commensurate with the planned effort?
The audit committee chair will seek to establish and maintain a culture and policy of open dialogue with management and the internal and external auditors. They will establish expectations about the nature and method of communication and exchange of insights, including an annual agenda with the independent auditor.
Audit Committee chair considerations
Audit committee chairs often meet with the lead audit partner between meetings, or before each meeting, to better understand the most important issues and risks impacting the audit and the overall business. Audit committee chairs should routinely provide formal and informal feedback to auditors to improve the audit process and enhance the transparency of two-way communication between audit committees and the auditor.
Audit Committee chair considerations
Questions for consideration
1. How confident is the audit committee in their assessment of whether the audit plan was effectively executed and that procedures performed were sufficient to reach an audit opinion?
2. How effective are the processes the audit committee has put in place to assess audit quality throughout the year? Which data points and other inputs support the assessment?
3. How confident is the audit committee in the independent auditor’s ability to comply with the PCAOB QC 1000 and other standards?
Finally, the Center for Audit Quality has developed a Practice Aid that encourages all audit firms to proactively and robustly communicate with the audit committee any audit deficiencies identified by a PCAOB or internal inspection of the issuer’s audit engagement. The PCAOB also encourages audit committees to ask independent auditors about their inspection processes, findings and quality control procedures.
The NYSE affirms PCAOB AS 16 by requiring review with the independent auditor of any difficulties encountered in the course of the audit work, including any restrictions on scope or access to requested information, as well as any significant disagreements with management. NYSE listing rules guidance to Section 303A.07(b) suggests that among the items the audit committee may want to review with the auditor are:
Any accounting adjustments that were noted or proposed by the auditor but were “passed” (as immaterial or otherwise)
Any communications between the audit team and the audit firm’s national office respecting auditing or accounting issues presented by the engagement
Any “management” or “internal control” letter issued, or proposed to be issued, by the audit firm to the listed company
These communications can be provided either orally or in writing, unless otherwise specified within the standard. However, the auditor must document the communications in the workpapers, whether such communications took place orally or in writing. These communications should be made in a timely manner and prior to the issuance of the auditor’s report.
Regarding PCAOB AS 16 required communications, an auditor may communicate to only the audit committee chair if done in order to communicate matters in a timely manner during the audit. The auditor, however, should communicate such matters to the audit committee prior to the issuance of the auditor’s report.
Audit Committee chair considerations
Questions for consideration
1. How effectively does the audit committee hold the auditor accountable for providing the right communications at the right time?
2. How did the audit committee hold management accountable for addressing any findings from the interim phase of the audit in a timely manner and ahead of the year-end? What reporting did it receive regarding adjustments made to the audit plan in response to any such findings?
3. What role does the audit committee adopt in overseeing management’s response to observations provided by the independent auditor and any audit differences that were identified?
Questions for consideration
1. Is the policy covering the awarding of non-audit services to the independent auditor sufficiently clear, comprehensive and actionable?
PCAOB rules require the auditor, rather than management, to directly seek preapproval of such services. The rules also require a discussion with the audit committee about, among other matters, the potential effects of the proposed service on the audit firm’s independence, and documentation of the substance of this discussion.
Any compensation arrangements or other agreements (such as a referral agreement, a referral fee or fee‑sharing arrangement) between the independent audit firm and any third party with respect to promoting, marketing or recommending a transaction covered by the proposed tax service. Affirmation that no such side letters, amendments, agreements or arrangements exist should be disclosed
Under SOX Section 307, the SEC established rules requiring attorneys to report evidence of material violations of securities laws or breaches of fiduciary duty or similar violations by the company to the issuer’s chief legal counsel or the CEO. If management does not appropriately respond to the evidence, the attorney must report the evidence to the board, the audit committee or another board committee comprised of solely outside directors. In light of these requirements, the audit committee should have an effective process to respond to any reports from the company’s attorneys about alleged violations of securities laws or breaches of fiduciary duties.
The NYSE and Nasdaq also both require an independent body of the board to review and oversee related-party transactions. If this oversight is assigned to the audit committee, then the committee should also understand management’s process for approval of, identification of and accounting for related-party transactions, paying particular attention to those that could pose a heightened risk for fraud. In accordance with PCAOB AS 2410, the auditor should communicate to the audit committee the auditor’s evaluation of the company’s identification of, accounting for and disclosure of its relationships and transactions with related parties.
The committee should carefully consider the accessibility of hotline and whistle-blower procedures to enable awareness and trust in the mechanisms. Note that the Dodd-Frank Act, passed in 2010, enhanced the SOX whistle-blower program, established a bounty program for whistle-blowers to receive a certain amount of the proceeds from a litigation settlement, broadened the definition of a covered employee and extended the time frame within which whistle-blowers can bring a claim after discovery of a violation.
Specific NYSE and Nasdaq requirements
NYSE
Each company shall adopt a code of conduct applicable to all directors, officers and employees.
The code must go beyond SOX Section 406 requirements to explicitly address:
Conflicts of interest
Corporate opportunities
Confidentiality
Fair dealing with customers, suppliers, competitors and employees
Protection and proper use of company assets
Compliance with laws, rules and regulations (including insider trading laws)
Encouraging reporting of any illegal or unethical behavior
Each code of business conduct and ethics must also contain compliance standards and procedures that will facilitate the effective operation of the code. These standards should enable the prompt and consistent action against violations of the code.
Many companies adopt one code of conduct and ethics that meets NYSE and SOX Section 406 requirements; other companies adopt separate codes for NYSE and SOX Section 406 purposes.
Nasdaq
Each company shall adopt a code of conduct applicable to all directors, officers and employees.
A code of conduct satisfying this rule must comply with the definition of a “code of ethics” set out in SOX Section 406.
Each code of conduct must also contain an enforcement mechanism that enables prompt and consistent enforcement of the code, protection for persons reporting questionable behavior, clear and objective standards for compliance, and a fair process by which to determine violations.
Audit committees are required to:
Establish procedures for receiving, retaining and treating complaints about accounting, controls and auditing matters, including complaints from those who wish to remain anonymous (Exchange Act Rule 10A‑3, applicable to both NYSE and Nasdaq companies)
Receive corporate attorneys’ reports of evidence of any material violation of securities laws or breaches of fiduciary duty (in connection with SOX Section 307, applicable to both NYSE and Nasdaq companies)
Assist board oversight of compliance with legal and regulatory requirements (NYSE‑specific)
Fraudulent financial reporting need not be the result of a grand plan or conspiracy. Individuals may rationalize the appropriateness of a misstatement, for example, as an aggressive rather than indefensible interpretation of complex accounting rules. Or they may see it as a temporary misstatement of financial statements, to be corrected later when operational results improve, or as something that is in the best interests of the company or the employees. But whatever the rationalization, these individuals would intend to mislead financial statement users.
Consider situations that may indicate improper earnings management, management override of controls and potential fraud related to revenue recognition. The committee may also seek to understand management’s compensation structure, such as incentive bonuses and stock plans, and consider whether the compensation structure might encourage inappropriate behavior to improve compensation.
Integral to financial reporting oversight is understanding how fraud risks are identified and assessed so that appropriate anti-fraud programs and processes can be established. To oversee anti-fraud controls effectively, the audit committee needs an understanding of the incentives and pressures that may lead management or employees to commit fraud or become involved in bribery and corruption, and of the overall impacts on financial reporting and related processes.
Oversight of fraud, compliance and ethics
Review of the fraud risk assessment should include consideration of new types of sophisticated fraud as well as how technologies may be able to support fraud analysis and defense.
The committee also needs to understand which measures have been put in place by management to prevent and detect fraud. A fraud risk assessment should be performed on a regular basis and be customized to address the specific circumstances of the organization (e.g., industry, geography, size). The audit committee should know the company’s tolerance for identified fraud risks and help align anti‑fraud procedures with the business strategy. While considering all these factors, the audit committee must then oversee the design, execution and monitoring of anti‑fraud controls.
Fraud can be accomplished through manipulating, falsifying or altering accounting records or supporting documents; providing incomplete or misleading disclosures; intentionally misapplying accounting principles; overriding management controls; or exerting other inappropriate influence over the financial reporting process.
By promoting integrity and bringing together insights from various aspects of its work — risk assessment, internal controls monitoring, whistle-blowing oversight and insights from external and internal audit — the audit committee creates a culture that discourages negative behaviors. The tone from the top within the audit committee starts with the audit committee chair, who must foster a culture of compliance and ethical conduct.
Audit Committee chair considerations
NYSE and Nasdaq also have specific requirements. See box below.
In regard to procedures for anonymous complaints related to ethics and conduct, SOX Section 406 requires companies to disclose whether or not they have adopted a code of ethics applicable to the principal executive officer, principal financial officer and controller or principal accounting officer (and, if not, why not) that includes standards reasonably necessary to deter wrongdoing and promote:
Honest and ethical conduct, including handling of actual or apparent conflicts of interest between personal and professional relationships
Full, fair, accurate, timely and understandable disclosure in SEC periodic reports and other public communications
Compliance with applicable governmental laws, rules and regulations
Prompt internal reporting of code violations; and accountability for code adherence
The audit committee’s relationship with the company’s general counsel is evolving. Audit committees and boards are increasingly looking to the general counsel not only for legal advice, but also for business advice. And as a corporate leader, the general counsel helps to set the organization’s tone and culture. The general counsel can help the company better understand its disclosure obligations under the SEC statutes, and can help it prepare for any potential investigations in the event of a whistle-blowing claim, for example.
The audit committee may also assist the board in monitoring compliance with laws and regulations. This may include an assessment of whether the company has an effective compliance and ethics program (e.g., based on the Federal Sentencing Guidelines Manual). In addition to reviewing reports from regulators about company compliance, the audit committee should meet periodically with compliance officers and the general counsel to better understand the company’s compliance process.
Nasdaq requires that the code of business conduct and ethics be publicly available as per SEC Regulation S-K. SEC Regulation S-K (Item 406) requires the SOX Section 406 code to be made publicly available by (a) filing it as an exhibit to the annual report, (b) posting it on the company’s website (provided the company has disclosed in its most recently filed annual report its website address and its intention to provide disclosure in this manner) or (c) undertaking in the annual report to provide a copy to any person upon request.
Disclosure note
The NYSE requires that the code be publicly available on the company website (with reference from the proxy statement or Form 10-K).
Questions for consideration
1. How effectively has the committee cultivated and demonstrated an honest and ethical corporate culture and tone from the top?
2. Does the committee have a reasonable basis on which to know that the company’s attitude toward fraud is understood throughout the company and that management maintains an appropriate culture?
3. How rigorously has the committee analyzed outcomes of the organization’s fraud risk assessment and considered implications for its remit, including understanding which fraud risks are of the highest priority?
4. How comfortable is the committee in its understanding of technology for fraud prevention, monitoring and detection?
5. Has the committee determined a consistent and considered approach for reviewing hotline and whistle-blower reports in terms of level of detail?
6. How effectively has the audit committee assessed access to whistle-blower hotlines and the implications of whistle-blowing cases on internal controls and corporate reporting?
7. How clear and comprehensive are updates from management about reports or inquiries from regulators or other outside parties (e.g., SEC, Internal Revenue Service) and its responses to those reports?
8. How well does the committee understand the company’s compliance process?
9. How clear, timely and effective are updates from the general counsel on legal and regulatory matters that may have a material effect on financial statements?
Where risks have been transferred rather than reduced, the audit committee may occasionally ask to receive updates from management on major insurance programs. Some risks cannot be successfully reduced or insured against in a cost-effective manner. In such cases, the audit committee may need to recommend to the board an orderly withdrawal from certain activities. When that is not an option, the audit committee may require management to provide more frequent and detailed confirmations that contingency and disaster recovery plans are being kept up to date. It’s also important to consider the upside and opportunities that taking certain risks might present and how the audit committee can support agility and resilience.
Risk management is about accepting a risk but undertaking actions to reduce its severity to tolerable levels (within risk appetite). The overall culture of the organization, and its focus on integrity and compliance, is one of the most important ways to manage risk. The management of enterprise risks will vary depending on the nature of the risk. For example, external risks that are outside of the direct control of the organization may be managed by confirming that effective business continuity, disaster recovery and crisis management plans are in place. Downside risks, where there is limited to no appetite for risk, will be managed through policies, procedures and internal control systems, including entity-level controls. At a process level, the principal means of managing risks is through the operation of a system of effective internal controls.
Oversight of policies regarding risk management
New or future risks, with a potential impact that is not yet reliably understood or known, but where the assessment indicates it could be high, are often referred to as “emerging risks.” The implications of emerging risks are difficult to assess, and the expectation is that they will evolve over time. They may dissipate altogether, exacerbate existing principal risks or evolve into stand-alone risks. Companies need to put in place specific processes to identify emerging risks and monitor their evolution. Often, this involves horizon scanning by the second line and the use of future-back scenarios. Audit committee members, by virtue of not being embedded within the business, can bring fresh perspectives to the emerging risk assessment.
Audit committees should assess the company’s risk assessment and risk management policies and determine a cadence for appropriate reporting, including on how management is identifying, monitoring and reducing the company’s key risks. The audit committee will need to devote time to understand the profile of principal risks, how various risks are interconnected and how the connections are being tracked. Not only can the impact of multiple interconnected risks converging exceed the sum of each part, but interconnectedness can also accelerate the speed with which the risks materialize. Audit committees may also encourage management to conduct a scenario analysis in order to understand the amplified impact of correlated risks.
Discussing policies regarding risk assessment
If the audit committee takes on oversight of too many risks beyond those directly related to financial reporting, it may struggle to adequately discharge its other core duties. For this reason, oversight of some risks may be delegated by the board to other committees. However, even in those situations, the audit committee will typically act as an integrator of most, if not all, risks. This reflects the fact that all risk factors can potentially impact the financial results and the viability of the business. For example, as it relates to AI, the audit committee should at a minimum understand how AI is being used and can be used to support financial reporting processes and the risks associated with those uses. AI can be used, for instance, for automation of routine tasks, real-time data analysis to detect fraud, compliance monitoring and forecasting for financial planning.
Related to the banking industry, among other expectations, the Federal Reserve SR 21-3 / CA 21-1: Supervisory Guidance on Board of Directors’ Effectiveness¹ states that an effective board of directors, through its risk and audit committees, assesses and supports the stature and independence of the organization’s independent risk management and internal audit functions. Also, an effective risk committee and an effective audit committee engage in robust inquiry into, among other matters, the causes and consequences of material or persistent breaches of the organization’s risk appetite and risk limits.
Guidance on risk management from the Federal Reserve and Office of the Comptroller of the Currency
Other risk topics sometimes under audit committee purview include finance transformation, tax, trade and supply chains, technology and innovation, and policy and regulatory matters.
Generally, while the audit committee’s primary focus is on risks that affect the financial statements as well as ethics and compliance, some boards delegate other aspects of risk oversight to the audit committee (for example, cybersecurity, AI or sustainability, including assurance and internal controls for disclosed sustainability information and metrics). Note that this would exclude those organizations that are required under Dodd-Frank to have risk committees. Some others have an “audit and risk committee.”
Traditionally, audit committees were concerned with oversight of risks related to financial reporting and the related internal controls over financial reporting. Today, however, the role of many audit committees extends beyond this, with the audit committee taking on a risk oversight role more significant than that played by other board committees. The NYSE governance standards recognize that the audit committee is “not the sole body responsible for risk.” However, the standards do require that the audit committee:
Discuss policies regarding risk assessment and management (NYSE‑specific)
Oversight of risk management
Similar to the required disclosure on board oversight of risk noted at the beginning of Section 4, there is also an SEC-required disclosure (Item 106(c) of Regulation S-K) specifically on the board of directors’ oversight of cyber risks. This includes, but is not limited to, the requirement that companies describe the board of directors’ oversight of risks from cybersecurity threats and whether any persons or committee report information about such risks to the board of directors or a committee of the board.
Disclosure note
When joining an audit committee, it’s important to obtain a clear understanding of how the audit committee supports the board in its oversight of risk, which varies between companies and can change over time.
To remain apprised of the risk universe, the audit committee may occasionally hold joint meetings with the other committees, organize joint deep dives into a particular risk area and recommend to the board that overlapping members be nominated to the relevant committees. Risks brought under the oversight of the audit committee will also influence which additional members of management the committee may interact with.
Questions for consideration
1. How clear, comprehensive, timely and understandable are updates from management on the specific risk factors that are the primary responsibility of the committee? Are there any required enhancements?
2. Does the audit committee confirm that the discussion of existing risks leaves sufficient time to debate emerging ones?
3. How confident is the audit committee that it understands both the evolution of risks and their interconnectedness?
Leading practice audit committees may:
Periodically reassess the list of top risks, determining who in management and which board committees are responsible for each
Require regular reporting of key risk indicators (KRIs) to gain data-driven insights into the company’s risk landscape
Meet directly with key executives responsible for risk management and have some exposure to management below the executive level
Clearly require management to inform the committee of extraordinary risk issues and developments that require the committee’s immediate attention outside of the regular reporting process
Understand the use, if any, of emerging technologies, as well as their relevance to the company and the associated risks
Understand whether IT security processes are updated appropriately
Determine whether the company has an appropriate business continuity plan that has been tested
Leverage COSO frameworks and guidance related to enterprise risk management
Questions for consideration
1. Does the committee discuss guidelines and policies to govern the process that the company uses to address and manage its exposure to risk?
2. How well does the committee understand how the company has defined its risk appetite and risk tolerance?
3. Does the committee assess whether the company has an appropriate business continuity plan that has been tested?
4. How regularly does the audit committee interact with the head of the risk function? To what extent is this occasionally supplemented with reporting from other representatives of the first and second lines, e.g., when the audit committee commissions a deep dive into a particular risk area?
¹ For Boards of Directors of Domestic Bank and Savings and Loan Holding Companies with Total Consolidated Assets of $100 Billion or More (Excluding Intermediate Holding Companies of Foreign Banking Organizations Established Pursuant to the Federal Reserve’s Regulation YY) and Systemically Important Nonbank Financial Companies Designated by the Financial Stability Oversight Council for Supervision by the Federal Reserve.
Meetings and preliminary agendas are generally planned for at least a year ahead, reflecting the structure of the audit committee’s annual work plan. A meeting planner will be based on the committee charter and set out the timing and requirements for covering each of the committee’s responsibilities. This planner can be shared with directors at each meeting to orient them to the overall context of the meeting, enable them to suggest updates as needed and help them find relevant previous reports, as they can easily see when an item was last discussed.
Meetings and executive sessions
Upholding effectiveness – operations and self-evaluation
With such important responsibilities and an increasing workload, effective functioning of the audit committee is very important.
Specifically, the audit committee is required to:
Meet separately with management, internal auditors and independent auditors on a periodic basis (NYSE‑specific)
Report regularly to the board of directors (NYSE‑specific)
Evaluate the audit committee annually (NYSE‑specific)
Have the authority to engage independent counsel and other advisors, as it deems necessary, to help it carry out its duties (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
However, there are many important aspects that make an effective audit committee.
The committee should have a process for confirming that they have access to the above information, which will include but not be limited to, the charter and recent audit committee meeting minutes. New audit committee members can also benefit from meeting with key individuals such as the CFO, chief audit executive or head of internal audit, lead independent audit partner, general counsel, chief risk officer and chief information officer. A formalized and tailored process needs to be responsive to the member’s experiences and skills.
Pending litigation or contingencies
Management’s background, reporting structure and responsibilities
The scope of the current-ye ar external audit and the timing of reports issued
Internal audit’s responsibilities, background and plan
The intersection of accounting policies with judgmental areas of the company’s financial statements
Key accounting policies and any principles and practices unique to the company’s industry
The internal control (including key risks) and financial reporting process
The audit committee’s requirements and objectives (including extent of involvement in oversight of risk) and the timing of reporting requirements
First, audit committees should confirm that onboarding processes are comprehensive and practical. Before their first meeting, in addition to overall board member orientation that will include key duties of directors and overall business context, new audit committee members should understand:
Onboarding
Code of conduct and whistle-blower policy provisions
Regulatory considerations applicable to the sector
Most recently, the average number of meetings of audit committees in the S&P 500 has been eight per year. The proposed schedule for meetings will be aligned to a company’s reporting cycle and linked to the timing of the audit committee chair’s presentations to the full board. The meeting planner will highlight whether the frequency of meetings is appropriate to allow sufficient interval for agreed actions to be addressed and delivered on. For example, the timing of the meeting at which the audit committee will be discussing the annual report needs to be planned sufficiently in advance of final approvals to allow for any arising actions to be taken forward. If not, this can create a sense of urgency and therefore pressure that could result in identified concerns not being properly dealt with.
A significant amount of effort is required to confirm that topical and ad hoc matters find their way onto the agenda and are adequately addressed. Very importantly, any concerns the external auditor may have with respect to internal controls and financial reporting need to be brought to the audit committee’s attention ahead of the meeting. The audit committee should regularly engage with management, internal audit and external audit between official committee meetings.
Giving the external auditor access to the entire audit committee meeting provides them with visibility into areas of the business that are fundamentally important to conduct a high-quality audit. It also signals to other attendees the strength of the relationship between the audit committee and the external auditor. Similar considerations apply to the head of internal audit.
Meet separately with management, internal auditors and independent auditors on a periodic basis (NYSE‑specific)
Other members of management tend to be invited for specific sessions only — as part of a deep dive or a topical presentation. Invitees can include the finance department, the general counsel and heads of compliance and risk, and ethics officers. Many audit committees are expanding these lines of communication to include business unit leaders, treasury and tax functions and the chief information officer.
It is common for the CFO (or equivalent) to have a standing invitation to audit committee meetings. The CFO will often stay for the entire duration, except for time allocated specifically for the committee to meet without management present. This reflects the ongoing importance of finance-related topics to the committee’s agenda. It is also typical for the CEO, board chair or lead independent director to be invited to meetings and not uncommon for them to participate.
In addition, the audit committee as a whole is required to:
Audit committees tend to hold executive sessions with the external and internal auditors as a means of reinforcing their independence. Executive sessions can create an air of secrecy, so allocating time for these as part of the calendarization normalizes the practice. For example, meetings with the external auditor without management present should be added as a standing item at least for the audit committee meeting during which year-end results are being discussed.
Additionally, the committee should be cognizant of reporting lines between management providing input to the audit committee and the executive directors who may be present. While there are some standing topics that the audit committee meets to discuss without management present (e.g., with the external auditor), the committee needs to consider whether the presence of the CFO or CEO could compromise the willingness of members of management to speak freely and bring concerns to the audit committee.
Some companies create a template for meeting summaries for the purposes of committee reporting to the board with a focus on significant updates, decisions made and matters requiring board approval. It’s important to avoid repeating full discussions that already took place at the committee level and focus on outcomes and recommendations.
Report regularly to the board of directors (NYSE‑specific)
The committee is also required to:
Consider standard sections for the narrative summary such as highlights, trends from internal audit activity during the quarter and emerging risks identified during the quarter. Regarding risk, many committees utilize a dashboard approach with changes from the previous quarter highlighted to get an overall picture of the risk profile with periodic deep dives on key risk areas and key risk reductions. Include trends or publicly available financial peer data to contextualize risk reporting and better align with board-approved risk appetite statement and metrics. Exercise rigor before expanding reporting to assess whether new metrics truly add value. Reevaluating the degree to which indicators are backward- vs. forward-looking and balancing of key performance vs. risk indicators is often needed.
The quality of the audit committee meeting materials is fundamentally important to members’ ability to effectively prepare for meetings. Materials need to provide the appropriate level of detail for the oversight role held by the audit committee and not stray into management territory. They need to include information, not raw data, and should not include jargon that impedes understandability. It’s important to clearly communicate the committee’s information needs to tailor management reporting appropriately. Specifically, the committee should be clear on which topics should appear before the committee, in what format and level of detail and at which frequency to drive consistency as much as possible. The corporate secretary should confirm that documents are provided in a consistent, standardized format.
Materials and reporting to the board
Ongoing education and external insights
Have the authority to engage independent counsel and other advisors, as it deems necessary, to help it carry out its duties (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Committee members can educate themselves by enrolling in external courses and seminars, as well as by interacting with management, internal auditors, independent auditors and other directors. In addition, many companies invite subject-matter professionals to give presentations at audit committee meetings, allowing members to keep up with current topics. The committee should access external, independent insights as needed and, as previously noted, audit committees:
Given the pace of change, dynamic business environment and emerging risks, audit committees should focus on ongoing education that addresses critical topics relevant to the committee’s needs and incorporate company-specific processes and objectives. Because audit committee members are expected to be financially literate, it’s important for them to keep abreast of accounting and financial reporting developments, as well as any regulatory changes. Additionally, it is critical for the full committee to understand key topics so that all directors can fulfill their fiduciary duties and not unduly rely on the expertise of one or two directors.
In addition, audit committees may want to consider introducing a mechanism for continuous real-time evaluation. For example, post-meeting feedback could be encouraged or required by way of one-to-one check-ins, debrief discussions at the end of the meeting or the circulation of a brief, written survey with feedback questions regarding materials, time management, dialogue and agenda focus. Data from this feedback can support chairs in their role and support the annual self‑assessment process.
Regardless of whether it is a formal requirement, many boards consider undergoing a regular performance review to be good practice. The review can be internally or externally facilitated. It is not uncommon for the approach to be rotated, with a self-evaluation conducted annually and an external evaluation conducted every two or three years. When the evaluation is internally facilitated, it is commonly administered by the corporate secretary or general counsel under the direction of the chair. When an external facilitator is appointed, this will generally be done as part of the overall board evaluation processes. The process may include questionnaires, interviews or meeting observations. It may also include individual peer-to-peer assessment and feedback. Consider also gathering insight and feedback from key individuals with whom the committee interacts. An example self-assessment questionnaire can be found here. The committee should review the findings, determine key actions it wishes to take forward, and create a plan for implementing these.
Companies on the NYSE are required to:
Evaluating audit committee effectiveness
Evaluate the audit committee annually (NYSE‑specific)
Questions for consideration
1. Is the onboarding process rigorous, comprehensive and well-organized?
2. Are there any topics or activities that should be added to the onboarding program for future new committee members?
Audit Committee chair considerations
The audit committee chair will focus on encouraging dialogue and discussion in which all voices are included and on keeping the committee on track with the agenda. Typical quarterly audit committee meetings range from two to four hours, and it’s important to keep directors engaged by not allowing meetings to go too long. Consider putting the most important topics at the beginning of the agenda to make sure they get full attention before the more routine matters.
Questions for consideration
1. Are committee agendas appropriately planned and organized with a balance between past and future focus? Are there topics the committee should spend more time on?
2. How effectively does the committee balance time spent on presentation of materials vs. time spent on discussion and dialogue?
3. Do all committee members participate and is there a culture of openness and constructive dialogue?
4. How effective is time management within meetings?
5. Are executive sessions appropriately planned and organized? Are the right people in the room at the right times?
Audit Committee chair considerations
Agendas need to be set by the audit committee chair, with input from committee members. Management plays a dominant role in preparing the information presented to directors, so the CFO or other members of management should also provide input into the process.
Audit Committee chair considerations
Pre-meeting discussions are often held by the audit committee chair, giving them an opportunity to gain deeper knowledge of the areas to be discussed. In actual committee meetings, the audit committee chair should be conscious not to glide over matters that other members may not have a similar understanding of.
Audit Committee chair considerations
In addition, the chair may need to hold one‑on‑one meetings with those involved in delivering presentations, to inform them about the types of questions and challenges they should expect so that they can be well prepared.
Questions for consideration
1. How clearly has the committee communicated its information needs and how responsive has management been to feedback?
2. Are committee materials digestible, understandable, actionable and provided with sufficient time ahead of meetings?
3. How effective is the reporting structure and layout utilized to convey information clearly and consistently?
4. Is the purpose for materials and discussions clear in terms of whether the board needs to discuss, advise or approve?
5. Are committee ‘report-outs’ to the board as comprehensive and succinct as possible?
Questions for consideration
1. How regularly and effectively does the audit committee obtain independent insights on specific topics to allow for robust challenge of management?
2. Are there other topic areas that would be useful to cover in more detail for the committee’s education?
Audit Committee chair considerations
The chair would be responsible for reviewing post-meeting feedback and providing appropriate feedback to parties. The chair may also provide additional coaching and mentoring during pre‑meetings with relevant parties.
Questions for consideration
1. How comprehensively does the audit committee review its own performance and operations?
2. How effectively are opportunities for timely, regular feedback provided outside of any annual assessment?
3. How open is the committee to feedback and continuous improvement?
Audit Committee chair considerations
Even in cases where individual peer-to-peer assessment is not included in the scope of an assessment, the process will usually include some degree of assessment of the effectiveness of the chair of the committee. In the spirit of continuous feedback, the chair should be open to feedback and find ways to implement feedback.