EY Center for Board Matters
The EY guide for US audit committees
Contents
Introduction
Overview
How to read the guide
Sources of audit committee requirements
Foundations for strong governance
Establishing the framework — the audit committee’s oversight role
The Foundations
The Team
Oversight
Effectiveness
Upholding effectiveness — operations and self-evaluation
Audit committees serve as a cornerstone of corporate governance, underpinning trust in capital markets. By rigorously overseeing the integrity of financial statements, internal controls and the independence and performance of external auditors, they help confirm that investors can rely on the numbers.
Their remit also includes monitoring company risk, internal audit (where applicable) and compliance with laws and regulations — making them essential to sustaining investor confidence and market credibility. The role of audit committees has also been evolving, with some audit committees expanding oversight of nonfinancial risks, including areas such as cybersecurity, and aspects of artificial intelligence (AI) and sustainability reporting.
There are many sources of requirements governing audit committees, as well as evolving leading practices, which can be challenging to get to grips with as a new audit committee member. This guide enables an understanding of audit committees from the ground up — “why” the audit committee exists, “who” should be around the table, “what” considerations should be made in each area of oversight and “how” audit committees can operate effectively and evaluate their effectiveness.
How to read the guide
In each section, the guide includes considerations for those in the role of audit committee chair, questions for committee consideration and other notes regarding key disclosure requirements, in the following formats:
Audit committee chair considerations
Questions for consideration
Disclosure notes
Other callout boxes relate to detailed stock exchange requirements, financial services-specific considerations or accommodations for newly listed companies.
While the information in this guide is geared to audit committees of companies publicly listed in the US, it may also be helpful for those serving private companies, IPO-bound companies or nonprofit organizations.
Sources of audit committee requirements
Audit committees of companies publicly listed in the US are subject to federal laws, including the Securities Exchange Act of 1934 (Exchange Act), Sarbanes-Oxley Act of 2002 (SOX), Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank), and rules set forth by the Securities and Exchange Commission (SEC), as well as the stock exchange relevant to each company. Note that the listing standards of the New York Stock Exchange (NYSE) and Nasdaq are similar but not identical. Additionally, rules and standards for independent auditors under the Public Company Accounting Oversight Board (PCAOB) have implications for audit committees.
Where stock exchange and other requirements are described, please note that there are exemptions to certain rules for certain companies, including, but not limited to, foreign private issuers (FPIs) and closed-end funds, which are not detailed here.
The Foundations
Understanding the foundations — responsibilities and charter
General requirements
The passage of the Sarbanes-Oxley Act of 2002 (SOX), following numerous high-profile accounting scandals, significantly changed the role of the audit committee with the aim of improving financial reporting accuracy and reducing fraud. SOX Section 301 amended SEC rules to require that every company listed on the NYSE or Nasdaq have an independent audit committee or its equivalent as part of its board of directors.
The Exchange Act explains “the term ‘audit committee’ means — (A) a committee (or equivalent body) established by and amongst the board of directors of an issuer for the purpose of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer; and (B) if no such committee exists with respect to an issuer, the entire board of directors of the issuer.”
The SEC requires that every US company listed on an exchange have an independent audit committee or its equivalent as part of its board of directors. As an audit committee member, it’s important to understand the rules and regulations designed to guide audit committee members in the performance of their oversight role.
Key responsibilities
In general, the audit committee is at least required to support the board in its oversight of:
Risk management: evaluating the company’s risk management systems and internal controls
Financial reporting: overseeing the integrity of a company’s financial statements, financial reporting processes and internal control over financial reporting
External audit: overseeing the engagement, qualifications, independence, compensation and performance of the company’s independent auditor
Internal audit: establishing, approving and supporting the mandate of the internal audit function
Compliance and ethics: the company’s compliance with legal and regulatory requirements, including establishing and maintaining whistle-blower procedures for handling complaints about accounting and auditing matters
Key audit committee responsibilities include:
The minimum role of the audit committee is set out in the Exchange Act, with other responsibilities primarily based in NYSE, Nasdaq and SOX rules. Note that the NYSE has more detailed role requirements for the audit committee; however, Nasdaq companies may voluntarily apply some or all NYSE standards.
Oversight of financial reporting and related disclosures
Oversight of accounting and financial reporting processes (Exchange Act, applicable to both NYSE and Nasdaq companies)
Review and discuss the annual audited financial statements and quarterly financial statements with management and the independent auditor, including the company’s specific disclosures under “Management’s Discussion and Analysis of Financial Condition and Results of Operations” (NYSE‑specific)
Discuss the company’s earnings and press releases, as well as financial information and earnings guidance provided to analysts and rating agencies (NYSE‑specific)
Oversight of internal control over financial reporting (ICFR)
Review management’s evaluation and reporting on the effectiveness of ICFR as well as the independent auditor’s attestation and report on management’s assessment of its internal controls (in connection with SOX Section 404, applicable to both NYSE and Nasdaq companies)
Review Chief Executive Officer (CEO) and Chief Financial Officer (CFO) quarterly certifications about the effectiveness of ICFR as well as the company’s disclosure controls and procedures (in connection with SOX Section 302, applicable to both NYSE and Nasdaq companies)
Review any major issues as to the adequacy of the company’s internal controls as highlighted by internal or independent audits and any special audit steps adopted in light of material control deficiencies (NYSE‑specific)
Oversight of internal audit
Oversee the performance of the company’s internal audit function (or other personnel responsible for the internal audit function) (NYSE‑specific)
Oversight of independent audit
Carry direct responsibility for the appointment, compensation and retention of the independent auditor as well as oversight of the independent auditor’s work (including resolution of disagreements between management and the auditor regarding financial reporting) (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Receive reporting directly from the independent auditor (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Regularly review with the independent auditor any audit problems or difficulties in the course of the audit, including regarding restrictions on scope and access to information, and management’s response (NYSE‑specific)
At least annually, obtain and review a report by the independent auditor describing the auditor’s internal quality control procedures, any material issues raised in internal quality control reviews and any steps taken to address those issues, as well as all relationships between the auditor and the company (NYSE‑specific)
Set clear hiring policies for employees or former employees of the independent auditors (NYSE‑specific)
Preapprove all audit and non-audit services (PCAOB Rules 3524 and 3525, applicable to both NYSE and Nasdaq companies)
Oversight of fraud, compliance and ethics
Establish procedures for receiving, retaining and treating complaints about accounting, controls and auditing matters, including complaints from those who wish to remain anonymous (Exchange Act Rule 10A‑3, applicable to both NYSE and Nasdaq companies)
Receive corporate attorneys’ reports of evidence of any material violation of securities laws or breaches of fiduciary duty (in connection with SOX Section 307, applicable to both NYSE and Nasdaq companies)
Assist board oversight of compliance with legal and regulatory requirements (NYSE‑specific)
Oversight of risk management
Discuss policies regarding risk assessment and management (NYSE‑specific)
Effective operations
Meet separately with management, internal auditors and independent auditors on a periodic basis (NYSE‑specific)
Report regularly to the board of directors (NYSE‑specific)
Have the authority to engage independent counsel and other advisors, as it deems necessary, to help it carry out its duties (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Evaluate the audit committee annually (NYSE‑specific)
The role of the audit committee may include oversight of other matters and other nonfinancial risks depending on the specifics of each business and its industry. Many audit committees oversee related-party transactions, which are required by both the NYSE and Nasdaq to be overseen by an independent body of the board (more on this in Oversight - Fraud, compliance and ethics). To enable an effective audit committee, it will be important to avoid overloading the audit committee and to confirm that responsibilities are clearly delineated to avoid overlaps with other committees or the full board.
Where overlap exists, the audit committee chair needs to confirm work is coordinated across the committees. This can be achieved, for example, through discussion between chairs, cross‑committee membership or by periodically holding joint meetings.
Audit committee charter
To institutionalize the responsibilities of the audit committee, both the NYSE and Nasdaq require listed companies’ audit committees to have charters, which can be modified as needed and which must include certain responsibilities (as noted above).
Audit committees will want to regularly review the audit committee charter (Nasdaq-listed companies are required to do so at least annually) to appropriately reflect and update for changes in regulatory or legal requirements or the reassignment of responsibilities.
Disclosure note
In accordance with Item 407(d)(1) and Instruction 2 to Item 407 of Regulation S-K, the SEC requires any public company to disclose in its proxy statement whether it has a written charter, and if so, whether the charter is available on the company’s website and the website address, if applicable. If not on the website, the company must include the charter as a proxy statement appendix at least once every three years or in any year in which the charter was materially amended. If a current copy of the charter is not available on the company’s website and is not included as an appendix to the company’s proxy or information statement, the company should identify in which of the prior fiscal years the charter was included.
Questions for consideration
1. Do all committee members have a clear understanding of the purpose of the audit committee and its key responsibilities?
2. Does the committee regularly review the charter and make necessary updates to confirm it reflects any evolution in the remit of the committee?
3. Does the committee have a clear plan for how responsibilities will be carried out and topics will be covered over the course of the year?
4. Is there appropriate and clear delineation of responsibilities to avoid overlapping discussions with other committees or the full board?
5. If there is a separate risk committee, how clear is the division of responsibilities between the audit committee and the board risk committee?
6. Where there is any overlap, how clear are the protocols for the audit committee interacting with other board committees on those topics?
The Team
Building the team — composition, independence and expertise
In accordance with NYSE, Nasdaq and SEC rules, the audit committee must comprise at least three members and membership is limited to those who meet independence standards under relevant stock exchange rules as well as under SOX and SEC rules for audit committee membership — which are above and beyond independence requirements for the full board. The average audit committee has three to five members.
Independence requirements
All audit committee members must be independent. The NYSE and Nasdaq each have specific criteria for independent directors, including “bright-line disqualification standards.” Broadly speaking:
NYSE requires that the director have no material relationship with the company either directly or as a partner, shareholder or officer of an organization that has a relationship with the company.
Nasdaq requires that the director have no relationship that would interfere with the exercise of independent judgment in carrying out their responsibilities.
Audit committee members must also satisfy the SEC’s enhanced definition of independence. SOX Section 301 and Exchange Act Rule 10A-3 require all listed company audit committee members to not be affiliated with the company or any subsidiaries. To be considered independent, an audit committee member may not accept any consulting, advisory or other compensatory fees from the issuer or be an “affiliated person” of the issuer or a subsidiary. Prohibited compensation can include indirect compensation to spouses, minor children or adult children who live with the committee member. For Nasdaq, audit committee members must also not have participated in preparation of the financial statements of the company or any current subsidiary at any time during the past three years.
Under Nasdaq rules, one non-independent director (meeting certain criteria) may be appointed in exceptional circumstances, in the best interests of the company, with disclosure requirements set forth in Item 407(d)(2) of SEC Regulation S-K regarding the nature of the relationship that makes the person not independent and the reasons for the board’s decision to appoint them. This exception is rarely utilized.
Financial expertise requirements
In addition, all members must be financially literate, and at least one member should be a financial expert with accounting or related financial management experience. See specifics in box below.
Spotlight on financial expertise
In addition, all members must be financially literate, and at least one member should be a financial expert with accounting or related financial management experience in alignment with SOX Section 407. Specifically:
NYSE
Each member must also be financially literate, as “interpreted by the listed company’s board in its business judgment.”
In addition, at least one member must have accounting or related financial management expertise.
Note that the person designated as the “audit committee financial expert” under SOX Section 407 may be presumed to have “accounting or related financial management expertise.”
Nasdaq
Each member must also be able to read and understand fundamental financial statements and have “at least one member with past employment experience in finance or accounting, requisite professional certification in accounting or any other comparable experience or background, which results in the individual’s financial sophistication, including being or having been a chief executive officer, chief financial officer or other senior officer with financial oversight responsibilities.”
The director who qualifies as “audit committee financial expert” under SOX Section 407 is presumed to qualify as a financially sophisticated audit committee member.
In alignment with SOX Section 407 and Item 407(d)(5) of Regulation S-K, the board of directors will make the “financial expert” determination based on whether the individual has all of the below:
An understanding of financial statements and US generally accepted accounting principles (GAAP)
The ability to assess the general application of US GAAP for estimates, accruals and reserves
Experience in preparing, auditing, analyzing or evaluating financial statements of the same level of complexity as the issuer’s financial statements, or experience in actively supervising those who engaged in such activities
An understanding of internal control over financial reporting
An understanding of the audit committee’s functions
These attributes would have been obtained through one or more of the below:
Education and experience as a principal financial officer, principal accounting officer, controller, public accountant or auditor, or experience in one or more positions that involve the performance of similar functions
Experience in actively supervising a principal financial officer, principal accounting officer, controller, public accountant, auditor or person performing similar functions
Experience in overseeing or assessing the performance of companies or public accountants in preparing, auditing or evaluating financial statements
Other relevant experience
Given the pace of change impacting accounting standards and audit methodologies, the importance of experience being recent and relevant cannot be overstated.
Other considerations
Integrity and high ethical standards are integral attributes for all audit committee members. They also need the mindset to raise and address challenging issues, probe management and encourage open and frank debate. Tenacity in asking questions and pursuing answers is a must.
The industry in which a company operates has a fundamental impact on the accounting policies, judgments and estimates that shape its financials (and therefore also on the external audit plan), as well as on the risks it faces. Hence competency in the given sector as well as in risk areas that may be within the committee’s remit may also be an important factor for audit committee members. For example, an increasing number of audit committee members may have cybersecurity and other IT experience.
Committee members are typically required to complete preliminary and annual tailored financial expertise and independence questionnaires and to provide notification to the company of any changes on an ongoing basis. These questionnaires are carefully reviewed in consultation with legal counsel as needed.
It’s also important to confirm that audit committee members have enough time to effectively carry out their responsibilities. Many boards limit the number of other public company audit committees on which their audit committee members can sit. When such a limit exists, usually no more than two other audit committees are allowed.
IPO accommodations
For both NYSE and Nasdaq, independence requirements are phased in for newly listed companies, as follows:
At least one independent member by listing date
Majority independent members within 90 days of effective date of registration statement
At least two members within 90 days of listing date
Fully independent committee within one year of effective date of registration statement
At least three members within one year of listing date
In practice, most companies have at least a majority independent, if not fully independent, audit committee with at least two members at listing.
Disclosure note
NYSE and Nasdaq both require compliance with Item 407(a) of Regulation S-K related to disclosure of determinations of independence for each director in the annual meeting proxy statement or annual report on Form 10-K, including disclosure relating to transactions, relationships or arrangements that were considered by the board in determining independence.
SEC rules (Item 407(d)(5) of Regulation S-K) adopted in response to the disclosure requirements of SOX Section 407 require companies to disclose in the annual report whether they have at least one financial expert serving on the audit committee, and if not, why not. If the committee has a financial expert, the company must disclose the expert’s name and whether that person is independent. Additional financial experts may also be identified by name and whether they are independent. If the person qualifies by virtue of “other relevant experience,” a brief list of the relevant experience must be disclosed according to Item 401(e) of Regulation S-K (which may be by reference to the required disclosure of business experience during the past five years of each director).
Companies listed on the NYSE must disclose whether an audit committee member serves on more than three audit committees of public companies and, if so, the board’s determination that such additional service would not impair their effectiveness (on the website or in the proxy, or if no proxy is filed, then in Form 10-K; if on the website, a reference must be provided in the annual report or proxy, including the web address).
Audit committee chair considerations
Most audit committee chairs have financial backgrounds. They are often current or former CFOs, other financial leaders, CEOs, public accounting executives or bankers.
To effectively lead the audit committee, the chair needs strong communication, interpersonal and leadership skills, as well as an ability to coach, challenge and build consensus.
Questions for consideration
Does the committee maintain effective records regarding financial expertise and independence with changes made as needed on an ongoing basis?
How has the audit committee assessed whether the number of members remains optimal for the committee to discharge its remit and allow for an equitable distribution of members’ efforts?
Do all committee members have the time and capacity to effectively carry out their roles?
Does the committee continuously assess its composition and succession planning to avoid gaps in skills or committee size?
Oversight
Fulfilling the role — key oversight considerations
To assist the audit committee in fulfilling its role, this section outlines key considerations in each of the key areas of audit committee oversight:
Financial reporting and related disclosures
Internal control over financial reporting
Internal audit
Independent audit
Fraud, compliance and ethics
Risk management
Financial reporting and related disclosures
Oversight of the annual and quarterly financial statements and related disclosures (included in Form 10-K and Form 10-Q) is a core aspect of every audit committee’s remit. As financial reporting becomes more complex, the audit committee should determine whether the financial statements are understandable, transparent and reliable. Specific requirements are as follows:
Review and discuss with management and the independent auditor the company’s quarterly financial statements prior to the filing of its Form 10-Q, including disclosures made in management’s discussion and analysis and the results of the independent auditor’s review of the quarterly financial statements (NYSE‑specific)
The audit committee will review and discuss (with management and the independent auditor) the annual audited financial statements and recommend to the board whether they should be included in the Form 10-K, and review and discuss the quarterly financial statements prior to the filing of Form 10‑Q, including disclosures made in “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and the results of the independent auditor’s review of the quarterly financial statements.
NYSE listing rules guidance to Section 303A.07(b) explains that while the fundamental responsibility for the company’s financial statements and disclosures rests with management and the independent auditor, the audit committee is required to review:
Major issues regarding accounting principles and financial statement presentations, including any significant changes in the company’s selection or application of accounting principles, and major issues as to the adequacy of the company’s internal controls and any special audit steps adopted in light of material control deficiencies
Analyses prepared by management or the independent auditor setting forth significant financial reporting issues and judgments made in connection with the preparation of the financial statements, including analyses of the effects of alternative GAAP methods on the financial statements
The effect of regulatory and accounting initiatives, as well as off-balance sheet structures, on the financial statements of the company
The type and presentation of information to be included in earnings press releases (paying particular attention to any use of “pro forma,” or “adjusted” non-GAAP, information), as well as any financial information and earnings guidance provided to analysts and rating agencies
The committee should clearly understand financial results and how reported results compare to plan, as well as significant balance sheet changes in trends or important financial statement relationships. The committee should also assess the congruence between any narrative regarding key risks and the impacts of key risks accounted for in the financial statements. Finally, it’s important to set an expectation with management that accounting errors should be recorded when identified.
To accomplish an effective review of the financial statements, leading practice audit committees will:
Ask management for an overview of judgmental or key areas included within the financial statements for the audit committee to evaluate
Seek to understand complex accounting and reporting issues, such as fair value accounting and related assumptions, and how management addresses them
Focus on new accounting pronouncements adopted during the reporting period, critical accounting policies, risk factors, internal control deficiencies and significant accounting matters and disclosures
Focus on areas involving significant judgment or high degrees of estimation (such as asset impairments), quality of earnings, cash flows and liquidity position and other ongoing financial statement issues affected by macroeconomic conditions
Review significant financial reporting and regulatory developments, including their effect on the financial statements and on the company’s resource needs
Review the use of non-GAAP measures and understand why management believes they enhance reporting
Inquire about management’s consideration of its revenue recognition policies, including how the company accounts for complex revenue arrangements and whether any changes in revenue recognition policies were made in the current year
NYSE guidance explains that the audit committee’s responsibility to discuss earnings releases, as well as financial information and earnings guidance, may be done generally (i.e., discussion of the types of information to be disclosed and the type of presentation to be made). The audit committee need not discuss in advance each earnings release or each instance in which a listed company may provide earnings guidance. However, earnings releases and earnings guidance are important to stakeholders and investors, so it’s valuable to understand anything that could result in a change in earnings after the release and before SEC filing, including what work has not yet been completed by the independent auditor.
The committee should also seek to understand the financial reporting close process — how financial data is gathered to produce financial reports — including any significant adjustments, offline account reconciliations, delays, data inconsistencies or organizational changes. For more on this, see “Can fine-tuning your financial processes help accelerate your growth?”.
Finally, the SEC may issue a “comment letter” to understand disclosures, revise disclosures or request additional or different disclosures. These often seek to enable compliance with accounting standards or address clarification or inconsistencies regarding financial reports. It can be helpful for audit committees to learn about trends in SEC comment letter areas of focus as well as to stay informed about any comment letters received by the company and plans for the company response, which are ultimately public documents. For resources on this, see: https://www.ey.com/en_us/services/audit.
Disclosure note
SEC rules (Item 407(d) of Regulation S-K) require certain disclosures related to audit committee oversight in the proxy statement. This includes information regarding the composition and operation of the committee as well as:
Whether the committee reviewed the financial statements with management
Whether it discussed them with the independent auditors
Whether it was provided a disclosure from the independent auditors regarding independence
Whether it has recommended to the board that the financial statements be included in the annual report
Many provide more fulsome descriptions of audit committee oversight activities on a voluntary basis. The depth and scope of audit-related disclosures in the proxy statement have increased in recent years, providing more insight into the committee’s roles, responsibilities and key areas of focus.
The SEC (Item 407(h) of Regulation S-K) also requires the board to disclose the extent of its role in risk oversight. This typically includes a description of the role of board committees in certain aspects of risk oversight.
Audit committee chair considerations
The audit committee chair will actively engage management, including the CFO, head of internal audit and the independent auditor, to help committee members understand the financial statements and related disclosures.
The audit committee chair will work closely with the corporate secretary to draft the audit committee report, confirming that it addresses any mandatory requirements and is an accurate reflection of the work undertaken by the audit committee over the course of the year.
Questions for consideration
How has the audit committee satisfied itself that management has adequately accounted for complex accounting issues and non‑recurring items?
What information, including from independent sources or advisors, did the audit committee use to challenge management over judgments underpinning material estimates?
How has the audit committee challenged management on any voluntary changes to accounting policies, readiness for future mandatory changes in accounting standards and the accounting for any material one-off or unusual transaction, if relevant?
How has the audit committee challenged management on its selection and use of non‑GAAP measures?
Is the committee knowledgeable of the critical accounting policies of the company and the material alternative accounting treatments, as well as internal and independent auditors’ views on those?
For more on ICFR, see the CAQ Guide to Internal Control Over Financial Reporting.
To create a reference point against which to build a picture of what good looks like and to judge effectiveness, the audit committee can refer to a recognized internal controls framework. Indeed, the SEC requires companies to use a “suitable framework” for assessing effectiveness of ICFR. One such example is the so-called COSO Internal Control — Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2013.
To conduct these reviews, the audit committee needs to understand key controls and financial reporting risk areas as assessed by financial management, the internal auditor and the independent auditor, as well as mitigating controls and safeguards. Leading practice audit committees will:
Request regular information on the functioning of internal controls over financial reporting from the finance team, internal audit and potentially the CEO
Determine whether the company devotes the resources required for its internal control processes to function effectively
Understand management’s action plans to address material control deficiencies or emerging risks that could have an impact on financial statements
Monitor implementation of significant internal control changes
Consider levels of authority and responsibility in key areas, including pricing and contract negotiations, acceptance of risk, commitments and expenditures
Obtain views from the independent auditor and specifically understand whether the auditor is taking a controls reliance approach in the audit and, if relevant, why a controls approach cannot be adopted
Challenge management to leverage the value of controls so that internal control processes and assessments do not simply become compliance exercises
Verify that there is a robust management-level disclosure committee, as recommended by the SEC, and confirm it has a clear mandate
Compliance with SOX Section 404 can be an expensive and intensive process. Newly listed companies are not required to comply with SOX Section 404 until their second annual report filing. In addition, emerging growth companies (EGCs) are exempt from SOX Section 404(b), which requires the independent auditor to attest to and report on management’s assessment of its internal controls. The SEC allows a company to retain EGC status for the first five years after its IPO provided it does not exceed certain thresholds (relating to revenue, debt issuance and becoming a large accelerated filer). Such companies are therefore exempt from SOX Section 404(b) for their first five years after IPO.
The audit committee will:
Review CEO and CFO quarterly certifications about the effectiveness of ICFR as well as the company’s disclosure controls and procedures (in connection with SOX Section 302, applicable to both NYSE and Nasdaq companies)
SOX Section 404 requires management to annually evaluate and report on the effectiveness of these controls and the independent auditor to report on this assessment. As part of the audit process, the independent auditor must provide the audit committee with written communication about all material weaknesses and significant deficiencies in internal control. Additionally, in accordance with SOX Section 302, the CEO and the CFO are required to make quarterly certifications about the effectiveness of ICFR as well as the company’s disclosure controls and procedures (designed to confirm that disclosures required by the SEC are recorded, processed, summarized and reported within the designated time periods). Relatedly, SOX Section 906 requires the CEO and CFO to certify that all financial reports fairly present, in all material respects, the financial condition and results of operations of the issuer, and carries criminal penalties for noncompliance.
ICFR refers to a company’s processes designed to reasonably confirm the reliability and accuracy of financial reporting. Management is responsible for establishing and maintaining adequate ICFR; however, the audit committee is responsible for overseeing these controls and reviewing how management has complied with SOX. These controls may include separation of roles and duties, cybersecurity and IT controls, management review, entity and process-level controls, access controls, audit trails and preventive and detective controls.
Does the committee discuss with the internal auditors whether management has adequately addressed recommendations for improvements in ICFR, if any?
Does the committee discuss with management the process for performing certifications under SOX Section 302 and review management certifications on quarterly and annual reports?
On which sources of feedback did the audit committee base its assessment of the overall strength of the finance function?
Does the committee effectively monitor how management is assessing the adequacy and effectiveness of ICFR and obtain at least quarterly status reports on management’s assessment of ICFR and the independent audit of ICFR?
What reporting does the audit committee receive so that it can challenge management’s view on the design and operational effectiveness of internal controls across its areas of responsibility? Is this reporting sufficiently regular and timely?
How satisfied is the audit committee with the reporting it receives from those within the second line who test first-line controls?
Does the committee discuss with management and the independent auditor the deficiencies in ICFR and any differences between management’s assessment and the independent auditor’s assessment?
Does the committee discuss with management its remediation plan to address internal control deficiencies?
Does the committee review and determine that disclosures describing any identified material weaknesses and management’s remediation plans are clear and complete?
Within one year of listing, companies on the NYSE must have an internal audit function, with oversight from the audit committee. If the listed company does not yet have an internal audit function because it is availing itself of the transition period accommodation, the committee should review with the board management’s activities with respect to the design and implementation of the internal audit function.
For more on oversight of internal audit, see The Audit Committee: Internal Audit Oversight from The Institute of Internal Auditors.
Also, Federal Reserve-supervised institutions with consolidated assets greater than $10 billion, including state member banks, domestic bank and savings and loan holding companies, and US operations of foreign banking organizations (FBOs), are subject to the SR 13-1 / CA 13-1: Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing. These expectations are focused on the characteristics, governance and operational effectiveness of an institution’s internal audit function, including clarity on internal audit’s reporting line, audit committee reporting enhancements, providing opinions on risk management and oversight and awareness of the audit committee.
The audit committee should meet regularly and privately with the internal auditor and should be comfortable that the internal audit staff has the appropriate training and supervision to stay professionally current. Also, the detail and frequency of the internal auditor reporting to the audit committee have increased at many companies over the past several years.
Not only can the audit committee use the provided internal audit reports in discharging its duties, internal audit is also often the audit committee’s eyes and ears on the ground, able to bring cultural insights from across the organization. Where such a function exists, a good working relationship between the audit committee and internal audit is of fundamental importance.
As the role of internal audit is to evaluate and improve the effectiveness of risk management, internal controls and governance processes, a well-implemented function is a great asset to an audit committee. It’s important for the full committee to understand key topics addressed by internal audit so that all directors can fulfill their fiduciary duties and not unduly rely on the expertise of one or two directors.
Regular interaction between the audit committee and the internal auditor, whether or not a company outsources the function to a third-party service provider, is critical to the effective functioning of the internal audit group.
For Nasdaq, an internal audit function requirement is not specifically addressed; however, in practice, many Nasdaq-listed companies voluntarily establish an internal audit function reporting to the audit committee.
The NYSE requires that listed companies maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company’s risk management processes and system of internal control. A listed company may choose to outsource — fully or partially — this function to a third-party service provider that is not its independent auditor. As such, audit committees are required to:
The audit committee chair plays a pivotal role in addressing conflicts that may arise between management and internal audit — especially with respect to budgetary or resource requests and the assessment of the magnitude and priority of findings. The strength of the chair’s relationship with both the CEO or CFO and the head of internal audit is fundamental in this context.
Are internal audits conducted in conformance with The Institute of Internal Auditors’ Global Internal Audit Standards?
How confident is the audit committee that the head of internal audit will bring all potential matters of significance involving management to its attention?
How well does the audit committee understand the levels of confirmation provided by internal audit activities over the course of the year and the risk coverage that the activities achieved?
How can internal audit better help the board understand the overall health of the internal control environment in the company?
Has internal audit confirmed that the organization’s cybersecurity program is aligned to business risks and has it evaluated the maturity of the program against defined frameworks, peers and leading practices?
What does management’s attitude toward actioning internal audit recommendations tell the audit committee about the risk culture within the organization?
How has the audit committee assessed the quality of internal audit’s work? How is it monitoring whether any recommendations are being adequately implemented?
How does the audit committee confirm that internal audit sourcing arrangements and activities remain appropriate for the strategic objectives and most significant risks of the company?
How has the audit committee considered changes that might impact internal audit’s charter and mandate?
Have there been changes to the business or key risks that have resulted in changes to internal audit’s plan?
What information does the audit committee receive that allows it to assess the caliber of internal audit resources in relation to staff, skill sets and technology?
Has internal audit disclosed any potential concerns that could indicate independence is impaired?
How are the company’s internal audit and risk functions leveraging data and leading-edge analytics to achieve objectives and monitor risks?
In seeking audit committee preapproval for tax services and non-audit services related to internal control over financial reporting, PCAOB Rules 3524 and 3525, respectively, require that the independent auditor describe the scope of the proposed service in writing to the audit committee. In addition, with respect to preapproval of tax services, independent auditors should describe in writing to the audit committee:
The fee structure for the engagement (e.g., hourly-based, fixed fee)
Any side letters, amendments to the engagement agreement or any other agreements, whether oral, written or otherwise, relating to the service between the independent audit firm and the US SEC audit client
SOX Section 201 makes it unlawful for audit firms to perform nine specifically listed categories of non-audit services for the public companies they audit. Audit firms are not prohibited from performing any other non-audit service for a public company audit client, as long as such services are preapproved by the company’s audit committee. SOX Section 202 requires audit committees to preapprove all audit and non-audit services.
Reporting from the independent auditor
The PCAOB was established under SOX and sets standards for public company audits. Upon appointment or retention, PCAOB AS 16 stipulates that the auditor should communicate with the audit committee regarding:
Any significant issues that the auditor discussed with management in connection with the appointment or retention of the auditor, including significant discussions regarding the application of accounting principles and auditing standards
The terms, objectives and responsibilities related to the audit engagement, including in an engagement letter to be provided annually
The audit strategy, timing and significant risks identified in the auditor’s risk assessment (with any significant changes to the strategy communicated on an ongoing basis)
Whether the audit committee is aware of matters relevant to the audit, such as possible violations of laws or regulations
In regard to the results of the audit, in accordance with PCAOB AS 16, the independent auditor should communicate to the audit committee regarding:
Significant accounting policies and practices
Critical accounting policies and practices
Critical accounting estimates
Significant unusual transactions
Financial statement presentations
New accounting pronouncements
Alternative accounting treatments
Matters that are difficult or contentious for which the auditor consulted outside the engagement team and that the auditor reasonably determined are relevant to the audit committee’s oversight of the financial reporting process
Views on any matters of concern on which management consulted with other accountants
Certain matters relating to the auditor’s evaluation of the company’s ability to continue as a going concern
The schedule of uncorrected misstatements related to accounts and disclosures that the auditor presented to management
Any corrected misstatements that might not have been detected except through the audit and the implications that such corrected misstatements might have on the company’s financial reporting process
Other material written communications between the auditor and management
Any departures from the auditor’s standard report
Any disagreements with management about matters, whether or not satisfactorily resolved, that individually or in the aggregate could be significant to the company’s financial statements or the auditor’s report
Any significant difficulties encountered during the audit
Other matters arising from the audit that are significant to the oversight of the company’s financial reporting process
Preapproval of audit and non-audit services
The Center for Audit Quality has released a tool to assist audit committees in their evaluation of the independent auditor. The tool includes sample questions, including those designed to assess the independent auditor’s quality of service, communication and independence.
Audit committees also should consider communicating to shareholders the process and related rigor involved in performing an annual evaluation of the auditor and explain the process, scope and results of their assessment.
Audit committee members should evaluate the auditor’s performance throughout the audit process, noting such items as the auditor’s skepticism in evaluating unusual transactions or responsiveness to issues. These contemporaneous assessments provide important input into the annual evaluation process.
The annual auditor assessment should draw on the audit committee’s experience with the auditor during the current engagement (presentations; reports; dialogue during formal, ad hoc and executive sessions). It is appropriate to obtain observations on the auditor from others within the company, including management and internal audit, accompanied by discussions with key personnel interacting with the independent auditors.
Each year, the audit committee should evaluate the independent auditor to make an informed decision regarding whether to retain the auditor. The evaluation should encompass an assessment of the auditor’s qualifications and performance; the quality and candor of the auditor’s communications with the audit committee and the company; and the auditor’s independence, objectivity and professional skepticism.
Annual evaluation of the independent auditor
Candid and open communication between the independent auditor and audit committee is imperative for a successful relationship. To improve oversight of the audit process, audit committees often arrange meetings with the independent auditor throughout the year to encourage candid and open communication and information flow.
When it comes to overseeing the work of the independent auditor, a typical audit cycle involves the following core stages: planning and risk assessment; execution of interim procedures, including consideration of processes and controls testing where relevant; year-end testing, including procedures relating to the annual report; and sharing of observations on areas for potential improvement noted during the audit, including those relating to internal controls over financial reporting.
The audit committee should discuss with the independent auditor whether and how AI is used in performing the audit and how this is being done appropriately and reliably. The audit committee should also understand how AI impacts the audit team’s overall talent strategy, audit methodology and regulatory considerations.
Separately, the audit committee should evaluate the mix of proposed procedures (i.e., controls testing, data analytics, use of forensic capabilities) and locations where these will be performed.
Overseeing the independent auditor’s work
Independent auditors determine the audit scope and discuss the scope with the audit committee. This discussion allows the audit committee to confirm that the audit scope has not been affected by pressures from management. Audit committees also can ask independent auditors to perform more work in certain areas where they may have additional concerns.
When scrutinizing the audit plan, the audit committee should, among other considerations, confirm that:
The reasons for any divergence between the auditor’s assessment of the company’s risk profile and the audit committee’s own understanding are clearly explained and that no risks of concern to the audit committee have been missed
Compared with the prior year, the plan has adequately evolved in response to changes in the business
The resourcing of the engagement assumes adequate involvement from executive team members
There will be sufficient involvement of relevant experts and that the audit committee will have access to those experts it may wish to hear from directly
The proposed timing of the procedures allows for reporting of issues early enough to enable their orderly resolution
Under PCAOB Rule 3526, Communication with Audit Committees Concerning Independence, auditors must affirm their independence and compliance with PCAOB independence rules before accepting an initial engagement and thereafter, at least annually.
The auditor must be independent in fact, as well as in appearance. It is not enough for the auditor to abide by all the de facto independence requirements set out in legislation and professional standards. The auditor also needs to avoid any actions that could create a perception that independence might have been impaired. While the onus is on the independent auditor to police its own independence, the audit committee has a crucial role to play in challenging and supporting how the auditor goes about doing this.
The NYSE specifies that audit committees must assist the board in overseeing the independent auditor’s qualifications and independence. Independence standards for audit firms are set by the SEC, PCAOB and the International Ethics Standards Board for Accountants (IESBA) when applicable. Common issues that may impact independence include providing certain types of non-audit services, the relative value of fees earned from services other than the audit, relationships between the auditor and the organization and the duration of involvement of the audit firm and individual audit team members in the particular engagement.
Oversight of the independent audit
Audit committees play a critical role in overseeing the independent auditor and evaluating audit quality. The primary objective of an independent audit is to provide independent assurance, based on professional standards, that a company’s financial statements are free from material misstatement and give a fair representation of its financial performance and position and are therefore a good basis for decision-making. Fundamental to this objective is the independent auditor’s independence, which requires a direct reporting line between the auditor and the audit committee. The audit committee, not the CFO, owns the relationship with the independent auditor and is responsible for the appointment, compensation and oversight of the independent auditor.
Specifically, the audit committee must:
Carry direct responsibility for the appointment, compensation and retention of the independent auditor, as well as oversight of the independent auditor’s work (including resolution of disagreements between management and the auditor regarding financial reporting) (Exchange Act Rule 10A-3, applicable to both NYSE and Nasdaq companies)
Appointment and independence of the independent auditor
Advising on the appointment and retention of the independent auditor is one of the audit committee’s most important tasks. While audit committees lead the audit tender, management’s role is vital to the project’s ultimate success and goes beyond administrative tasks. Executives, including the CFO, and often the broader finance function, should be involved in recommending criteria and conducting their own evaluations of the external auditor. At the end of the tender process, the audit committee is commonly expected to present the board with two choices and its preference.
Selection criteria can be divided into essential and preferred criteria, and can include:
Accounting and auditing technical ability, combined with experience in the industry
Geographical presence
Application of technological advancements to audit methodology
Caliber of proposed lead partner and engagement team, considering both competence and chemistry
Value for money
The process may include:
Partner interviews (by audit committee and by management)
Visits to company locations by participating bidders
Management meetings at the company’s head office
Technical challenge
Written submissions
Oral presentations
In the case of reappointment, the audit committee would review the findings of the annual evaluation of the performance of the independent auditor (see “Annual evaluation of the independent auditor” for more on this).
Additionally, the NYSE requires the audit committee, at least annually, to obtain and review a report by the independent auditor describing:
The firm’s internal quality control procedures
Any material issues raised by the most recent internal quality control review, or peer review, of the firm, or by any inquiry or investigation by governmental or professional authorities, within the preceding five years, respecting one or more independent audits carried out by the firm, and any steps taken to deal with any such issues
All relationships between the independent auditor and the listed company (to assess the auditor’s independence)
The NYSE also requires the audit committee to set clear hiring policies for employees or former employees of the independent auditors.
How effectively is the audit committee overseeing the ways in which management is factoring in independence considerations when awarding service contracts to independent audit providers?
How comprehensive and effective is the committee process for assessing the quality, value and overall performance (in the case of retention) of the independent auditor?
Does the committee have a clear, common understanding of an indicative time frame for when the next audit tender process might be run and for which financial year-end?
How did the audit committee assess whether the audit fee is commensurate with the planned effort?
Has the audit committee thoroughly considered the extent of procedures the external auditor should perform over interim financial information, if any?
What practices can be implemented to enhance audit quality and foster the delivery of a high-quality, effective and efficient audit?
The audit committee chair will seek to establish and maintain a culture and policy of open dialogue with management and the internal and external auditors. They will establish expectations about the nature and method of communication and exchange of insights, including an annual agenda with the independent auditor.
Audit committee chairs often meet with the lead audit partner between meetings, or before each meeting, to better understand the most important issues and risks impacting the audit and the overall business. Audit committee chairs should routinely provide formal and informal feedback to auditors to improve the audit process and enhance the transparency of two-way communication between audit committees and the auditor.
How confident is the audit committee in the independent auditor’s ability to comply with PCAOB QC 1000 and other standards?
How effective are the processes the audit committee has put in place to assess audit quality throughout the year? Which data points and other inputs support the assessment?
How confident is the audit committee in its assessment of whether the audit plan was effectively executed and that the procedures performed were sufficient to reach an audit opinion?
Finally, the Center for Audit Quality has developed a Practice Aid that encourages all audit firms to proactively and robustly communicate with the audit committee any audit deficiencies identified by a PCAOB or internal inspection of the issuer’s audit engagement. The PCAOB also encourages audit committees to ask independent auditors about their inspection processes, findings and quality control procedures.
The NYSE affirms PCAOB AS 16 by requiring review with the independent auditor of any difficulties encountered in the course of the audit work, including any restrictions on scope or access to requested information, as well as any significant disagreements with management. NYSE listing rules guidance to Section 303A.07(b) suggests that among the items the audit committee may want to review with the auditor are:
Any accounting adjustments that were noted or proposed by the auditor but were “passed” (as immaterial or otherwise)
Any communications between the audit team and the audit firm’s national office respecting auditing or accounting issues presented by the engagement
Any “management” or “internal control” letter issued, or proposed to be issued, by the audit firm to the listed company
These communications can be provided either orally or in writing, unless otherwise specified within the standard. However, the auditor must document the communications in the workpapers, whether such communications took place orally or in writing. These communications should be made in a timely manner and prior to the issuance of the auditor’s report.
Regarding PCAOB AS 16 required communications, an auditor may communicate to only the audit committee chair if done in order to communicate matters in a timely manner during the audit. The auditor, however, should communicate such matters to the audit committee prior to the issuance of the auditor’s report.
What role does the audit committee adopt in overseeing management’s response to observations provided by the independent auditor and any audit differences that were identified?
How did the audit committee hold management accountable for addressing any findings from the interim phase of the audit in a timely manner and ahead of the year-end? What reporting did it receive regarding adjustments made to the audit plan in response to any such findings?
How effectively does the audit committee hold the auditor accountable for providing the right communications at the right time?
Is the policy covering the awarding of non-audit services to the independent auditor sufficiently clear, comprehensive and actionable?
PCAOB rules require the auditor, rather than management, to directly seek preapproval of such services. The rules also require a discussion with the audit committee about, among other matters, the potential effects of the proposed service on the audit firm’s independence, and documentation of the substance of this discussion.
Any compensation arrangements or other agreements (such as a referral agreement, a referral fee or fee‑sharing arrangement) between the independent audit firm and any third party with respect to promoting, marketing or recommending a transaction covered by the proposed tax service. Affirmation that no such side letters, amendments, agreements or arrangements exist should be disclosed
Under SOX Section 307, the SEC established rules requiring attorneys to report evidence of material violations of securities laws or breaches of fiduciary duty or similar violations by the company to the issuer’s chief legal counsel or the CEO. If management does not appropriately respond to the evidence, the attorney must report the evidence to the board, the audit committee or another board committee comprised of solely outside directors. In light of these requirements, the audit committee should have an effective process to respond to any reports from the company’s attorneys about alleged violations of securities laws or breaches of fiduciary duties.
The NYSE and Nasdaq also both require an independent body of the board to review and oversee related-party transactions. If this oversight is assigned to the audit committee, then the committee should also understand management’s process for approval of, identification of and accounting for related-party transactions, paying particular attention to those that could pose a heightened risk for fraud. In accordance with PCAOB AS 2410, the auditor should communicate to the audit committee the auditor’s evaluation of the company’s identification of, accounting for and disclosure of its relationships and transactions with related parties.
The committee should carefully consider the accessibility of hotline and whistle-blower procedures to enable awareness of and trust in the mechanisms. Note that the Dodd-Frank Act, passed in 2010, enhanced the SOX whistle-blower program, established a bounty program under which whistle-blowers receive a certain amount of the proceeds from a litigation settlement, broadened the definition of a covered employee and extended the time frame within which whistle-blowers can bring a claim after discovery of a violation.
Each code of conduct must also contain an enforcement mechanism that enables prompt and consistent enforcement of the code, protection for persons reporting questionable behavior, clear and objective standards for compliance, and a fair process by which to determine violations.
A code of conduct satisfying this rule must comply with the definition of a “code of ethics” set out in SOX Section 406.
Each company shall adopt a code of conduct applicable to all directors, officers and employees.
Many companies adopt one code of conduct and ethics that meets NYSE and SOX Section 406 requirements; other companies adopt separate codes for NYSE and SOX Section 406 purposes.
Each code of business conduct and ethics must also contain compliance standards and procedures that will facilitate the effective operation of the code. These standards should enable the prompt and consistent action against violations of the code.
The code must go beyond SOX Section 406 requirements to explicitly address:
Conflicts of interest
Corporate opportunities
Confidentiality
Fair dealing with customers, suppliers, competitors and employees
Protection and proper use of company assets
Compliance with laws, rules and regulations (including insider trading laws)
Encouraging reporting of any illegal or unethical behavior
Specific NYSE and Nasdaq requirements
Audit committees are required to:
Fraudulent financial reporting need not be the result of a grand plan or conspiracy. Individuals may rationalize the appropriateness of a misstatement, for example, as an aggressive rather than indefensible interpretation of complex accounting rules. Or they may see it as a temporary misstatement of financial statements, to be corrected later when operational results improve, or as something that is in the best interests of the company or the employees. But whatever the rationalization, these individuals would intend to mislead financial statement users.
Consider situations that may indicate improper earnings management, management override of controls and potential fraud related to revenue recognition. The committee may also seek to understand management’s compensation structure, such as incentive bonuses and stock plans, and consider whether the compensation structure might encourage inappropriate behavior to improve compensation.
Integral to financial reporting oversight is understanding how fraud risks are identified and assessed so that appropriate anti-fraud programs and processes can be established. To oversee anti-fraud controls effectively, the audit committee needs an understanding of the incentives and pressures that may lead management or employees to commit fraud or become involved in bribery and corruption, and of the overall impact on financial reporting and related processes.
Review of the fraud risk assessment should include consideration of new types of sophisticated fraud as well as how technology can support fraud analysis and defense.
The committee also needs to understand which measures have been put in place by management to prevent and detect fraud. A fraud risk assessment should be performed on a regular basis and be customized to address the specific circumstances of the organization (e.g., industry, geography, size). The audit committee should know the company’s tolerance for identified fraud risks and help align anti‑fraud procedures with the business strategy. While considering all these factors, the audit committee must then oversee the design, execution and monitoring of anti‑fraud controls.
Fraud can be accomplished through manipulating, falsifying or altering accounting records or supporting documents; providing incomplete or misleading disclosures; intentionally misapplying accounting principles; overriding management controls; or exerting other inappropriate influence over the financial reporting process.
By promoting integrity and bringing together insights from various aspects of its work (risk assessment, internal controls monitoring, whistle-blowing oversight and insights from external and internal audit), the audit committee helps create a culture that discourages misconduct. The tone from the top within the audit committee starts with the audit committee chair, who must foster a culture of compliance and ethical conduct.
In addition to procedures for anonymous complaints related to ethics and conduct, SOX Section 406 requires companies to disclose whether or not they have adopted a code of ethics applicable to the principal executive officer, principal financial officer and controller or principal accounting officer (and, if not, why not) that includes standards reasonably necessary to deter wrongdoing and to promote:
Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships
Full, fair, accurate, timely and understandable disclosure in SEC periodic reports and other public communications
Compliance with applicable governmental laws, rules and regulations
Prompt internal reporting of code violations to an appropriate person identified in the code; and accountability for adherence to the code
NYSE and Nasdaq also have specific requirements. See the callout box on specific NYSE and Nasdaq requirements.
The audit committee’s relationship with the company’s general counsel is evolving. Audit committees and boards are increasingly looking to the general counsel not only for legal advice, but also for business advice. And as a corporate leader, the general counsel helps to set the organization’s tone and culture. The general counsel can help the company better understand its disclosure obligations under the securities laws and SEC rules, and can help the company prepare for potential investigations, for example following a whistle-blowing claim.
The audit committee may also assist the board in monitoring compliance with laws and regulations. This may include an assessment of whether the company has an effective compliance and ethics program (e.g., based on the Federal Sentencing Guidelines Manual). In addition to reviewing reports from regulators about company compliance, the audit committee should meet periodically with compliance officers and the general counsel to better understand the company’s compliance process.
Nasdaq requires that the code of business conduct and ethics be publicly available in the manner prescribed by SEC Regulation S-K. Item 406 of Regulation S-K requires the SOX Section 406 code to be made publicly available by (a) filing it as an exhibit to the annual report, (b) posting it on the company’s website (provided the company has disclosed in its most recently filed annual report its website address and its intention to provide disclosure in this manner) or (c) undertaking in the annual report to provide a copy to any person upon request.
The NYSE requires that the code be publicly available on the company website (with reference from the proxy statement or Form 10-K).
How effectively has the audit committee assessed access to whistle-blower hotlines and the implications of whistle-blowing cases on internal controls and corporate reporting?
Has the committee determined a consistent and considered approach for reviewing hotline and whistle-blower reports in terms of level of detail?
How comfortable is the committee in its understanding of technology for fraud prevention, monitoring and detection?
How rigorously has the committee analyzed outcomes of the organization’s fraud risk assessment and considered implications for its remit, including understanding which fraud risks are of the highest priority?
Does the committee have a reasonable basis on which to know that the company’s attitude toward fraud is understood throughout the company and that management maintains an appropriate culture?
How effectively has the committee cultivated and demonstrated an honest and ethical corporate culture and tone from the top?
How clear, timely and effective are updates from the general counsel on legal and regulatory matters that may have a material effect on financial statements?
How well does the committee understand the company’s compliance process?
How clear and comprehensive are updates from management about reports or inquiries from regulators or other outside parties (e.g., SEC, Internal Revenue Service) and about management’s responses to them?
Where risks have been transferred rather than reduced, the audit committee may occasionally ask to receive updates from management on major insurance programs. Some risks cannot be successfully reduced or insured against in a cost-effective manner. In such cases, the audit committee may need to recommend to the board an orderly withdrawal from certain activities. When that is not an option, the audit committee may require management to provide more frequent and detailed confirmations that contingency and disaster recovery plans are being kept up to date. It’s also important to consider the upside and opportunities that taking certain risks might present and how the audit committee can support agility and resilience.
Risk management is about accepting a risk but undertaking actions to reduce its severity to tolerable levels (within risk appetite). The overall culture of the organization, and its focus on integrity and compliance, is one of the most important ways to manage risk. The management of enterprise risks will vary depending on the nature of the risk. For example, external risks that are outside of the direct control of the organization may be managed by confirming that effective business continuity, disaster recovery and crisis management plans are in place. Downside risks, where there is limited to no appetite for risk, will be managed through policies, procedures and internal control systems, including entity-level controls. At a process level, the principal means of managing risks is through the operation of a system of effective internal controls.
Oversight of policies regarding risk management
New or future risks, with a potential impact that is not yet reliably understood or known, but where the assessment indicates it could be high, are often referred to as “emerging risks.” The implications of emerging risks are difficult to assess, and the expectation is that they will evolve over time. They may dissipate altogether, exacerbate existing principal risks or evolve into stand-alone risks. Companies need to put in place specific processes to identify emerging risks and monitor their evolution. Often, this involves horizon scanning by the second line and the use of future-back scenarios. Audit committee members, by virtue of not being embedded within the business, can bring fresh perspectives to the emerging risk assessment.
The audit committee should assess the company’s risk assessment and risk management policies and determine a cadence for appropriate reporting, including on how management is identifying, monitoring and reducing the company’s key risks. The audit committee will need to devote time to understanding the profile of principal risks, how various risks are interconnected and how those connections are being tracked. Not only can the impact of multiple interconnected risks converging exceed the sum of each part, but interconnectedness can also accelerate the speed with which the risks materialize. Audit committees may also encourage management to conduct a scenario analysis in order to understand the amplified impact of correlated risks.
Discussing policies regarding risk assessment
If the audit committee takes on oversight of too many risks beyond those directly related to financial reporting, it may struggle to adequately discharge its other core duties. For this reason, oversight of some risks may be delegated by the board to other committees. However, even in those situations, the audit committee will typically act as an integrator of most, if not all, risks. This reflects the fact that all risk factors can potentially affect the financial results and the viability of the business. For example, as it relates to AI, the audit committee should at a minimum understand how AI is being used, and could be used, to support financial reporting processes, and the risks associated with those uses. AI can be used, for instance, for automation of routine tasks, real-time data analysis to detect fraud, compliance monitoring and forecasting for financial planning.
Related to the banking industry, among other expectations, the Federal Reserve SR 21-3 / CA 21-1: Supervisory Guidance on Board of Directors’ Effectiveness [1] states that an effective board of directors, through its risk and audit committees, assesses and supports the stature and independence of the organization’s independent risk management and internal audit functions. It also states that an effective risk committee and an effective audit committee engage in robust inquiry into, among other matters, the causes and consequences of material or persistent breaches of the organization’s risk appetite and risk limits.
Guidance on risk management from the Federal Reserve and Office of the Comptroller of the Currency
Other risk topics sometimes under audit committee purview include finance transformation, tax, trade and supply chains, technology and innovation, and policy and regulatory matters.
Generally, while the audit committee’s primary focus is on risks that affect the financial statements as well as ethics and compliance, some boards delegate other aspects of risk oversight to the audit committee (for example, cybersecurity, AI or sustainability, including assurance and internal controls for disclosed sustainability information and metrics). Note that this excludes organizations that are required under Dodd-Frank to have a separate board risk committee. Some other companies have a combined “audit and risk committee.”
Traditionally, audit committees were concerned with oversight of risks related to financial reporting and the related internal controls over financial reporting. Today, however, the role of many audit committees extends beyond this, with the audit committee taking on a risk oversight role more significant than that played by other board committees. The NYSE governance standards recognize that the audit committee is “not the sole body responsible for risk.” However, the standards do require that the audit committee:
Similar to the required disclosure on board oversight of risk noted at the beginning of Section 4, there is also an SEC-required disclosure (Item 106(c) of Regulation S-K, presented in Item 1C of Form 10-K) specifically on the board of directors’ oversight of cybersecurity risk. Companies must describe the board’s oversight of risks from cybersecurity threats, identify any board committee or subcommittee responsible for that oversight and describe the processes by which the board or committee is informed about such risks; the rule also asks whether the persons or committees within management responsible for those risks report information about them to the board of directors or a committee of the board.
When joining an audit committee, it’s important to obtain a clear understanding of how the audit committee supports the board in its oversight of risk, which varies between companies and can change over time.
To remain apprised of the risk universe, the audit committee may occasionally hold joint meetings with the other committees, organize joint deep dives into a particular risk area and recommend to the board that overlapping members be nominated to the relevant committees. Risks brought under the oversight of the audit committee will also influence additional members of management the committee may interact with.
How confident is the audit committee that it understands both the evolution of risks and their interconnectedness?
Does the audit committee confirm that the discussion of existing risks leaves sufficient time to debate emerging ones?
How clear, comprehensive, timely and understandable are updates from management on the specific risk factors that are the primary responsibility of the committee? Are there any required enhancements?
Leading practice audit committees may:
Periodically reassess the list of top risks, determining who in management and which board committees are responsible for each
Require regular reporting of key risk indicators (KRIs) to gain data-driven insights into the company’s risk landscape
Meet directly with key executives responsible for risk management and have some exposure to management below the executive level
Clearly require management to inform the committee of extraordinary risk issues and developments that require the committee’s immediate attention outside of the regular reporting process
Understand the use, if any, of emerging technologies, as well as their relevance to the company and the associated risks
Understand whether IT security processes are updated appropriately
Determine whether the company has an appropriate business continuity plan that has been tested
Leverage COSO frameworks and guidance related to enterprise risk management
How regularly does the audit committee interact with the head of the risk function? To what extent is this occasionally supplemented with reporting from other representatives of the first and second lines, e.g., when the audit committee commissions a deep dive into a particular risk area?
Does the committee assess whether the company has an appropriate business continuity plan that has been tested?
How well does the committee understand how the company has defined its risk appetite and risk tolerance?
Does the committee discuss guidelines and policies to govern the process that the company uses to address and manage its exposure to risk?
[1] Applicable to boards of directors of domestic bank and savings and loan holding companies with total consolidated assets of $100 billion or more (excluding intermediate holding companies of foreign banking organizations established pursuant to the Federal Reserve’s Regulation YY) and systemically important nonbank financial companies designated by the Financial Stability Oversight Council for supervision by the Federal Reserve.
Upholding effectiveness – operations and self-evaluation
With such important responsibilities and an increasing workload, effective functioning of the audit committee is very important.
Specifically, the audit committee is required to:
However, there are many important aspects that make an effective audit committee.
Meetings and executive sessions
Meetings and preliminary agendas are generally planned for at least a year ahead, reflecting the structure of the audit committee’s annual work plan. A meeting planner will be based on the committee charter and set out the timing and requirements for covering each of the committee’s responsibilities. This planner can be shared with directors at each meeting to orient them to the overall context of the meeting, enable them to suggest updates as needed and help them find relevant previous reports, as they can easily see when an item was last discussed.
Onboarding
First, audit committees should confirm that onboarding processes are comprehensive and practical. Before their first meeting, in addition to overall board member orientation that will include key duties of directors and overall business context, new audit committee members should understand:
The audit committee’s requirements and objectives (including extent of involvement in oversight of risk) and the timing of reporting requirements
The internal control (including key risks) and financial reporting process
Key accounting policies and any principles and practices unique to the company’s industry
The intersection of accounting policies with judgmental areas of the company’s financial statements
Internal audit’s responsibilities, background and plan
The scope of the current-year external audit and the timing of reports issued
Management’s background, reporting structure and responsibilities
Pending litigation or contingencies
Code of conduct and whistle-blower policy provisions
Regulatory considerations applicable to the sector
The committee should have a process for confirming that new members have access to the above information, which will include, but not be limited to, the charter and recent audit committee meeting minutes. New audit committee members can also benefit from meeting with key individuals such as the CFO, chief audit executive or head of internal audit, lead independent audit partner, general counsel, chief risk officer and chief information officer. A formalized and tailored process needs to be responsive to the member’s experience and skills.
Materials and reporting to the board
Ongoing education and external insights
Evaluating audit committee effectiveness
Most recently, the average number of meetings of audit committees in the S&P 500 has been eight per year. The proposed schedule for meetings will be aligned to a company’s reporting cycle and linked to the timing of the audit committee chair’s presentations to the full board. The meeting planner will highlight whether the frequency of meetings is appropriate to allow sufficient interval for agreed actions to be addressed and delivered on. For example, the timing of the meeting at which the audit committee will be discussing the annual report needs to be planned sufficiently in advance of final approvals to allow for any arising actions to be taken forward. If not, this can create a sense of urgency and therefore pressure that could result in identified concerns not being properly dealt with.
A significant amount of effort is required to confirm that topical and ad hoc matters find their way onto the agenda and are adequately addressed. Very importantly, any concerns the external auditor may have with respect to internal controls and financial reporting need to be brought to the audit committee’s attention ahead of the meeting. The audit committee should regularly engage with management, internal audit and external audit between official committee meetings.
Giving the external auditor access to the entire audit committee meeting provides them with visibility into areas of the business that are fundamentally important to conduct a high-quality audit. It also signals to other attendees the strength of the relationship between the audit committee and the external auditor. Similar considerations apply to the head of internal audit.
Other members of management tend to be invited for specific sessions only — as part of a deep dive or a topical presentation. Invitees can include the finance department, the general counsel and heads of compliance and risk, and ethics officers. Many audit committees are expanding these lines of communication to include business unit leaders, treasury and tax functions and the chief information officer.
It is common for the CFO (or equivalent) to have a standing invitation to audit committee meetings. The CFO will often stay for the entire duration, except for time allocated specifically for the committee to meet without management present. This reflects the ongoing importance of finance-related topics to the committee’s agenda. It is also typical for the CEO, board chair or lead independent director to be invited to meetings and not uncommon for them to participate.
In addition, the audit committee as a whole is required to:
Audit committees tend to hold executive sessions with the external and internal auditors as a means of reinforcing their independence. Executive sessions can create an air of secrecy, so allocating time for these as part of the calendarization normalizes the practice. For example, meetings with the external auditor without management present should be added as a standing item at least for the audit committee meeting during which year-end results are being discussed.
Additionally, the committee should be cognizant of reporting lines between management providing input to the audit committee and the executive directors who may be present. While there are some standing topics that the audit committee meets to discuss without management present (e.g., with the external auditor), the committee needs to consider whether the presence of the CFO or CEO could compromise the willingness of members of management to speak freely and bring concerns to the audit committee.
Some companies create a template for meeting summaries for the purposes of committee reporting to the board with a focus on significant updates, decisions made and matters requiring board approval. It’s important to avoid repeating full discussions that already took place at the committee level and focus on outcomes and recommendations.
The committee is also required to:
Consider standard sections for the narrative summary such as highlights, trends from internal audit activity during the quarter and emerging risks identified during the quarter. Regarding risk, many committees utilize a dashboard approach, with changes from the previous quarter highlighted, to get an overall picture of the risk profile, supplemented by periodic deep dives on key risk areas and key risk reductions. Include trends or publicly available financial peer data to contextualize risk reporting and better align it with the board-approved risk appetite statement and metrics. Exercise rigor before expanding reporting, assessing whether new metrics truly add value. Reevaluating the degree to which indicators are backward- vs. forward-looking, and the balance of key performance vs. key risk indicators, is often needed.
The quality of the audit committee meeting materials is fundamentally important to members’ ability to effectively prepare for meetings. Materials need to provide the appropriate level of detail for the oversight role held by the audit committee and not stray into management territory. They need to include information, not raw data, and should not include jargon that impedes understandability. It’s important to clearly communicate the committee’s information needs to tailor management reporting appropriately. Specifically, the committee should be clear on which topics should appear before the committee, in what format and level of detail and at which frequency to drive consistency as much as possible. The corporate secretary should confirm that documents are provided in a consistent, standardized format.
Committee members can educate themselves by enrolling in external courses and seminars, as well as by interacting with management, internal auditors, independent auditors and other directors. In addition, many companies invite subject-matter professionals to give presentations at audit committee meetings, allowing members to keep up with current topics. The committee should access external, independent insights as needed and, as previously noted, audit committees:
Given the pace of change, dynamic business environment and emerging risks, audit committees should focus on ongoing education that addresses critical topics relevant to the committee’s needs and incorporate company-specific processes and objectives. Because audit committee members are expected to be financially literate, it’s important for them to keep abreast of accounting and financial reporting developments, as well as any regulatory changes. Additionally, it is critical for the full committee to understand key topics so that all directors can fulfill their fiduciary duties and not unduly rely on the expertise of one or two directors.
In addition, audit committees may want to consider introducing a mechanism for continuous real-time evaluation. For example, post-meeting feedback could be encouraged or required by way of one-to-one check-ins, debrief discussions at the end of meeting or the circulation of a brief, written survey with feedback questions regarding materials, time management, dialogue and agenda focus. Data from this feedback can support chairs in their role and support the annual self‑assessment process.
Regardless of whether it is a formal requirement, many boards consider undergoing a regular performance review to be good practice. The review can be internally or externally facilitated. It is not uncommon for the approach to be rotated, with a self-evaluation conducted annually and an external evaluation conducted every two or three years. When the evaluation is internally facilitated, it is commonly administered by the corporate secretary or general counsel under the direction of the chair. When an external facilitator is appointed, this will generally be done as part of the overall board evaluation processes. The process may include questionnaires, interviews or meeting observations. It may also include individual peer-to-peer assessment and feedback. Consider also gathering insight and feedback from key individuals with whom the committee interacts. An example self-assessment questionnaire can be found here. The committee should review the findings, determine key actions it wishes to take forward, and create a plan for implementing these.
Companies on the NYSE are required to:
Are there any topics or activities that should be added to the onboarding program for future new committee members?
Is the onboarding process rigorous, comprehensive and well-organized?
The audit committee chair will focus on encouraging dialogue and discussion in which all voices are included and on keeping the committee on track with the agenda. Typical quarterly audit committee meetings range from two to four hours, and it’s important to keep directors engaged by not allowing meetings to go too long. Consider putting the most important topics at the beginning of the agenda to make sure they get full attention before the more routine matters.
Are executive sessions appropriately planned and organized? Are the right people in the room at the right times?
How effective is time management within meetings?
Do all committee members participate and is there a culture of openness and constructive dialogue?
How effectively does the committee balance time spent on presentation of materials vs. time spent on discussion and dialogue?
Are committee agendas appropriately planned and organized with a balance between past and future focus? Are there topics the committee should spend more time on?
Agendas need to be set by the audit committee chair, with input from committee members. Management plays a dominant role in preparing the information presented to directors; therefore, the CFO or other members of management should also have input into the process.
Pre-meeting discussions are often held by the audit committee chair, giving them an opportunity to gain deeper knowledge of the areas to be discussed. In actual committee meetings, the audit committee chair should be conscious not to glide over matters that other members may not have a similar understanding of.
In addition, the chair may need to hold one‑on‑one meetings with those involved in delivering presentations, to inform them about the types of questions and challenges they should expect so that they can be well prepared.
Are committee ‘report-outs’ to the board as comprehensive and succinct as possible?
Is the purpose for materials and discussions clear in terms of whether the board needs to discuss, advise or approve?
How effective is the reporting structure and layout utilized to convey information clearly and consistently?
Are committee materials digestible, understandable, actionable and provided with sufficient time ahead of meetings?
How clearly has the committee communicated its information needs and how responsive has management been to feedback?
Are there other topic areas that would be useful to cover in more detail for the committee’s education?
How regularly and effectively does the audit committee obtain independent insights on specific topics to allow for robust challenge of management?
The chair would be responsible for reviewing post-meeting feedback and providing appropriate feedback to parties. The chair may also provide additional coaching and mentoring during pre‑meetings with relevant parties.
How open is the committee to feedback and continuous improvement?
How effectively are opportunities for timely, regular feedback provided outside of any annual assessment?
How comprehensively does the audit committee review its own performance and operations?
Even in cases where individual peer-to-peer assessment is not included in the scope of an assessment, the process will usually include some degree of assessment of the effectiveness of the chair of the committee. In the spirit of continuous feedback, the chair should be open to feedback and find ways to implement feedback.