
A guide for high-performing audit committees

In their oversight capacity, audit committees need to build trust with stakeholders and enable the board to take informed strategic decisions. But how?


In brief

  • Audit committee members need an independent, skeptical mindset and a willingness to challenge management.
  • Oversight of corporate reporting is core to the audit committee’s remit – it must scrutinize the company’s financial and nonfinancial information.
  • As the audit committee owns the relationship with the external auditor, it should hold the auditor to account while fostering open and candid communication.  

Audit committees are a fundamental pillar of good corporate governance, enabling their company to build its trustworthiness vis-à-vis its stakeholders. As a subcommittee of the board (or supervisory board in a dual-board structure), they are responsible for monitoring whether their company delivers high-quality corporate reporting that presents a true and accurate picture of its business performance.

For listed and other public interest companies, the requirements for audit committees are set by national laws, governance codes and stock exchange rules. As a result, these requirements can vary significantly between jurisdictions. What is common across the world, however, is that audit committees have a broad and ever-evolving remit. Currently, this remit is further expanding with the advent of mandatory sustainability reporting and assurance in many markets. As well as overseeing their company’s corporate reporting processes, audit committees oversee internal controls, risk management and the external audit process. Additionally, they may have responsibilities in relation to cybersecurity, taxation and legal compliance, among other areas.

Being an audit committee member is a weighty and often pressured job that requires a substantial time commitment, as well as very specific skills from those who take on the role. So, how can audit committee members be as effective as possible, both as individuals and as a team? A new EY publication, the Audit Committee Guide (pdf), explores this question in depth, offering practical advice for new and existing audit committee members, regardless of where they are based. This article explores some of the chief insights from the guide.

What makes a good audit committee member?

In line with their important role in building trust, integrity and high ethical standards are integral attributes for all audit committee members. They should also be willing and able to ask hard questions of management, and tenacious in their pursuit of answers.

Independence is a common requirement for audit committee members. The reason for this is that when audit committee members are independent, they are more likely to have a skeptical mindset and a willingness to openly challenge management. Additionally, being independent allows them to freely state problems with the company’s corporate reporting or processes, without being unduly influenced by the potentially difficult consequences for the company and its executives.

The proportion of independent directors required on an audit committee can range from at least one, through to the majority, to all. Jurisdictions assess independence in different ways, but common considerations include:

  • Any form of executive involvement or employment at the company or businesses linked to it
  • Significant business relationship with the company or an associated company
  • Family members who may be similarly associated with the company
  • Having recently been a partner at the firm that is conducting the external audit

The cooling-off period (the duration of time that needs to pass after any of the above relationships has been terminated) can be as long as five years in some cases.

Independence can also potentially be impaired by tenure on the committee, or broadly on the board. For example, according to the UK Corporate Governance Code, serving on the board for more than nine years is likely to impair, or could appear to impair, a nonexecutive director’s independence.

Unsurprisingly, given their remit, audit committee members are often required to have financial expertise and skills. Many jurisdictions expect that at least one of the committee members will be financially savvy. As an example, the German Corporate Governance Code requires at least one member of the audit committee to have expertise in the field of accounting, with at least one other having expertise in the field of auditing. Where independence is not required of all members, financial expertise can often be required of the member who is deemed independent.

The additional competencies and experiences required of audit committee members will differ according to the sector and jurisdictions in which their company operates, as well as the specific responsibilities assigned to the audit committee itself. Given the general expansion of the audit committee’s responsibilities, it is not enough for members to have financial competence alone. Increasingly, they are expected to possess a broader range of skills and knowledge. For example, technology is seen as an area of additional knowledge that is vital to audit committee effectiveness, given that cybersecurity is one of the rapidly evolving risks that audit committees must oversee. In fact, audit committees that oversee cybersecurity risks may benefit from having a member with technology expertise.

Tone at the top

The whole board will typically oversee corporate culture. Nevertheless, the audit committee will often be tasked with oversight of the compliance aspects of culture and with promoting the importance of risk management.

To help set the right tone at the top, the audit committee needs to encourage adherence to the code of conduct while championing a culture of integrity and monitoring the company’s whistleblowing arrangements. It should aim to create an environment where people feel able to admit to mistakes and where the collective mindset is geared toward learning, rather than blaming.

Fraud and corruption pose major financial and reputational risks to businesses and can threaten their viability. According to the Association of Certified Fraud Examiners’ 2022 Report to the Nations, organizations lose 5% of their revenue to fraud each year. So, the audit committee requires a good understanding of the incentives and pressures that may lead to management or employees committing fraud or becoming involved in bribery and corruption. It should also be aware of the risks associated with the misuse of data.

Audit committees can also set the right tone through their own interactions with internal and external stakeholders. Typically, they engage with senior executives such as the CFO and head of risk, as well as a cross-section of employees. From an external perspective, the audit committee chair is responsible for addressing shareholders’ concerns effectively and transparently. There may also be cases when the chair interacts with regulators – for example, when there is an inspection of the company’s annual report.

Oversight of corporate reporting

Oversight of the audited financial statements is a core aspect of every audit committee’s remit. When overseeing the financial reporting process, the audit committee’s responsibilities include:

  • Assessing the overall appropriateness of accounting policies. This is especially important where management has applied judgement and made departures from GAAP and industry norms. There should be scrutiny of any voluntary changes to accounting policies, especially policies that are most material to the financial statements or relate to judgements and estimates.

  • Understanding how management calculated material estimates. The audit committee should interrogate the judgements made by management to arrive at the proposed measurement. It should also ensure that objective and credible external data points were used, where available, and appropriate specialist input was sought, where relevant.

  • Scrutinizing matters with material impacts. Examples include a one-off event such as an acquisition or disposal, an unusual transaction with a complex structure, or an off-balance sheet arrangement.

  • Ensuring the consideration of principal risks. The audit committee should check that management has adequately reflected the extent to which principal risks, including climate-related risks, affect the financial statements.

  • Overseeing the selection of alternative performance measures (APMs). Companies commonly use APMs – such as EBITDA, operating profit and earnings per share – in their reporting. However, if APMs are inadequately defined, presented inconsistently, or given undue prominence over measures based on accounting principles, they can give a misleading picture. The audit committee should oversee how APMs are selected, calculated and displayed. It should also challenge whether their use helps to improve transparency and contributes to presenting a true and fair view of the company’s performance.

  • Reviewing related party transactions (RPTs). RPTs carry a heightened risk of fraud. So, the audit committee must be confident that all RPTs have been identified and disclosed. If management states that transactions were carried out at arm’s length, the committee should scrutinize this assertion.

  • Reading the financial narrative in the annual report. The narrative section of the annual report will often include a review of the company’s financial performance and a variety of metrics – both GAAP measures and APMs. The audit committee should read these areas of the report and advise the board as to whether the tone and messaging are consistent with its own understanding of the financial statements. Additionally, the audit committee should scrutinize the entire annual report to ensure that there are no inconsistencies with the assumptions embedded within the financial statements.

  • Scrutinizing the going concern assessment. Financial statements are normally prepared on the assumption that the company will keep operating for the foreseeable future. As there may be circumstances that cast doubt on this assumption, management prepares an assessment that considers the company’s ability to continue as a going concern. The audit committee must scrutinize this assessment, considering different factors, including the reasonableness of assumptions in relation to monthly forecasts and funding sources.

Increasingly, audit committees are also providing oversight around their companies’ environmental and social (E&S) reporting, including in the EU, where they are legally obliged to oversee sustainability reporting under the Corporate Sustainability Reporting Directive. Where audit committees have oversight of E&S reporting, they usually oversee whether the processes for data collection that underpin reporting are robust and lead to reliable, quality reporting. Additionally, they will consider data provenance, the reasonability of underlying assumptions and whether all regulatory reporting requirements have been complied with. They will also oversee integration between the E&S reporting and the financial statements, as well as external assurance, where appropriate.

Oversight of risk management and internal controls

Today’s rapidly changing and dynamic business environment demands that boards oversee a wide spectrum of risks that could potentially impact on their organization. Risks range from economic, financial and geopolitical issues through to technology-related risks and the E&S risks inherent in supply chains.

Traditionally, audit committees have tended to be concerned with oversight of risks related to financial reporting and the related internal controls. Increasingly, however, they are monitoring a far broader range of risks. So much so that many audit committees are known as the “risk and audit committee.” 

As a result, audit committees are devoting more time to understanding the main – or “principal” – risks facing their organization, how the various risks are interconnected, and how these connections are being tracked. They are also ensuring that their company has processes in place to identify “emerging risks.” Emerging risks are new or future risks, with a potential impact that is not yet reliably understood or known but could be high.

As well as ensuring that their company is identifying and assessing risks, an effective audit committee oversees the risk responses implemented by management. They will challenge management over whether these risk responses are in line with the company’s risk appetite as set by the board. Where the design of risk responses is adequate, the audit committee will seek evidence that the responses are operating as intended.

Internal controls are crucial to risk management – which is why oversight of internal controls is one of the audit committee’s most important responsibilities. When exercising this responsibility, the committee considers management’s evaluation of whether the design of the controls is effective. It will also request reporting to assess whether those controls have been implemented and are working as intended. To provide effectual oversight of internal controls, the audit committee needs regular and robust information from the finance team and internal audit function, as well as input from the company’s external auditor.

Often, the internal audit function acts as the audit committee’s eyes and ears on the ground. For this reason, the audit committee is commonly responsible for overseeing internal audit and will regularly assess the quality of its work. Additionally, the audit committee chair would normally be involved with the appointment, appraisal and replacement of the head of internal audit. It is not unusual for the head of internal audit to have a dual reporting line – primarily to the audit committee, with a dotted line to the CFO or CEO.

The audit committee’s role in the external audit

It is the audit committee – not the CFO – that owns the company’s relationship with the external auditor, having responsibility for its appointment, remuneration and oversight. This is a substantial duty given the purpose of the external audit is to provide independent assurance, based on professional standards, that a company’s financial statements are free from material misstatement, provide a fair representation of its financial performance and position, and are therefore a good basis for decision-making by stakeholders.

The process of appointing an auditor requires considerable thought and preparation. When the audit committee puts its company’s audit out for tender, it will consider several factors, including:

  • Timing

    The timescales for audit tendering and rotation vary according to jurisdiction. However, companies can choose to tender or switch audit firms before they are legally required to do so – for example, ahead of the anticipated retirement of the CFO. Also, in some sectors and countries, there may be a limited number of auditors with the necessary experience and skills to perform an audit of a particular company. As a result, an audit committee will sometimes consider when another company will be rotating its audit while developing its own timeline.

  • Independence

    Certain services are subject to a cooling-in period. Typically, this means that a new external auditor cannot have provided these services in the 12 months prior to the start of the first period for which they are external auditor.

  • Selection criteria

    The audit committee will put together a list of selection criteria, which can include accounting and auditing technical ability, geographical presence, use of advanced technological tools in the audit, caliber of key personnel, and value for money.

After conducting the tender process – which will typically involve meetings, site visits and workshops – the audit committee will usually narrow down the bidding audit firms to a shortlist of two and ask those firms to make a presentation. Based on this presentation, the audit committee will make a recommendation to the board. 

Once appointed, it is vital that the audit committee establishes the expectation of open, candid and direct communication between management, the external auditor and the audit committee. The committee should also ensure that the auditor can access all the information it needs to execute the audit to a high standard. Additionally, the committee should scrutinize the audit plan to evaluate the scope of work and planned procedures.
 

The audit committee is responsible for reviewing the auditor’s findings and challenging management over audit differences (the known and projected misstatements identified during the audit process). It should also consider how it will monitor management’s plan to address the findings of the auditor’s “management letter points report” – a summary of observations arising from the audit.
 

Throughout the audit process, the audit committee is responsible for monitoring auditor effectiveness and audit quality. One way of doing this is by using recognized audit quality indicators (AQIs). Some AQIs will relate to the audit practice of the firm (in certain cases, at firm-wide level) while others will relate to the specific engagement. Examples of AQIs include regulatory inspection reports, technical expertise, partner workload and responsiveness, and timing of audit execution, including progress against milestones. The committee must also ensure that the auditor adheres to all relevant independence requirements and that the company’s policy for awarding non-audit work to the auditor reflects these requirements.
 

The audit committee as a highly performing team

Healthy dynamics underpin the performance of effective audit committees, in the same way as they underpin the performance of all highly performing teams. While collegiality is important, an effective audit committee should not be homogenous. Quite the opposite, in fact.
 

In an effective audit committee, dissenting views are heard out, contrarian positions are debated, and open discussion is encouraged. Diversity of thought is cultivated, and there is an emphasis on constructive disagreement.
 

Typically, audit committees consist of three to five members, who are nominated from within the ranks of the board. In some jurisdictions, regulations may stipulate that other company stakeholders, such as employees, are represented on audit committees. Nevertheless, the committee, as a whole, needs to have the financial expertise and industry understanding to effectively discharge its core duties. It must also be committed to continual upskilling so that it can maintain high performance in an era of rapid change.
 

The audit committee needs a robust annual workplan to ensure that it meets all its regulatory and compliance requirements, allowing enough time to robustly debate material issues in meetings. Audit committees should use their meetings to discuss key matters, having read the relevant briefing papers in advance. Meetings should be long enough to allow the audit committee to get to the crux of a particular matter, but not be so long that energy levels wane.
 

A high-performing audit committee will welcome the perspectives of others. Nevertheless, it should exercise caution when allowing other board members, who are not committee members, to participate in its meetings. In particular, the presence of the full board could inhibit the committee’s ability to function effectively, especially if the chair of the board inadvertently assumes a leading role in the meeting and thereby unduly influences the independent work of the audit committee.
 

Self-evaluation underpins audit committee effectiveness. To ensure that they can continue to fulfill their important responsibilities, committees should undertake periodic evaluations of their own effectiveness, which can be either internally or externally facilitated. The audit committee chair can then develop a plan to address any findings.


Summary 

By providing confidence in the integrity of corporate reporting, audit committees enable their companies to comply with their regulatory obligations and meet the demands of their stakeholders. They also support both the board and the management team to make informed strategic decisions. Without the existence of effective audit committees, corporate governance would almost certainly be weaker, and there would be less trust in the information provided by companies.
