EY - Leading practices for audit committees

Leading practices for audit committees

As an audit committee member, your role is increasingly complex and demanding. Regulators, standard-setters and investors are pressing for more transparency. We share some leading practices to consider as you carry out your role.

  • Financial reporting oversight

    As financial reporting becomes more complex, the audit committee should determine whether the financial statements are understandable and transparent.

    Leading practices

    • Consider whether the company reports information that is reliable and understandable
    • Continually evaluate capabilities of company personnel
    • Understand complex accounting and reporting issues and how management addresses them
    • Continue to focus on matters such as potential asset impairments, quality of earnings, cash flows and liquidity position, pension and major obligations and other ongoing business, risk and financial statement issues affected by economic conditions
    • Review significant financial reporting and regulatory developments, including their effect on the financial statements and on the company’s resource needs
    • Invest time in understanding the company’s operations and significant risks
    • Assess the quality of the accounting principles and their appropriateness, considering alternative treatments under US generally accepted accounting principles (US GAAP)
    • Inquire about management’s considerations of its revenue recognition policies, including how the company accounts for complex revenue arrangements and whether any changes in revenue recognition policies were made in the current year


  • Risk oversight

    The audit committee’s role is to review and challenge, where appropriate, the company’s assessment of its risk profile and determine that risk management processes are in place.

    Leading practices

    • Understand the company’s framework for risk assessment and management’s related policies and procedures
    • Understand how the company documents and responds to identified risks, including cyber risks
    • Review whether the company is appropriately focusing on its risk intelligence gathering and assessment processes, and understand the company’s ability to both identify emerging risks and anticipate risk events
    • Review whether the risk disclosures in the financial statements and the Form 10-K are appropriate, robust and understandable
    • Review the company’s major financial risk areas and understand the adequacy of controls and monitoring procedures in place
    • Periodically reassess the list of top risks, determining who in management and which board committees are responsible for each
    • Meet directly with key executives responsible for risk management and focus on whether they understand that they should inform the committee of extraordinary risk issues and developments that require the committee’s immediate attention outside of the regular reporting process
    • Focus on the company’s plans for achieving any information technology (IT) milestones
    • Understand the use of emerging technologies such as cloud computing, as well as their relevance to the company and the associated risks
    • Understand whether IT security processes are updated appropriately


  • Oversight of internal controls

    While the audit committee’s key focus is on internal controls over financial reporting, that focus is expanding to assist with the board’s legal and regulatory compliance efforts.

    Leading practices

    • Understand key controls and financial reporting risk areas as assessed by financial management, the internal auditor and the independent auditor
    • Understand risk issues involving taxes
    • Understand internal audit’s role and planned coverage
    • Meet with the internal audit director on a regular basis
    • Assess and help set the company’s tone at the top
    • Consider levels of authority and responsibility in key areas, including pricing and contracts, acceptance of risk, commitments and expenditures
    • Monitor implementation of significant internal control changes
    • Determine whether the company devotes the resources required for its internal control processes to function effectively
    • Understand the company’s process for refreshing its focus on the control environment


  • Relationship with the independent auditor

    The audit committee appoints the independent auditor, assesses its independence, discusses the audit scope and results and determines the independent auditor’s compensation.

    Leading practices

    • Exercise ownership of the relationship with the independent auditor
    • Get to know the lead partners and meet with them periodically
    • Establish expectations about the nature and method of communication, as well as the exchange of insights
    • Review the proposed audit plan and scope of work
    • Engage in regular dialogue outside the scheduled meetings
    • Focus on independence, including the preapproval process
    • Consider the findings from the audit and determine that management responds to the findings
    • Discuss with the auditors their views regarding the company’s internal controls over financial reporting
    • Seek the auditor’s views on the effectiveness of the company’s governance process
    • Provide formal evaluations of the auditor as well as regular feedback


  • Working with management

    Audit committees rely heavily on management and therefore need an open and effective relationship.

    Leading practices

    • Focus on the tone at the top, culture, ethics and hotline monitoring
    • Work with management to anticipate and identify emerging issues
    • Provide input to management’s goal setting
    • Discuss succession planning for the CFO and staff
    • Conduct annual evaluations assessing management's competency and integrity


  • Working with internal auditors

    Many audit committees are interacting with the company’s internal auditors much more frequently.

    Leading practices

    • Determine whether the internal auditors have a direct functional reporting line to the audit committee and an indirect line to senior management for administrative activities
    • Be involved with the internal audit risk assessment and audit plans
    • Understand whether the internal audit department is viewed as objective and competent by the independent auditors
    • Establish how the internal audit function relates to other risk-related functions, such as legal, security, environmental health and safety, compliance and credit risks, considering duplication of efforts or gaps between these functions
    • Conduct annual evaluations assessing the effectiveness and competence of the internal audit department


  • Committee composition and operations

    Diverse perspectives and thinking help strengthen the quality of audit committee deliberations and provide real value to companies and shareholders.

    Leading practices

    • Focus on committee composition issues, including independence, financial expertise, broad business or leadership experience, and succession planning
    • Evaluate the expertise and competence of the members in the context of the company’s strategy and risk profile today and for the next several years
    • Consider the ability to work collectively, to challenge decisions in a credible manner and to avoid groupthink
    • Help promote healthy skepticism among fellow committee and board members
    • Consider periodically rotating audit committee members, staggering the terms of service to bring in new skills and perspectives
    • Engage independent advisers as necessary
    • Align audit committee meeting materials and agendas with priority areas
    • Present compliance matters, standard reports and informational items at the end of advance material packages and meetings
    • Follow meetings with private and executive sessions with independent auditors and the internal auditor


  • Self-assessment and evaluation

    Regular performance evaluation enables the audit committee to determine that it is meeting the expectations of its members, the full board and regulators.

    Leading practices

    • Perform a self-assessment in a thorough and thoughtful manner rather than treating it as a compliance exercise
    • Consider evaluating the performance of individual committee members and assessing the effectiveness of the committee as a whole
    • Consider using self-assessment results as a catalyst to re-engineer processes, procedures and agendas
    • Communicate with the board on activities and recommendations
    • Consider the committee’s composition in the context of the company’s current and future strategy and challenges


  • Interaction with the compensation committee

    Overseeing the assessment and disclosure of compensation-related risks is mainly the role of the compensation committee and the full board. However, the audit committee can help assess how certain financial metrics are employed in the company’s compensation plans.

    Leading practices

    • Coordinate with the compensation committee to assess how certain financial metrics are employed in the company’s compensation plans and to review the proxy statement
    • Periodically conduct meetings with the compensation committee about management incentives and related topics
    • Consider, together with the compensation committee, the appropriateness of the incentive structure and whether it contributes to increased fraud risk
    • Determine whether adequate and appropriate attention is being paid to the compensation of officers and directors, including the appropriate use of corporate assets such as planes and apartments


  • Executive sessions

    Audit committees are increasingly holding private sessions, often with internal audit, the independent auditor and management. Audit committee members may use this time to explore matters in greater detail, reflect on issues and identify follow-up actions.

    Leading practices

    • Schedule regular sessions with and without internal audit, the independent auditor and management
    • Schedule regular sessions with various members of management, such as the CFO, controller, general counsel and others
    • Consider private audit committee sessions both before and after meetings with the internal auditor, the independent auditor and management
    • Provide clear objectives and expectations for each meeting
    • Prepare specific topics and questions
    • Understand the response and resolution for each issue raised


  • Training and education

    Audit committee members — especially those who are new to the role — need sufficient training and education to fulfill their responsibilities.

    Leading practices

    • Make sure that board education as described in the company’s corporate governance guidelines is consistent with New York Stock Exchange (NYSE) listing standards
    • Provide orientation for new audit committee members
    • Consider offering continuing education in specialized or regulated industry matters, industry trends, reporting, operations and regulated topics
    • Consider customized programs of continuing education that address topics relevant to the committee’s needs and incorporate company-specific processes and objectives
    • Offer one-on-one and committee-level education