ABC COMPANY AUDIT COMMITTEE HANDBOOK
Table of Contents
Introduction
Good practice principles for Audit Committees
Role of the Audit Committee
Terms of Reference
Membership, Independence, Objectivity and Understanding
Independence
Relationship with the Executive
Conflicts of Interest
Terms of Appointment
Skills
Additional Skills
Training and Development
Scope of work
Overall Assurance
Internal and External Audit
Financial Reporting
Communication
Co-ordination between the Audit Committee and the Board of Directors
Annual Reports
Bilateral Communications
Appendix A. Model Audit Committee Charter
Appendix B. The Role of the Chairperson
Appendix C. Committee Support
Appendix D. Model Letter of Appointment to the Audit Committee
Appendix E. Model of Work Programme
Appendix F. Fraud and the Responsibilities of the Audit Committee
Appendix G. Internal Control: A Tool for the Audit Committee
Appendix H. Key Questions for the Audit Committee to Ask
Appendix I. Audit Committee Competency Framework
Appendix J. Audit Committee Self Assessment Checklist
Appendix K. Model of Corporate Governance Questionnaire
Appendix L. Model of Audit Committee Annual Report
Appendix M. Model of a Whistle-blowing Policy
Appendix N. Model Policy on Using External Auditor for Non-audit Services
Appendix O. Model Policy on Employing Former Employees of the External Auditor
Appendix P. Evaluation of the External Auditor
Appendix Q. External Audit: Model of the Terms of Reference
Appendix R. Guidelines for Hiring the Chief Audit Executive (CAE)
Appendix S. Internal Audit: Model of the Terms of Reference
Appendix T. Engaging Independent Counsel and Other Advisers
Appendix U. Model of an Internal Audit Plan
Appendix V. Model of an Internal Audit Report
Appendix W. Evaluation of Internal Audit
Appendix X. Self-Assessment of the Audit Committee
Audit Committee Handbook
In today's complex world, the Audit Committee can contribute tremendously to a 'no surprise' environment. An effective Audit Committee should be a key feature in a strong, effective governance culture and bring significant benefits to the Company. Carefully designed practices can also help the Audit Committee to maximise its contribution to the ABC Company. Developing practices which are based on robust principles - whether terms of reference, recruiting the right members, or focused agendas and rigorous processes - is fundamental in fulfilling the Audit Committee's responsibilities. This handbook articulates the principles underlying the role of the Audit Committee. It provides guidance to help Audit Committee members to gain a better understanding of the processes and issues that drive effective oversight of risk management, control and governance, and of economy, efficiency and effectiveness. The main focus of the Audit Committee’s work is related to internal control matters, such as the safeguarding of assets, the maintenance of proper accounting records and the reliability of financial information.
Today, the Audit Committee’s primary role is to conclude upon the adequacy and effective operation of the ABC Company’s overall internal control system. In performing that role the Audit Committee’s work will predominantly focus upon the framework of risks, controls and related assurances that underpin the delivery of the Company’s objectives (the Assurance Framework). As a result, the Audit Committee has a pivotal role to play in reviewing the disclosure statements that flow from the Company’s assurance processes. In particular these cover the Statement on Internal Control, included in the Annual Financial Statements. Both of these documents should come to the Audit Committee before being submitted for approval to the Board. It is the responsibility of the Board of Directors to establish and maintain processes for governance. The Audit Committee independently monitors, reviews and reports to the Board of Directors on the processes of governance and, where appropriate, facilitates and supports, through its independence, the attainment of effective processes. We hope that this handbook will help Audit Committee members to identify and achieve their objectives and add value to governing bodies, their organisations and other stakeholders.
Good practice principles for Audit Committees
1. Role of the Audit Committee
The Audit Committee shall support the Board of Directors and the Managing Director by reviewing the comprehensiveness of assurances in meeting the Board of Directors and Managing Director’s assurance needs, and reviewing the reliability and integrity of these assurances.
2. Membership, Independence, Objectivity and Understanding
The Audit Committee shall be independent and objective; in addition each member shall have a good understanding of the objectives and priorities of the organisation and of their role as the Audit Committee member.
3. Skills
The Audit Committee shall corporately own appropriate skills to allow it to carry out its overall function.
4. Scope of Work
The scope of the Audit Committee’s work shall be defined in its Terms of Reference, and encompass all the assurance needs of the Board of Directors and the Managing Director. Within this, the Audit Committee shall have particular engagement with the work of Internal Audit, the work of the External Auditor, and Financial Reporting issues.
5. Communication
The Audit Committee shall ensure it has effective communication with the Board of Directors, the Chief Audit Executive, the External Auditor, and other stakeholders.
In addition, the role of the Chairperson and provision of appropriate secretariat support are important elements in achieving Audit Committee effectiveness. The Chairperson of the Audit Committee has particular responsibility for ensuring that the work of the Audit Committee is effective, that the Audit Committee is appropriately resourced, and is maintaining effective communication with stakeholders. The Audit Committee shall be provided with appropriate secretariat support to enable it to be effective. This is more than a minute taking function - it involves providing pro-active support for the work of the Audit Committee and helping its members to be effective in their role.
Role of the Audit Committee
Terms of Reference
The Audit Committee shall be given formal Terms of Reference by the Board of Directors. These shall be reviewed regularly and in turn shall require the Audit Committee to regularly review its own effectiveness. The Audit Committee shall have appropriate authority to require any member of the organisation either to:
• Attend the Audit Committee meeting; or
• Provide written report(s) to the Audit Committee for the purpose of providing information to assist the Audit Committee in fulfilling its role of advising the Board of Directors.
The Audit Committee will require access to funding to cover the costs incurred in fulfilling its role. The funding shall be sufficient to:
• Adequately meet the remuneration and working expenses of its members;
• Adequately meet the relevant training needs of its members;
• Provide specialist (external) advice or opinions when required; and
• (If agreed as appropriate in the organisation) provide external review of the effectiveness of the Audit Committee.
Membership, Independence, Objectivity and Understanding
An effective Audit Committee must have members who are both independent and objective. It is good practice, so far as possible, for Audit Committee members to be independent non-executive Board members. However, many organisations will not have sufficient independent non-executive Board members who are also willing to serve as Audit Committee members to provide sufficient numbers or skills for the Audit Committee. When there are insufficient non-executive Board members to form the Audit Committee, independent external members need to be appointed. These members will be appointed to the Audit Committee but not to the Board of Directors. They will often be chosen because of particular skills or experience that they hold which will be beneficial to the Audit Committee. They may be remunerated at an appropriate rate for the time and effort they are expected to contribute. As Audit Committee membership will be the only contact they have with the organisation, such members will have to make particular efforts to obtain and maintain appropriate understanding of the organisation, which is vital if they are to make a meaningful contribution to the Audit Committee’s considerations. In this respect, appropriate induction training is critical, as is an ongoing programme of activity to ensure the member maintains sufficient appropriate contact with the organisation.
Relationship with the Executive
Executive members of the organisation shall not be appointed to the Audit Committee. The role of the Executive is to attend, to provide information, and to participate in discussions, either for the whole duration of a meeting or for particular agenda items. The Managing Director and the Chief Financial Officer shall routinely attend the Audit Committee. It is also normal for the Chief Audit Executive and a representative of the External Auditor to attend. However, the Terms of Reference should provide for the Audit Committee to sit privately without any non-members present for all or part of a meeting if they so decide.
Conflicts of Interest
Normally the process for recording declarations of conflicts of interests in the Audit Committee shall mirror the processes used at Board level. Each member of the Audit Committee shall take personal responsibility to pro-actively declare any potential conflict of interest arising out of business arising on the Audit Committee’s agenda or from changes in the member’s personal circumstances. The Chairperson of the Audit Committee shall then determine an appropriate course of action with the member. For example, the member might simply be asked to leave while a particular item of business is taken; or in more extreme cases the member could be asked to leave the Audit Committee.
If it is the Chairperson who has a conflict of interest, the Board of Directors shall ask another member of the Audit Committee to lead in determining the appropriate course of action. A key factor in determining the course of action will be the likely duration of the conflict of interest: a conflict likely to endure for a long time is more likely to suggest that the member should leave.
Terms of Appointment
All members of Audit Committees shall have a clear understanding of:
• What is expected of them in their role, including time commitments;
• How their individual performance will be appraised, including a clear understanding of what would be regarded as unsatisfactory performance and the criteria which would indicate that the termination of Audit Committee membership shall be considered; and
• The duration of their appointment and how often it may be renewed.
The terms of appointment of the Audit Committee member shall be clearly set out at the time of appointment in a Letter of Appointment. The letter shall also specify what other activities the individual may or may not undertake in relation to the organisation. The impact on independence of further remuneration from other activities shall be given careful consideration.
The Audit Committee is charged with ensuring that the Board of Directors and Managing Director of the organisation gain the assurance they need on risk management, governance and internal control. So, it needs a range of skills and experience relevant to various aspects of risk, governance and control. Because of the importance of financial management and financial reporting to every organisation, at least one member of the Audit Committee shall have recent and relevant financial experience. This experience shall be sufficient to allow them to competently engage with financial management and reporting in the organisation, and associated assurances. The Audit Committee shall identify, and agree with the Board of Directors, the other skills required for Committee effectiveness. These identified skills shall inform the choice of members of the Audit Committee. The required skills set shall be periodically reviewed.
The Audit Committee shall be empowered to either:
• Co-opt members for a period of time (not exceeding a year, and with the approval of the Board of Directors) to provide specialist skills, knowledge and experience which the Audit Committee needs at a particular time; or
• Procure specialist advice at the expense of the organisation on an ad-hoc basis to support them in relation to particular pieces of Committee business. Budgets for such procurement shall be approved by the Board of Directors.
Training and Development
All Audit Committee members, whatever their status or background, will have training and development needs. Those who have recently joined the Audit Committee will need induction training, either to help them understand their role; or if they have Audit Committee experience elsewhere, to help them understand the organisation.
Scope of work
In most organisations there are a number of sources of assurance, both internal and external, sometimes primarily intended for the benefit of the organisation and sometimes primarily intended for the benefit of other stakeholders. The Board of Directors and Managing Director’s assurance needs are largely met by evaluating the various sources of assurance (or gaps in sources of assurance), testing and determining their reliability, and then forming an overall view on the state of risk management, governance and internal control (which is especially important in supporting the Statement on Internal Control). Overall assurance of this kind is unlikely to be capable of expression in a single phrase, sentence or indicator because it is highly unlikely that all risk will be equally managed. Rather, the overall view may draw attention to areas where:
• Risk is being appropriately managed (no action is needed);
• Risk is inadequately controlled (action is needed to improve control);
• Risk is over controlled (resource is wasted which could be diverted to other use);
• There is lack of evidence to support a conclusion - and if this concerns areas material to the operations of the organisation more audit and/or assurance work will need to be done.
Internal and External Audit
The work of Internal Audit is carried out primarily for the benefit of the Board of Directors and Managing Director of the organisation. Although the work of the External Auditor is normally primarily conducted for the benefit of shareholders, it is still of significant benefit to the organisation as well. The work of Internal Audit is likely to be the single most significant resource used by the Audit Committee in discharging its responsibilities. This is because the Chief Audit Executive, in accordance with Generally Accepted Auditing Standards, has a responsibility to submit an annual opinion on the overall adequacy and effectiveness of the organisation’s risk management, control and governance processes. There is consequently a major synergy between the purpose of the Chief Audit Executive and the role of the Audit Committee.
The role of the Audit Committee in relation to Internal Audit shall include advising the Board of Directors and Managing Director on:
• The Audit Strategy and periodic Audit Plans, forming a view on how well they support the Chief Audit Executive’s responsibility to provide an annual opinion on the overall adequacy and effectiveness of the Company’s risk management, control and governance processes.
• The results of Internal Audit work, and management response to issues raised by that work.
• The resourcing of Internal Audit.
• The Terms of Reference (or equivalent) for Internal Audit.
Whilst the work of the External Auditor is not primarily conducted for the benefit of the Company or its Audit Committee, the Audit Committee shall nevertheless engage with the activity of the External Auditor. As well as considering the results of external audit work, they shall enquire about and consider the External Auditor’s planned approach and the way in which the External Auditor is co-operating with Internal Audit to maximise overall audit efficiency, capture opportunities to derive a greater level of assurance and minimise unnecessary duplication of work.
The Audit Committee will not itself be able to review the accounts in detail in order to advise the Managing Director whether they are true and fair. In reaching a view on the accounts, the Audit Committee shall consider:
• Key accounting policies and disclosures;
• Assurances about the financial systems which provide the figures for the accounts;
• The quality of the control arrangements over the preparation of the accounts by the Chief Financial Officer;
• Key judgements made in preparing the accounts;
• Any disputes arising between those responsible for preparing the accounts and the Auditor.
Co-ordination between the Audit Committee and the Board of Directors
The work of the Audit Committee needs to be effectively communicated if it is to be effective. After each meeting of the Audit Committee a report shall be prepared for the Board of Directors and Managing Director to:
• Summarise the business taken by the Audit Committee, explaining if necessary why that business was regarded as important; and
• Offer the views and advice from the Audit Committee on issues on which they consider the Board of Directors or Managing Director should be taking action.
If the minutes of the Audit Committee meeting are used as the report, care shall be taken in their presentation to highlight the advice being provided. These reports shall normally be copied to the Chief Audit Executive and to the External Auditor (especially if the report contains advice about or to the Auditor).
The Audit Committee shall also provide an Annual Report, timed to support preparation of the Statement on Internal Control. This internal report needs to be open and honest in presenting the Audit Committee’s views if it is to be of real benefit to the Board of Directors and Managing Director. The Annual Report shall summarise the Audit Committee’s work for the year past, and present the Audit Committee’s opinion about:
• The comprehensiveness of assurances in meeting the Board of Directors and Managing Director’s needs;
• The reliability and integrity of these assurances;
• Whether the assurances available are sufficient to support the Board of Directors and the Managing Director in their decision-taking and their accountability obligations;
• The implication of these assurances for the overall management of risk;
• Any issues that the Audit Committee considers pertinent to the Statement on Internal Control and any long term issues that the Audit Committee thinks the Board of Directors and/or Managing Director should give attention to;
• Financial reporting for the year;
• The quality of both Internal and External Audit and their approach to their responsibilities; and
• The Audit Committee’s view of its own effectiveness, including advice on ways in which it considers it needs to be strengthened or developed.
There shall be mutual rights of access among each of the Chairperson of the Audit Committee, the Managing Director, the Chief Audit Executive, and the External Auditor. Whether or not that right of access is exercised, there shall be an annual bilateral meeting between the Chairperson of the Audit Committee and each of these parties to ensure that there is clear understanding of expectations and mutual understanding of current issues.
Appendix A. Model Audit Committee Charter
Purpose
To assist the Board of Directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company's process for monitoring compliance with laws and regulations and the Code of Conduct.
Authority
The Audit Committee has authority to conduct or authorise investigations into any matters within its scope of responsibility. It is empowered to:
• Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organisation.
• Resolve any disagreements between management and the Auditor regarding financial reporting.
• Pre-approve all auditing and non-audit services.
• Retain outside counsel, accountants, or others to advise the Audit Committee or assist in the conduct of an investigation.
• Seek any information it requires from employees - all of whom are directed to cooperate with the Audit Committee's requests - or external parties.
• Meet with company officers, External Auditor, or outside counsel, as necessary.
Composition
The Audit Committee shall consist of at least three and no more than six members. The Board of Directors or its nominating Committee shall appoint Committee members and the Chairperson of the Audit Committee. Each Committee member shall be both independent and financially literate. At least one member shall be designated as the "financial expert," as defined by applicable legislation and regulation.
Meetings
The Audit Committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All Committee members are expected to attend each meeting. The Audit Committee will invite members of management, Auditor or others to attend meetings and provide pertinent information, as necessary. It will hold private meetings with Auditor (see below) and executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. Minutes will be prepared.
Responsibilities
The Audit Committee will carry out the following responsibilities:
Financial Statements
• Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements.
• Review with management and the External Auditor the results of the audit, including any difficulties encountered.
• Review the annual financial statements, and consider whether they are complete, consistent with information known to Committee members, and reflect appropriate accounting principles.
• Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information.
• Review with management and the External Auditor all matters required to be communicated to the Audit Committee under Generally Accepted Auditing Standards.
• Understand how management develops interim financial information, and the nature and extent of internal and External Auditor involvement.
• Review interim financial reports with management and the External Auditor before filing with regulators, and consider whether they are complete and consistent with the information known to Committee members.
• Consider the effectiveness of the company's internal control system, including information technology security and control.
• Understand the scope of Internal and External Auditor’s review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management's responses.
• Review with management and the Chief Audit Executive the charter, activities, staffing, and organisational structure of the Internal Audit function.
• Have final authority to review and approve the annual audit plan and all major changes to the plan.
• Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the Chief Audit Executive.
• At least once per year, review the performance of the CAE and concur with the annual compensation and salary adjustment.
• Review the effectiveness of the Internal Audit function, including compliance with Generally Accepted Auditing Standards.
• On a regular basis, meet separately with the Chief Audit Executive to discuss any matters that the Audit Committee or Internal Audit believe should be discussed privately.
• Review the External Auditor’s proposed audit scope and approach, including coordination of audit effort with Internal Audit.
• Review the performance of the External Auditor, and exercise final approval on the appointment or discharge of the Auditor.
• Review and confirm the independence of the External Auditor by obtaining statements from the Auditor on relationships between the Auditor and the company, including non-audit services, and discussing the relationships with the Auditor.
• On a regular basis, meet separately with the External Auditor to discuss any matters that the Audit Committee or the Auditor believe should be discussed privately.
• Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management's investigation and follow-up (including disciplinary action) of any instances of non-compliance.
• Review the findings of any examinations by regulatory agencies, and any Auditor observations.
• Review the process for communicating the Code of Conduct to company personnel, and for monitoring compliance therewith.
• Obtain regular updates from management and company legal counsel regarding compliance matters.
• Regularly report to the Board of Directors about Committee activities, issues, and related recommendations.
• Provide an open avenue of communication between Internal Audit, the External Auditor, and the Board of Directors.
• Report annually to the shareholders, describing the Audit Committee's composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services.
• Review any other reports the Company issues that relate to Committee responsibilities.
• Perform other activities related to this charter as requested by the Board of Directors.
• Institute and oversee special investigations as needed.
• Review and assess the adequacy of the Audit Committee charter annually, requesting Board approval for proposed changes, and ensure appropriate disclosure as may be required by law or regulation.
• Confirm annually that all responsibilities outlined in this charter have been carried out.
• Evaluate the Audit Committee's and individual members' performance on a regular basis.
Appendix B. The Role of the Chairperson
The role of the Chairperson of the Audit Committee goes a good deal beyond chairing meetings. Indeed it is the key to achieving Committee effectiveness. The additional workload should be taken into account when appointing the Chairperson. Exactly how a particular Chairperson manages the Audit Committee will vary depending on the character of the individual and the needs of the specific organisation. Key activities beyond Committee meetings shall include the following:
Agenda Setting
• Before each meeting the Chairperson and the Audit Committee Secretary shall meet to discuss and agree the business for the meeting. The Chairperson shall take ownership of, and have final say in, the decisions about what business will be pursued at any particular meeting.
Communication
• The Chairperson shall ensure that after each meeting appropriate reports are prepared from the Audit Committee to the Board of Directors and to the Managing Director.
• The Chairperson shall ensure that the Audit Committee provides a suitable Annual Report to the Board of Directors.
• The Chairperson shall have bilateral meetings at least annually with the Managing Director, the Chief Audit Executive and the External Auditor, and with the Chairperson of the Board of Directors. In addition, the Chairperson shall meet any people newly appointed to these positions as soon as practicable after their appointment.
• The Chairperson shall also ensure that all Committee members have an appropriate programme of interface with the organisation and its activities to help them understand the organisation, its objectives, business needs and priorities.
Monitoring actions
• The Chairperson shall ensure that there is an appropriate process between meetings for action points arising from Committee business to be appropriately pursued.
• The Chairperson shall also ensure that members who have missed a meeting are appropriately briefed on the business conducted in their absence.
The Chairperson may choose to rely on the Secretariat to take these actions.

Appraisal
• The Chairperson shall take the lead in ensuring that Committee members are provided with appropriate appraisal of their performance as a Committee member and that training needs are identified and addressed.
• The Chairperson shall themselves seek appraisal of their performance from the Managing Director (or Chairperson of the Board of Directors), as appropriate.
• The Chairperson shall ensure that there is a periodic review of the overall effectiveness of the Audit Committee and of its Terms of Reference.

Appointments
• The Chairperson shall be involved in the appointment of new Committee members, including providing advice on the skills and experience being sought by the Audit Committee when a new member is appointed.
Appendix C. Committee Support
The secretariat shall be able to support the Chairperson of the Audit Committee in identifying business to be taken, and the relevant priorities of the business. For this reason, and as the Audit Committee is a committee of the Board of Directors, the Audit Committee Secretariat function shall be supervised by the Board of Directors secretariat.

The Chairperson of the Audit Committee and the secretariat shall agree procedures for commissioning briefing to accompany business items on the Audit Committee’s agenda and timetables for the issue of meeting notices, agendas, and minutes. The Chairperson of the Audit Committee shall always review and approve minutes of meetings before they are circulated.

The specific responsibilities of the Audit Committee Secretariat shall include:
• Meeting with the Chairperson of the Audit Committee to prepare agendas for meetings;
• Commissioning papers as necessary to support agenda items;
• Circulating meeting documents in good time before each meeting;
• Arranging for executives to be available as necessary to discuss specific agenda items with the Audit Committee during meetings;
• Keeping a record of meetings and providing draft minutes for the Chairperson’s approval;
• Ensuring action points are being taken forward between meetings;
• Supporting the Chairperson in the preparation of Audit Committee reports to the Board of Directors;
• Arranging the Chairperson’s bilateral meetings with the Managing Director, the Chief Audit Executive and the External Auditor, and with the Chairperson of the Board of Directors;
• Keeping the Chairperson and Committee members in touch with developments and relevant background information about developments in the organisation;
• Maintaining a record of when members’ terms of appointment are due for renewal or termination;
• Ensuring that appropriate appointment processes are initiated when required;
• Ensuring that new members receive appropriate induction training, and that all members are supported in identifying and participating in ongoing training;
• Managing budgets allocated to the Audit Committee.

Careful consideration shall be given to ensuring that the Audit Committee Secretariat function is not biased. If the function is provided by Internal Audit there may be a risk of bias towards Internal Audit interests. On the other hand, there is merit in ensuring the secretariat is independent of pressure from senior management, as could happen if the Board of Directors Secretariat also supports the Audit Committee.

When the Audit Committee decides to meet privately, the Chairperson shall decide whether the secretariat members should also withdraw. If so, the Chairperson shall ensure that an adequate note of proceedings is kept to support the Audit Committee’s conclusions and advice.
Appendix D. Model Letter of Appointment to the Audit Committee
(Date)

Dear (Name of Committee Member)

You are hereby appointed by the Board of Directors as a member of the Audit Committee of (organisation). As a member of the Audit Committee you are accountable to the Board of Directors through the Chairperson of the Audit Committee. Your appointment is for (number) years from (date). This appointment may be renewed (number) times (by mutual agreement) after the duration of this appointment.

The Audit Committee is a Committee of the Board of Directors of (organisation) and the purpose of the Audit Committee is to:
• Review the comprehensiveness of assurances in meeting the Board of Directors and Managing Director’s assurance needs;
• Review the reliability and integrity of these assurances;
• Advise the Board of Directors and the Managing Director about how well assurances consequently support them in decision taking and in discharging their accountability obligations.

A copy of the Audit Committee’s Terms of Reference is enclosed. The Audit Committee is chaired by (name) and the other members are (names). (It is recommended that the new member be provided with a list of their contact details)

Support and Training
The Secretary of the Audit Committee is (name / contact details) and they will shortly be in touch with you to discuss and arrange appropriate induction training. To help you understand the governance arrangements and the role of Audit Committees, a copy of the “Audit Committee Handbook” is enclosed with this letter of appointment.

Commitment and Remuneration
Your duties as the Audit Committee member are expected to typically take (number) days per annum, including time to read papers in preparation for meetings and a programme of activity to keep you in touch with the organisation’s activities and priorities. The Audit Committee normally meets (number) times each year, but additional meetings may be required from time to time. Your remuneration will be (include details of amount and means by which it will be paid).

Conflicts of Interest
If during your period of appointment to the Audit Committee your personal circumstances change in any way that may provide a conflict of interest for you in your Audit Committee role, you must declare the circumstances to the Chairperson of the Audit Committee.

Appraisal
As a member of the Audit Committee you will be subject to appraisal by the Chairperson of the Audit Committee (include brief details of the appraisal process).

Termination
If you choose to resign from this appointment you will be expected to give (number) months’ notice, unless your circumstances have changed in a way that makes it appropriate for you to resign immediately. If your performance as the Audit Committee member is decided to be unacceptable (see appraisal) or if your conduct (including conflicts of interests) is unacceptable your appointment may be terminated by the Board of Directors.
Appendix E. Model of Work Programme
Spring Meeting
• Comment on the accounts for the year just finished prior to their finalisation and submission for audit;
• Advise on the content of the Statement on Internal Control for the year just finished, to be presented alongside the finalised accounts;
• Review Internal Audit’s finalised periodic work plan for the financial year just begun;
• Agree the Audit Committee’s annual report to the Board of Directors and Managing Director.

Summer Meeting
• Review and consider the accounts;
• Consider (emerging) External Auditor’s opinion for the financial year just finished and advise the Managing Director on signing the accounts and the Statement on Internal Control (SIC);
• Consider Internal Audit opinion for the financial year just finished;
• Discuss the implications of the result of the Managing Director’s review of effectiveness of the system of internal control in relation to the Statement on Internal Control.

Some Audit Committees choose to have an additional meeting timed to deal with no business other than the pre-recess finalisation of the accounts.

Autumn Meeting
• Consider mid-year report on emerging findings from Internal Audit;
• Consider the External Auditor’s management letter for the previous year, any emerging findings from the current interim / in-year work of the External Auditor, and External Auditor’s approach to their work;
• Consider the External Auditor’s strategy proposed in respect of the current year’s accounts;
• Consider any residual actions arising from the previous year’s work of both internal and external audit.

Winter Meeting
• Advise on the Internal Audit strategy and the periodic work plan for the beginning of the new financial year;
• Consider areas in which the Audit Committee will particularly promote cooperation between External Auditor and other review bodies in the coming year;
• Re-visit emerging findings from the External Auditor and review actions in response to the External Auditor’s management letter;
• Consider the Audit Committee’s own effectiveness in its work.
Appendix F. Fraud and the Responsibilities of the Audit Committee
The Audit Committee shall take an active role in the prevention and deterrence of fraud, as well as an effective ethics and compliance program. The Audit Committee shall constantly challenge management and the External Auditor to ensure that the organisation has appropriate antifraud programs and controls in place to identify potential fraud and to ensure that investigations are undertaken if fraud is detected. The Audit Committee shall take an interest in ensuring that appropriate action is taken against known perpetrators of fraud.

This document is intended to make Audit Committee members aware of their responsibilities as they undertake this important role. It highlights areas of corporate activity that may require additional scrutiny by the Audit Committee.

Definition and Categories of Fraud
An understanding of fraud is essential for the Audit Committee to carry out its responsibilities. The term fraud may be defined as:

An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right.

A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . .

A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.

The Audit Committee also needs to be aware that fraud affecting the organisation often falls within one of three categories:
• Management fraud, which involves senior management’s intentional misrepresentation of financial statements, or theft or improper use of company resources.
• Employee fraud, which involves non-senior employee theft or improper use of company resources.
• External fraud, which involves theft or improper use of resources by people who are neither management nor employees of the firm.

This categorisation of fraud is useful, but not absolute. Middle management employees may intentionally misrepresent financial statement transactions, for example, to improve their apparent performance, or outside individuals may collude with company management or employees.

Role of the Audit Committee in the Prevention, Deterrence, Investigation, and Discovery or Detection of Fraud
The members of the Audit Committee should understand their role of ensuring that the organisation has antifraud programs and controls in place to help prevent fraud, and aid in its discovery if it does occur, to properly fulfil their fiduciary duties of:
• Monitoring the financial reporting process
• Overseeing the internal control system
• Overseeing the Internal Audit and the External Auditor, and
• Reporting findings to the Board of Directors.

The Audit Committee should ensure that the organisation has implemented an effective ethics and compliance program, and that it is periodically tested. Since the occurrence of significant frauds can frequently be attributed to an override of internal controls, the Audit Committee plays an important role to ensure that internal controls address the appropriate risk areas and are functioning as designed.

Internal Audit and the External Auditor can serve a vital role in aiding in fraud prevention and deterrence. Internal Audit staff and External Auditor staff who are experienced and trained in fraud prevention and deterrence can help to provide assurance that:
• Risks are effectively identified and monitored;
• Organisational processes are effectively controlled and tested periodically; and
• Appropriate follow-up action is taken to address control weaknesses.

The Audit Committee needs to ensure that Internal Audit and the External Auditor are carrying out their responsibilities in connection with potential fraud.

When Fraud Is Discovered
Fraud can be discovered through many sources, namely, Internal Audit or the External Auditor, accounting consultants, employees, suppliers, and others. Establishing a confidential hotline can also be an important source of information leading to fraud discovery, as part of an organisation’s overall ethics, compliance, and fraud prevention program.

If fraud or improprieties are asserted or discovered, the Audit Committee - through the External Auditor, Internal Audit, or accounting consultants, as appropriate - should investigate, and, if necessary, retain legal counsel to assert claims on the organisation’s behalf.

If fraud is discovered, or there is a reasonable basis to believe that fraud may have occurred, the Audit Committee is responsible for ensuring that an investigation is undertaken. Criteria should be in place describing the Audit Committee’s level of involvement, based on the severity of the offense. Most Audit Committee members will also want to obtain information about all violations of the law and the organisation’s policies.

Conclusion
Audit Committees are required to play a pivotal role in the prevention and deterrence of fraud, and to take appropriate action in the discovery of fraud. Independent accountants, hired by the Audit Committee and Internal Audit will continue to play an important part in the process.
Appendix G. Internal Control: A Tool for the Audit Committee
Internal control over financial reporting has always been a major area in the governance of an organisation, and this importance has been magnified in recent years. This document is intended to give Audit Committee members basic information about internal control to understand what it is, what it is not, how it can be used most effectively in the organisation, and the requirements of management with respect to the system of internal control over financial reporting. Note that the primary responsibility of the Audit Committee with respect to internal control is the system of internal control over financial reporting.

Basics of Internal Control
In 1992, the Audit Committee of Sponsoring Organisations (COSO)1 of the National Commission on Fraudulent Financial Reporting (also known as the Treadway Commission) published a document called: Internal Control – Integrated Framework,2 which defined internal control as “a process, effected by an entity’s Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in three categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations

1 The Audit Committee of Sponsoring Organisations consists of the American Institute of CPAs (AICPA), the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), and the American Accounting Association (AAA).
2 The COSO publication Internal Control—Integrated Framework (Product Code Number 990012), may be purchased through the AICPA store.

Internal control can be judged as effective in each of these categories if the Board of Directors and management have reasonable assurance that:
1. They understand the extent to which the entity’s operations objectives are being achieved.
2. Published financial statements are being prepared reliably.
3. Applicable laws and regulations are being complied with.

The COSO Framework went on to say that internal control consists of five interrelated components as follows:
1. Control environment. Sometimes referred to as the “tone at the top” of the organisation, meaning the integrity, ethical values and competence of the entity’s people, management’s philosophy and operating style, the way management assigns authority and responsibility, organises and develops its people, and the attention and direction provided by the Board of Directors. It is the foundation for all other components of internal control, providing discipline and structure.
2. Risk assessment. The identification and analysis of relevant risks to achieve the objectives which form the basis to determine how risks should be managed. This component should address the risks, both internal and external, that must be assessed. Before conducting a risk assessment, objectives must be set and linked at different levels.
3. Control activities. Policies and procedures that help ensure that management directives are carried out. Control activities occur throughout the organisation at all levels in all functions. These include activities like approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
4. Information and communication. Addresses the need in the organisation to identify, capture and communicate information to the right people to enable them to carry out their responsibilities. Information systems within the organisation are key to this element of internal control. Internal information, as well as external events, activities and conditions must be communicated to enable management to make informed business decisions and for external reporting purposes.
5. Monitoring. The internal control system must be monitored by management and others in the organisation. This is the framework element that is associated with the Internal Audit function in the company, as well as other means of monitoring such as general management activities and supervisory activities. It is important that internal control deficiencies be reported upstream, and that serious deficiencies are reported to top management and the Board of Directors.

These five components are linked together and form an integrated system that should react dynamically to changing conditions.
The internal control system is intertwined with the organisation’s operating activities, and is most effective when controls are built into the organisation’s infrastructure becoming part of the very essence of the organisation. An effective internal control structure can actually be part of the competitive advantage of the organisation.

Key Terms in Internal Control
There are a few terms that you will hear frequently when discussing internal control, and these are identified and described as follows:

Reportable condition. Has the same meaning as the term “significant deficiency.” These two terms are used to define a significant deficiency in the design or operation of internal control that could adversely affect a company’s ability to record, process, summarise and report financial data consistent with the assertions of management in the organisation’s financial statements. An aggregation of significant deficiencies could constitute a material weakness.

Material weakness. Defined in the auditing literature as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned duties.

Compensating controls. Some organisations, by virtue of their size, are not able to implement basic controls such as segregation of duties. This apparent lack of control should be overcome through other controls, which should be expected to be more rigorous in this situation than in a situation where the basic control exists. This compensating control could be a permanent part of the control system, or just temporary if a basic control is not able to function for some period of time.

What Internal Control Cannot Do
As important as an internal control structure is to an organisation, an effective system is not a guarantee that the organisation will be successful. An effective internal control structure will keep the right people informed about the organisation’s progress (or lack of progress) in achieving its objectives, but it cannot turn a poor manager into a good one. Internal control cannot ensure success, or even survival.

Internal control is not an absolute assurance to management and to the Board of Directors about the organisation’s achievement of its objectives. It can only provide reasonable assurance, due to limitations inherent in all internal control systems. For example, breakdowns in the internal control structure can occur due to simple error or mistake, as well as faulty judgments that could be made at any level of management. In addition, controls can be circumvented by collusion or by management override. Finally, the design of the internal control system is a function of the resources available, meaning that there must be a cost-benefit analysis in the design of the system.

Roles and Responsibilities
Everyone in the organisation has some role to play in the organisation’s internal control system.
In a public company, the CFO and CEO are required to certify that they (among other things):
• Are responsible for establishing and maintaining internal controls;
• Have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to the CFO and CEO by others within those entities, particularly during the period in which the periodic reports are being prepared;
• Have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report; and
• Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
• Have disclosed to the company’s External Auditor and the Audit Committee (a) all significant deficiencies in the design or operation of internal control which could adversely affect the company’s ability to record, process, summarise, and report financial data and have identified for the company’s External Auditor any material weaknesses in internal control; and (b) any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal controls; and
• Have indicated in their report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

CEO. The CEO has ultimate responsibility and “ownership” of the internal control system. The individual in this role sets the tone at the top that affects the integrity and ethics and other factors that create the positive control environment needed for the internal control system to thrive. Aside from setting the tone at the top, much of the day-to-day operation of the control system is delegated to other senior managers in the company, under the leadership of the CEO.

CFO. Much of the internal control structure flows through the accounting and finance area of the organisation under the leadership of the CFO. In particular, controls over financial reporting fall within the domain of the Chief Financial Officer. The Audit Committee should use interactions with the CFO, and others, as a basis for their comfort level on the internal control over financial reporting. This is not intended to suggest that the CFO must provide the Audit Committee with a level of assurance regarding the system of internal control over financial reporting. Rather, through interactions with the CFO and others, the Audit Committee should get a “gut feeling” about the completeness, accuracy, validity and maintenance of the system of internal control over financial reporting.

Controller. Much of the basics of the control system come under the domain of this position. It is key that the Controller understands the need for the internal control system, is committed to the system, and communicates the importance of the system to all people in the accounting organisation. Further, the Controller must demonstrate respect for the system through his or her actions.

Internal Audit. A main role for the Internal Audit team is to evaluate the effectiveness of the internal control system and contribute to its ongoing effectiveness. With Internal Audit reporting directly to the Audit Committee of the Board of Directors and/or the most senior levels of management, it is often this function that plays a significant role in monitoring the internal control system.

Board of Directors/Audit Committee. A strong, active Board is necessary. This is particularly important when the organisation is controlled by an executive or management team with tight reins over the organisation and the people within the organisation. The Board should recognise that its scope of oversight of the internal control system applies to all three major areas of control: over operations, over compliance with laws and regulations, and over financial reporting. The Audit Committee is the Board’s first line of defence with respect to the system of internal control over financial reporting.

All Other Personnel. The internal control system is only as effective as the employees throughout the organisation that must comply with it. Employees throughout the organisation should understand their role in internal control and the importance of supporting the system through their own actions and encouraging respect for the system by their colleagues throughout the organisation.

Compensating Controls
It is important to realise that both the design of, and compliance with, the internal control system are important. The Audit Committee should be “tuned-in” to the tone-at-the-top of the organisation as a first indicator of the functioning of the internal control system. In addition, the Audit Committee should realise that the system of internal control should be scaled to the organisation. Some organisations will be so small, for example, that they will not be able to have appropriate segregation of duties. The message here is that the lack of segregation of duties is not automatically a material weakness, or even a reportable condition, depending on the compensating controls that are in place.

For example, suppose a company’s accounting department is so small that it is not possible to segregate duties between the person that does the accounts payable, and the person that reconciles the bank statements. In this case, it is one and the same person, so the implication is that there are no checks and balances on the accounts payable person, who could be writing cheques to a personal account, then passing on them during the bank reconciliation process (that is, there is no one to raise the red flag that personal cheques are being written on the company account).

Compensating controls could make up for this apparent breach in the internal control system. Here are some examples of compensating controls in this situation:
• All cheques are hand signed by officers of the company, rather than using a signature plate that is in the control of the person that prepared the cheques.
• The bank reconciliation may be reviewed by the person’s manager.
• A periodic report of all cheques that are cleared at the bank could be prepared by the bank and forwarded to an officer of the company for review.

The Audit Committee should be aware of situations like this, and be prepared to ask questions and evaluate the answers when an obvious breach in internal control surfaces.

Management Override of Controls
Another area that the Audit Committee needs to focus on is the ability of management to override internal controls over financial reporting to perpetrate a fraud. Examples of techniques used by management in overriding internal controls over the financial reporting function include:
• Back dating sales documents to a prior period;
• Making adjusting entries during the financial reporting closing process; or
• Reclassifying items improperly between the income statement and the balance sheet.

Some of these override techniques were used in some accounting scandals and have gained substantial notoriety. The Audit Committee has the responsibility to help prevent or deter a management override of controls. It is important for the Audit Committee to understand that there is a system to uncover an override, as well as follow-up to determine its appropriateness. Questions about management override, and the controls over management override, as well as audit steps to detect if a management override has occurred, should be addressed to the CEO, CFO, CAE, and External Auditor during the respective executive sessions with the Audit Committee.

Conclusion
This document should have given you a sense of what people mean when they refer to internal control. The concepts are not complex, but sometimes the application of internal control can be a challenge in an organisation, depending on its size and the corporate culture. However, it is vitally important to design the system of internal control to achieve the objectives of:
• Effectiveness and efficiency of operations;
• Reliability of financial reporting; and
• Compliance with applicable laws and regulations.

Internal Control Questionnaire
This questionnaire focuses on the five interrelated components of an internal control system, as described in the COSO Internal Control – Integrated Framework3 publication. The Audit Committee’s role in the internal control structure of the Company focuses on internal controls over financial reporting and the various systems (human resources, computing, and other) available to support that process, and this document is created to facilitate that role. The Audit Committee needs to be assured that the controls are in place and operating effectively. This can be achieved through the Audit Committee’s interaction with senior management, External Auditor, Internal Audit, and other key members of the financial management team.

Instructions for Using this Document
This questionnaire is created around the five interrelated components of an internal control structure. Within each component is a series of questions that the Audit Committee should focus on to assure itself that controls are in place and functioning. These questions should be discussed in an open forum with the individuals that have a basis for responding to the questions.

3 The questions in this questionnaire are adapted from “Evaluation Tools,” Volume 2 of the COSO Internal Control – Integrated Framework, published September 1992, by the Audit Committee of Sponsoring Organisations.

The Audit Committee should ask for detailed answers and examples from the management team, including key members of the financial management team, Internal Audit and External Auditor to assure itself that the system is operating as management represents. Evaluation of the internal control structure is not a one-time, but rather a continuous event for the Audit Committee. The Audit Committee members should always have their eyes and ears open for potential weaknesses in internal control, and should continually probe the responsible parties regarding the operation of the system. These questions are written in such a manner that a “No” response indicates a weakness that must be addressed.

Control Environment—Integrity and Ethical Values
1. Does the organisation have a comprehensive Code of Conduct or other policies addressing acceptable business practice, conflicts of interest, and expected standards of ethical and moral behaviour?
2. Is the code distributed to all employees?
3. Are all employees required to periodically acknowledge that they have read, understood, and complied with the code?
4. Does management demonstrate through actions its own commitment to the Code of Conduct?
5. Are dealings with customers, suppliers, employees, and other parties based on honesty and fair business practices?
6. Does management take appropriate action in response to violations of the Code of Conduct?
7. Is management explicitly prohibited from overriding established controls? What controls are in place to provide reasonable assurance that controls are not overridden by management? Are deviations from this policy investigated and documented? Are violations (if any) and the results of investigations brought to the attention of the Audit Committee?
8. Is the organisation proactive in reducing fraud opportunities by (1) identifying and measuring fraud risks, (2) taking steps to mitigate identified risks, (3) identifying a position within the organisation to “own” the fraud prevention program, and (4) implementing and monitoring appropriate preventative and detective internal controls and other deterrent measures?
9. Does the company use an anonymous ethics and fraud hotline, and, if so, are procedures in place to investigate and report results to the Audit Committee?

Control Environment—Commitment to Competence
1. Is the level of competence, and the requisite knowledge and skills defined for each job in the accounting and Internal Audit organisations?
2. Does management make an effort to determine whether the accounting and Internal Audit organisations have adequate knowledge and skills to do their jobs?

Control Environment—Board of Directors and Audit Committee
1. Are the Audit Committee’s responsibilities defined in a charter? If so, is the charter updated annually and approved by the Board of Directors?
2. Are Audit Committee members independent of the company and of management? Do Audit Committee members have the knowledge, industry experience, and financial expertise to serve effectively in their role?
3. Are a sufficient number of meetings held, and are the meetings of sufficient length and depth to cover the agenda, and provide healthy discussion of issues?
4. Does the Audit Committee constructively challenge management’s planned decisions, particularly in the area of financial reporting, and probe the evaluation of past results?
5. Are regular meetings held between the Audit Committee and the Chief Financial Officer, the Chief Audit Executive, other key members of the financial management and reporting team, and the External Auditor? Are executive sessions conducted on a regular basis?
6. Does the Audit Committee approve Internal Audit’s annual audit plan?
7. Does the Audit Committee receive key information from management in sufficient time in advance of meetings to prepare for discussions at the meetings?
8. Does a process exist for informing Audit Committee members about significant issues on a timely basis and in a manner conducive to the Audit Committee having a full understanding of the issues and their implications?
9. Is the Audit Committee informed about personnel turnover in key functions including the audit team, senior executives, and key personnel in the financial accounting and reporting teams? Are unusual employee turnover situations observed for patterns or other indicators of problems?

Control Environment—Management’s Philosophy and Operating Style
1. Is the accounting function viewed as a team of competent professionals bringing information, order, and controls to decision-making?
2. Is the selection of accounting principles made in the long-term best interest of the organisation (as opposed to short-term maximisation of income)?
3. Are valuable assets, including intellectual assets, protected from unauthorised access and use?
4. Do managers respond appropriately to unfavourable signals and reports?
5. Are estimates and budgets reasonable and achievable?

Control Environment—Organisational Structure
1. Is the organisational structure within the accounting function and the Internal Audit function appropriate for the size of the organisation?
2. Are key managers in the accounting and Internal Audit functions given adequate definition of their responsibilities?
3. Do sufficient numbers of employees exist, particularly at the management levels in the accounting and Internal Audit functions to allow those individuals to effectively carry out their responsibilities?

Control Environment—Assignment of Authority and Responsibility
1. Is the authority delegated appropriate for the responsibilities assigned?
2. Are job descriptions in place for management and supervisory personnel in the accounting and Internal Audit functions?
3. Do senior managers get involved as needed to provide direction, address issues, correct problems and/or implement improvements?

Control Environment—Human Resources Policies and Practices
1. Are policies and procedures in place for hiring, training, promoting, and compensating employees in the accounting and Internal Audit functions?
2. Do employees understand that sub-standard performance will result in remedial action?
3. Is remedial or corrective action taken in response to departures from approved policies?
4. Do employees understand the performance criteria necessary for promotions and salary increases?

Risk Assessment
1. Does the organisation consider risks from external sources such as creditor demands, economic conditions, regulation, labour relations (e.g. unions), etc.?
2. Does the organisation consider risks from internal sources such as key employees (retention and succession planning), financing and the availability of funding for key programs, competitive compensation and benefits, information systems security and backup systems?
3. Is the risk of a misstatement in the financial statements considered and are steps taken to mitigate that risk?
4. If applicable, are the risks associated with foreign/off-shore operations considered, including their impact on the financial reporting process?

Control Activities
1. Does the organisation have a process in place to ensure that controls as described in its policy and procedures manuals are applied as they are meant to be applied?
2. Do the policy and procedures manuals document all important policies and procedures? Are these policies and procedures reviewed and updated on a regular basis? If so, by whom?
3. Do supervisory personnel review the functioning of controls? If so, how is that review conducted and what happens to the results? Is appropriate and timely follow-up action taken on exceptions?

Information and Communication
1. Is a process in place to collect information from external sources, such as industry, economic, and regulatory information that could have an impact on the business or the financial reporting process?
2. Are milestones to achieve financial reporting objectives monitored to ensure that timing deadlines are met?
3. Is necessary operational and financial information communicated to the right people in the organisation on a timely basis and in a format that facilitates its use, including new or changed policies and procedures?
4. Is a process in place to respond to new information needs in the organisation on a timely basis?
5. Is there a process in place to collect and document errors or complaints to analyse, determine the cause, and eliminate a problem from recurring in the future?
6. Is a process established and communicated to officers, employees and others, about how to communicate suspected instances of wrongdoing by the company or employees of the company? Furthermore, does a process exist to ensure that anyone making such a report is protected from retaliation?

Monitoring
1. Do officers and employees understand their obligation to communicate observed weaknesses in design or compliance with the internal control structure of the organisation to the appropriate supervisory or management personnel?
2. Are interactions with external stakeholders periodically evaluated to determine if they are indicative of a weakness in the internal control structure? (For example, consider the frequency of customer complaints about incorrect bills.)
3. Is there follow-up on recommendations from Internal Audit and the External Auditor for improvements to the internal control system?
4. Are personnel asked to periodically state whether they understand and comply with the organisation’s Code of Conduct?
5. Are personnel required to sign off, indicating their performance of critical control activities such as performing reconciliations?
6. Does Internal Audit have the right number of competent and experienced staff?
7. Do they have access to the Board of Directors and Audit Committee?
8. Is the reporting structure in place to ensure their objectivity and independence?
9. Is the work of Internal Audit appropriate to the organisation’s needs, and prioritised with the Audit Committee’s direction?
Appendix H. Key Questions for the Audit Committee to Ask
On the strategic processes for risk, control and governance, how do we know:
1. That the risk management culture is appropriate?
2. That there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?
3. That the Risk Register is an appropriate reflection of the risks facing the organisation?
4. That appropriate ownership of risk is in place?
5. That management has an appropriate view of how effective internal control is?
6. That risk management is carried out in a way that really benefits the organisation or is it treated as a box ticking exercise?
7. That the organisation as a whole is aware of the importance of risk management and of the organisation’s risk priorities?
8. That the system of internal control will provide indicators of things going wrong?
9. That the Statement on Internal Control is meaningful, and what evidence underpins it?
10. That the Statement on Internal Control appropriately discloses action to deal with material problems?
11. That the Board of Directors is appropriately considering the results of the effectiveness review underpinning the Statement on Internal Control?

On risk management processes, how do we know:
1. How senior management supports and promotes risk management?
2. How well people are equipped and supported to manage risk?
3. That there is a clear risk strategy and policies?
4. That there are effective arrangements for managing risks with partners?
5. That the organisation’s processes incorporate effective risk management?
6. If risks are handled well?
7. If risk management contributes to achieving outcomes?

On the planned activity and results of both internal and external audit, how do we know:
1. That the Internal Audit strategy is appropriate for delivery of a positive reasonable assurance on the whole of risk, control and governance?
2. That the periodic audit plan will achieve the objectives of the Internal Audit strategy, and in particular is it adequate to facilitate a positive, reasonable assurance?
3. That Internal Audit has appropriate resources, including skills, to deliver its objectives?
4. That Internal Audit recommendations agreed by management are actually implemented?
5. That any issues arising from line management not accepting Internal Audit recommendations are appropriately escalated for consideration?
6. That the quality of Internal Audit work is adequate? / What does application of the Internal Audit Quality Assessment Framework tell us about the quality of the Internal Audit Department?
7. That there is appropriate co-operation between Internal Audit and the External Auditor?

On the accounting policies, the accounts, and the annual report of the organisation, how do we know:
1. That the accounting policies in place comply with relevant requirements, particularly the Financial Reporting Manual?
2. That there has been due process in preparing the accounts and annual report and is that process robust?
3. That the accounts and annual report have been subjected to sufficient review by management and by the Managing Director and the Board of Directors?
4. That when new accounting issues arise, appropriate advice on accounting treatment is obtained?
5. That there is an appropriate anti-fraud policy in place and that losses are suitably recorded?
6. That suitable processes are in place to ensure accurate financial records are kept? That suitable processes are in place to ensure fraud is guarded against and regularity and propriety is achieved?
7. That financial control, including the structure of delegations, enables the organisation to achieve its objectives with good value for money?
8. If there are any issues likely to lead to qualification of the accounts?
9. If the accounts have been qualified, that appropriate action is being taken to deal with the reason for qualification?
10. That issues raised by the External Auditor are given appropriate attention?

On the adequacy of management response to issues identified by audit activity, how do we know:
1. That the implementation of recommendations is monitored and followed up?
2. That there are suitable resolution procedures in place for cases when management reject audit recommendations which the External Auditor stands by as being important?

On assurances relating to the corporate governance requirements for the organisation, how do we know:
1. That the range of assurances available is sufficient to facilitate the drafting of a meaningful Statement on Internal Control?
2. That those producing the assurances understand fully the scope of the assurances they are being asked to provide, and the purpose to which they will be put?
3. That mechanisms are in place to ensure that assurances are reliable?
4. That assurances are ‘positively’ stated (i.e. premised on sufficient relevant evidence to support them)?
5. That the assurances draw appropriate attention to material weaknesses or losses which shall be addressed?
6. That the Statement on Internal Control realistically reflects the assurances on which it is premised?

On the work of the Audit Committee itself, how do we know:
1. That we are being effective in achieving our terms of reference and adding value to corporate governance and control systems of the organisation?
2. That we have the appropriate skills mix?
3. That we have an appropriate level of understanding of the purpose and work of the organisation?
4. That we have sufficient time to give proper consideration to our business?
5. That our individual members are avoiding any conflict of interest?
6. What impact we are having on an organisation?
Appendix I. Audit Committee Competency Framework
All members of the Audit Committee shall have, or acquire as soon as possible after appointment:
• Understanding of the objectives of the organisation and current significant issues for the organisation;
• Understanding of the organisation’s structure, including key relationships;
• Understanding of the organisation’s culture;
• Understanding of any relevant law or other rules governing the organisation;
• Broad understanding of the organisation’s environment, particularly accountability structures and current major initiatives.

The Audit Committee shall corporately possess:
• Knowledge / skills / experience (as appropriate and required) in:
  o Accounting;
  o Risk management;
  o Audit;
  o Technical or specialist issues pertinent to the organisation’s business.
• Experience of managing similar sized organisations;
• Understanding of the wider relevant environments in which the organisation operates.
Appendix J. Audit Committee Self Assessment Checklist
Composition, Establishment and Duties
1. Does the Audit Committee have written terms of reference that adequately and realistically define the Audit Committee’s role?
2. Have the terms of reference been adopted by the Board of Directors?
3. Are the terms of reference reviewed annually to take into account governance developments (including integrated governance principles) and the remit of other Committees within the organisation?
4. Has the Audit Committee established a plan for the conduct of its own work across the year?
5. Has the Audit Committee been provided with sufficient membership, authority and resources to perform its role effectively and independently?
6. Are changes to the Audit Committee’s current and future workload discussed and approved at Board of Directors level?
7. Are Audit Committee members independent of the management team?
8. Does the Audit Committee report regularly to the Board of Directors?
9. Are members, particularly those new to the Audit Committee, provided with training?
10. Does the Board ensure that members have sufficient knowledge of the organisation to identify key risk areas and to challenge both line management and the External Auditor on critical and sensitive matters?
11. Does at least one Committee member have a financial background?
12. Does the Audit Committee prepare an annual report on its work and performance in the preceding year for consideration by the Board of Directors?

Compliance with Laws and Regulations
1. Does the Audit Committee have a mechanism to keep it aware of topical, legal and regulatory issues?

Internal Control and Risk Management
1. Has the Audit Committee formally considered how it integrates with other Committees that are reviewing risk e.g. risk management?
2. Has the Audit Committee formally considered how its work integrates with wider performance management and standards compliance?
3. Has the Audit Committee been briefed on its assurance responsibilities with regard to internal control and risk management, particularly with regard to the Statement on Internal Control, the Assurance Framework and the Chief Audit Executive’s opinion?
4. Has the Audit Committee reviewed whether the reports it receives are timely and have the right format and content to ensure its internal control and risk management responsibilities are discharged?
5. Is the Audit Committee satisfied that the Board of Directors has been advised that assurance reporting is in place to encompass all the organisation’s responsibilities?
6. Is there clarity over the timing and content of the assurance statements received by the Audit Committee from the Chief Audit Executive?

Internal Audit
1. Do formal terms of reference exist, defining Internal Audit’s objectives, responsibilities and reporting lines?
2. Are the terms of reference approved by the Audit Committee and routinely reviewed?
3. Do the terms of reference adequately specify the relationship between the Chief Audit Executive and the Audit Committee?
4. Are the key principles of the terms of reference set out in the Standing Financial Instructions?
5. Does the Audit Committee review and approve the Internal Audit plan at the beginning of the financial year?
6. Does the Audit Committee approve any material changes to the plan?
7. Are audit plans derived from clear processes based on risk assessment with clear links to the Assurance Framework?
8. Does the Audit Committee receive periodic reports from the Chief Audit Executive?
9. Has the Audit Committee established a process whereby it reviews any material objection to the plans and associated assignments that cannot be resolved through negotiation?
10. Does the Audit Committee effectively monitor the implementation of management actions arising from audit reports?
11. Does the Chief Audit Executive have a direct line of reporting to the Audit Committee and its Chairperson?
12. Are any scope restrictions placed on Internal Audit and, if so, what are they and who establishes them?
13. Is Internal Audit free from any operating responsibilities or conflicts of interest that could impair its objectivity?
14. Has the Audit Committee determined the appropriate level of detail it wishes to receive from Internal Audit?
15. Does the Audit Committee hold periodic private discussions with the Chief Audit Executive?
16. Does the Audit Committee review the effectiveness of Internal Audit and the adequacy of staffing and resources within Internal Audit?
17. Has the Audit Committee agreed a range of Internal Audit performance measures to be reported on a routine basis?
18. Is there appropriate cooperation with the External Auditor?
19. Are there any quality assurance procedures to confirm whether the work of Internal Audit is properly planned, completed, supervised and reviewed?

External Audit
1. Does the External Auditor present its audit plans and strategy to the Audit Committee for approval?
2. Has the Audit Committee satisfied itself that work not relating to the financial statements is adequate and appropriate?
3. Does the Audit Committee receive and monitor actions taken in respect of prior years’ reviews?
4. Does the Audit Committee review the External Auditor's annual audit letter?
5. Does the Audit Committee hold periodic private discussions with the External Auditor?
6. Does the Audit Committee assess the performance of the External Auditor?

Annual Accounts
1. Is the Audit Committee's role in the approval of the annual accounts clearly defined?
2. Is a Committee meeting scheduled to discuss proposed adjustments to the accounts and issues arising from the audit?
3. Does the Audit Committee annually review the accounting policies of the organisation?

Administrative Arrangements
1. Does the Audit Committee have a plan of matters to be dealt with over the coming year?
2. Are papers circulated in good time and are minutes received as soon as possible after the meetings?
3. Does the Audit Committee meet the appropriate number of times to deal with planned matters?
4. Are Committee papers distributed in sufficient time for members to give them due consideration?
5. Are Committee meetings scheduled prior to important decisions being made?
6. Is the timing of Committee meetings discussed with all the parties involved?

Other Issues
1. Has the Audit Committee considered the costs that it incurs, and are the costs appropriate to the perceived risks and the benefits?
2. Does the Audit Committee assess its own effectiveness periodically?
3. Do the Annual Report and Financial Statements include a description of the Audit Committee's establishment and activities?
Appendix K. Model of Corporate Governance Questionnaire
Audit Committee members, when carrying out their assessment of the effectiveness of the organisation’s corporate governance arrangements, may wish to consider (in addition to reviewing reports from both Internal Audit and the External Auditor) the following questions and any assurances they might deem appropriate. The questions are included for guidance only. They are not intended to be exhaustive and will need to be tailored to the particular circumstances of the organisation.

The Board of Directors

Composition and Balance
1. Has the Board of Directors taken steps to ensure that it is of sufficient size such that the balance of skills and experience is appropriate for the organisation, yet not so large as to become unwieldy?
2. Do the independent members of the Board of Directors form a majority for voting purposes?
3. Has the Board of Directors taken steps to ensure that power and information are not concentrated in one individual?
4. Does the Board of Directors meet regularly and are meetings well attended?
5. Has the Board of Directors defined its quorum requirements and what happens if it is not quorate at the outset of a meeting?

Role and Responsibilities
1. Does the Board of Directors recognise its collective responsibility and accountability for the success of the organisation?
2. Does the Board of Directors recognise its collective responsibility for risk management, internal control and the governance of the organisation?
3. Is there a formal schedule of matters specifically reserved for decision by the Board of Directors?
4. Has the Board of Directors developed formal financial and operational procedures to regulate the organisation?
5. Are the roles of Chairperson of the Board of Directors clearly established, set out in writing and agreed by the Board of Directors?
6. Are there clearly defined roles and responsibilities for members of the Board of Directors and senior staff?
7. Is there a formal and transparent structure of delegated powers and authorities?

General Processes
1. Has the Board of Directors established appropriate procedures to ensure that all applicable laws and regulations are complied with?
2. Has the Board of Directors established procedures to ensure that funds are: properly safeguarded; used economically, efficiently and effectively; and used for the purpose they were intended?
3. Has the Board of Directors taken steps to ensure that its members conduct themselves in accordance with high standards of personal behaviour? Is there a formal definition of the standards of behaviour expected of members of the Board of Directors and senior staff?
4. Has the Board of Directors established procedures to identify, record and monitor conflicts of interest?
5. Is there an agenda item at the beginning of each Board of Directors meeting that requires members attending to declare any interest that any of them may have in the business of that meeting?

Appointments to the Board of Directors and its Committees
1. Is there a formal, rigorous and transparent procedure for appointing new members to the Board of Directors and its Committees?
2. Has the Board of Directors appointed a nominations Committee, with a majority of independent members, to develop recommendations?
3. Are appointments to the Board of Directors made on merit and against objective criteria?
4. Does the Board of Directors have plans in place for the orderly succession of members of the Board of Directors and senior management, so as to maintain an appropriate balance of skills and experience within the organisation?
5. Are members of the Board of Directors and key Committees required to submit themselves for re-election at regular intervals, subject to continued satisfactory performance?
6. Are the duties, terms of office and remuneration (if any) of the members of the Board of Directors clearly defined?

Information and Professional Development
1. Has the Board of Directors taken steps to ensure that it and its Committees are supplied in a timely manner with information in a form and of a quality appropriate to enable it to discharge its duties?
2. Does the Board of Directors take steps to ensure that its members, and any individuals co-opted to its Committees, receive an appropriate induction on joining the Board of Directors and its Committees?
3. Does the Board of Directors take steps to ensure that its members, and any individuals co-opted to its Committees, continually update and refresh their skills and knowledge?
4. Are procedures in place to ensure that members of the Board of Directors have access to independent professional advice, at the organisation’s expense, where they judge it necessary to discharge their responsibilities as members of the Board of Directors?
5. Do all members of the Board of Directors have access to the impartial advice and services of the secretary to the Board of Directors (or equivalent)?

Performance Evaluation
1. Does the Board of Directors undertake a formal and rigorous regular evaluation of its own performance and that of its Committees and individual members of those bodies?

Remuneration and Reward Arrangements
1. Has the Board of Directors established a formal, transparent procedure (such as a remuneration Committee) for making recommendations on the remuneration and terms of employment of the Directors and other senior officers?
2. Does the Board of Directors take appropriate action to ensure that the remuneration Committee (or equivalent) comprises individuals with the necessary skills, experience and independence?
3. Are procedures in place to ensure that remuneration is sufficient to attract and retain appropriate senior staff, but not more than is necessary for this purpose?
4. Are procedures in place to ensure that the organisation discharges its duties regarding the remuneration of staff, including union recognition, termination of employment and similar matters?

Dialogue with Stakeholders
1. Has the Board of Directors established clear channels of communication with the organisation’s major stakeholders?
2. Has the Board of Directors established processes to ensure that communication channels are fit for purpose and working as intended?
3. Are the names of all members of the Board of Directors made publicly available along with the process for making appointments to the Board of Directors?

Audit and Accountability

Financial Reporting
1. Is the annual report produced by the Board of Directors a balanced and understandable assessment of the organisation’s position and prospects?
2. Does the Board of Directors include in the annual report an explanation of its responsibility for preparing the organisation’s accounts?
3. Does the Board of Directors include a statement confirming compliance with the principles of corporate governance in the annual report?

Internal Control
1. Does the Board of Directors, at least annually, conduct a review of the effectiveness of the organisation’s system of risk management and internal controls, covering all risks and controls including financial, operational and compliance?
2. Does the Board of Directors include a statement on the effectiveness of the system of risk management, internal control and governance within the annual report?

Audit Committee and Auditors
1. Is the Audit Committee set up in accordance with the requirements of the Board of Directors?
2. Does the Board of Directors take appropriate action to ensure that the Audit Committee comprises individuals with the necessary skills, experience and independence?
3. Have the role and responsibilities of the Audit Committee been agreed by the Board of Directors and set out in sufficiently detailed written terms of reference?
4. Has the Board of Directors taken steps to ensure that it receives independent, objective advice as to the arrangements for adequate and effective risk management, control and governance, and for the economy, efficiency and effectiveness of the organisation’s activities?
5. Does the Audit Committee review arrangements by which employees may, in confidence, raise concerns about possible improprieties in matters of financial reporting or other matters?
6. Has the Board of Directors taken steps to establish and maintain an effective Internal Audit function, whether in-house, co-sourced or outsourced?
7. Has the Board of Directors taken steps to establish and maintain an objective relationship with the External Auditor?
Appendix L. Model of Audit Committee Annual Report
The Audit Committee is required to prepare an annual report for submission to the Board of Directors. The Audit Committee annual report should be supported by the Internal Audit annual report, which would therefore normally accompany it. The annual report should be prepared as early as possible after the end of each financial year, with the aim of it being available before the annual financial statements are signed. The report should be signed and dated by the Chairperson of the Audit Committee. This model indicates what could be included in the annual report.
Title
Full name of organisation, Audit Committee Annual Report, financial year. Addressed to Board of Directors.
Introduction
Period covered; this should relate specifically to the Audit Committee’s work on the relevant financial year. However, any additional issues should be covered where appropriate, particularly if they affect the opinion (for example, where the previous year’s annual report could not include something because of timing, or issues have arisen since the year end).
Membership
Names; details of changes and dates thereof; terms of office; identity of Chairperson; also separately give details of the Secretary to the Audit Committee.
Meetings
Dates of meetings, note of members attending, and a general statement about who else is normally in attendance.
Terms of Reference
If applicable, details of changes and their effect on the work of the Audit Committee.
Internal Audit
1. Name of provider; details of any changes made or due; fee basis; Audit Committee’s assessment of performance for the year (including the use of performance measures and obtaining the views of the External Auditor).
2. Review of appointment; when market testing is due for consideration.
3. Review of Chief Audit Executive annual report (which may be attached to the Audit Committee annual report); achievement of planned work; consideration of and comment on Internal Audit overall opinion of risk management, control and governance arrangements, as necessary.
4. Review of audit risk assessment and strategy as appropriate. Number of audit days last year/next year. Details of any restrictions placed on the work of Internal Audit.
5. Review of audit reports (may appropriately focus on only the more significant issues); Audit Committee’s view of management responses to audit findings and recommendations; resolution of issues arising.
6. Review of unplanned or special reports; Audit Committee’s view of management responses to the findings and recommendations; details of any significant recommendations outstanding.
7. Summary of important findings and recommendations.
8. Confirmation that the Audit Committee has held one or more closed meetings with the Chief Audit Executive during the course of the year.
External Audit
1. Name of provider; details of any changes made or due; fee basis; Audit Committee’s assessment of performance for the year (for example, audit planning, timetable set and met); confirmation to the Board of Directors of recommendation of annual reappointment (or deferral to next meeting); when market testing is due for consideration.
2. Details of any non-audit services provided.
3. Review of the External Auditor’s management letter (draft and final versions where appropriate); significant points arising; Audit Committee’s view of management responses to the findings and recommendations.
4. Confirmation that the Audit Committee has held a closed meeting with the External Auditor following completion of the external audit.
Other Work Done
1. Where undertaken, review of specific parts of the annual accounts (preferably between Finance Committee and Board of Directors), including members’ responsibility and Statement on Internal Control, any relevant issue raised in Management Letter, and the External Auditor’s formal annual opinion.
2. Review of assurances received from management and other significant assurance providers.
3. Review of the organisation’s risk management strategy.
4. Other work, including reports, letters and other requirements (such as review or changes to codes of audit practice); special reports or investigations not dealt with elsewhere (e.g. on major fraud or irregularity); significant changes to the organisation’s risk management, internal control and governance systems; other formal certificates or returns seen; review of financial regulations, including amendments, communication or recommendations made; issues arising on joint ventures, subsidiary or associated companies. Recommendations made not dealt with elsewhere.
Other
1. Issues not relevant to the reporting year, such as forthcoming events and issues relating to prior years.
Opinion
1. Audit Committee’s opinion on the adequacy and effectiveness of organisational arrangements (up to date of its report) for the following:
• Risk management, control and governance (risk management element includes accuracy of Statement on Internal Control included with annual statement of accounts)
• Economy, efficiency and effectiveness (value for money).
2. These opinions should be based on the information presented to the Audit Committee.
3. New arrangements coming into effect in 2009 may require Audit Committees to consider whether quality control of their organisational returns is adequate.
Appendix M. Model of a Whistle-blowing Policy
Introduction
All employees are encouraged to raise genuine concerns about possible improprieties in accounting, auditing or other matters, and other malpractices, at the earliest opportunity and in an appropriate way. This policy is designed to:
• Support our values.
• Ensure that staff can raise concerns without fear of suffering retribution.
• Provide a transparent and confidential process for dealing with concerns.
The policy not only covers possible improprieties in matters of financial reporting, but also:
• Fraud.
• Corruption, bribery or blackmail.
• Criminal offences.
• Failure to comply with a legal or regulatory obligation.
• Failure to properly safeguard assets.
• Miscarriage of justice.
• Endangering the health and safety of an individual.
• Concealment of any of the above.
Principles
• All concerns raised will be treated fairly and properly.
• We will not tolerate the harassment or victimisation of anyone raising a genuine concern.
• Any individual making a disclosure will retain their anonymity unless they agree otherwise.
• We will ensure that any individual raising a concern is aware of who is handling the matter.
• We will ensure that no one will be at risk of suffering some form of retribution as a result of raising a concern, even if they are mistaken. We do not, however, extend this assurance to someone who maliciously raises a matter they know to be untrue.
Grievance Procedure If any employee believes reasonably and in good faith that malpractice exists in the workplace, then they should report this immediately to their Head of Department. However, if for any reason they are reluctant to do so, they should report their concerns to the Director of Human Resources. Employees concerned about speaking to a member of staff can speak, in confidence, to an independent third party by calling the whistle-blowing hotline on (tel). This is provided through the independent party which supplies a counselling and legal advice service. Employees’ concerns will be reported to the organisation without revealing their identity. If these channels have been followed and employees still have concerns, or feel that the matter is so serious that it cannot be discussed with any of the above, they should contact the Chairperson of the Audit Committee on (tel). Individuals who raise concerns internally will be informed of who is handling the matter, how they can make contact with them, and if any further assistance is required. We will give as much feedback as we can without any infringement of a duty of confidence owed by us to someone else. An individual’s identity will not be disclosed without prior consent. Where concerns are unable to be resolved without revealing the identity of the person raising the concern (e.g. if that person’s evidence is required in court), we will enter into a dialogue with the individual concerned as to whether and how we can proceed.
Appendix N. Model Policy on Using External Auditor for Non-audit Services
This document sets out the policy for the appointment and remuneration of the External Auditor for any work undertaken on behalf of the organisation. It outlines the control processes that will be put in place to ensure compliance with the policy.
Statutory Audit
The Chief Financial Officer will recommend the overall fee for statutory audit to the Audit Committee. It is the responsibility of the Audit Committee to review the proposed audit fee and recommend it to the Board of Directors for approval. The Audit Committee will review the independence and effectiveness of the External Auditor on an annual basis.
Other Work as Auditor or Reporting Accountants
While it is difficult to be precise about the definition of other work the External Auditor may undertake as Auditor, it includes the following:
• Any other review of the accounts for regulatory purposes;
• Assurance work related to compliance and corporate governance, including high-level controls;
• Regulatory reviews commissioned by the Audit Committee;
• Accounting advice and reviews of accounting standards.
The Chief Financial Officer must clear the appointment of the External Auditor for any such work in advance with the Chairperson of the Audit Committee. The Audit Committee will receive a quarterly report analysing fees paid for non-audit services, with additional commentary on assignments agreed during the quarter. Tax Advisory Services The External Auditor may provide tax advisory services, including tax planning and compliance, provided such advice does not conflict with the External Auditor’s statutory responsibilities and ethical guidance. The Audit Committee will determine whether the appointment of the External Auditor for any tax work would conflict with the External Auditor’s statutory duties. Any tax assignment in excess of (€x) requires the approval of the Chief Financial Officer, who will consult with the Chairperson of the Audit Committee in respect of any assignment over (€y). The Audit Committee will receive a quarterly report on the tax advisory services provided by the External Auditor.
Merger/Acquisition Support
It is permissible for the External Auditor to be appointed to undertake specific merger / acquisition activities on behalf of the organisation. However, the External Auditor cannot be appointed to undertake such work without the prior approval of the Chief Financial Officer, who will consult with the Chairperson of the Audit Committee regarding any assignment that could involve fees in excess of (€x). Any fees paid in respect of merger / acquisition activity will be reported quarterly to the Audit Committee.
Other Accounting Advisory and Consultancy Work
There may be occasions when the External Auditor is best placed to undertake other accounting, investigatory, advisory and consultancy work on behalf of the organisation, because of the External Auditor’s in-depth knowledge of the organisation. However, the following are specifically prohibited:
• Work related to accounting records and financial statements that will ultimately be subject to external audit;
• Management of, or significant involvement in, Internal Audit;
• Secondments to management positions that involve any decision-making;
• Any work where a mutuality of interest is created that could compromise the independence of the External Auditor;
• Any other work which is prohibited by ethical guidance.
Any assignment in excess of (€x) can only be awarded to the External Auditor after competitive tender. The inclusion of the External Auditor on a tender list requires the prior approval of the Chief Financial Officer. The Chief Financial Officer will consult with the Chairperson of the Audit Committee regarding any tender for work in excess of (€y). Details of all such work and fees paid will be reported quarterly to the Audit Committee.
Appendix O. Model Policy on Employing Former Employees of the External Auditor
The Audit Committee has adopted the following policy regarding the employment of former employees of the organisation’s External Auditor. For the purposes of this policy, the “External Auditor” means any partner, director, manager, staff, reviewing actuary or reviewing tax professional associated with the organisation’s External Auditor who works on any aspect of the annual audit of the organisation’s financial statements. For the purposes of this policy, “employee of the organisation’s External Auditor” includes any person regularly providing professional services on behalf of the External Auditor, regardless of whether that person is legally an employee of the firm. For example, if the External Auditor is a partnership, a partner would be deemed an “employee of the organisation’s External Auditor”. For the purposes of these guidelines, ‘organisation’ includes ABC Company and its subsidiaries. No employee of the External Auditor can be hired to a financial reporting oversight role within two years of their association with the audit. A financial oversight role is any position that has direct responsibility for overseeing those who prepare the organisation’s financial statements. No former employee of the organisation’s External Auditor may be an officer of the organisation within two years of the termination of their employment with the organisation’s External Auditor. No former employee of the organisation’s External Auditor may join the senior executive team without the approval of the Director of Human Resources and the Chairperson of the Audit Committee. Each year, the Director of Human Resources shall inform the Audit Committee of any former employees of the External Auditor employed by the organisation in the preceding year.
Appendix P. Evaluation of the External Auditor
The following is a suggested checklist framework for the Audit Committee to carry out a formal review of the effectiveness and efficiency of the External Auditor. It provides the Audit Committee with a disciplined approach to keeping the External Auditor’s performance under review. It will also help to ensure that the External Auditor remains alert to the organisation’s needs and to maintaining an appropriate relationship with the executive management, the Audit Committee and the Board of Directors as a whole. This is not an exhaustive list of questions. The Audit Committee should tailor and adapt the questions to the specific circumstances. In carrying out its assessment, the Audit Committee should also consider the views of other parties who come into contact with the external audit team, such as the Chief Financial Officer and Internal Audit.
Calibre of External Auditor
1. What is the reputation of the External Auditor? Are there recent or current litigation cases against the firm?
2. What is the reputation and presence of the External Auditor in the organisation’s sector?
3. Does the External Auditor have the required resources to audit the organisation?
Quality Processes
1. What quality control processes does the External Auditor operate? (Factors to be considered include the level and nature of review procedures, the approach to audit judgements and issues, independent quality control reviews and the External Auditor’s approach to risk.)
2. How are partners and key members of the engagement team rewarded? Do these compensation arrangements threaten the External Auditor’s independence?
3. What is the External Auditor’s process for internal review of accounting judgements, including an understanding of the key issues?
4. What relevant specialists does the External Auditor employ and how are these deployed to the audit process?
Audit Team
1. Do the individuals assigned to the external audit team have the requisite expertise regarding the higher education sector?
2. Are sufficient resources allocated to the audit?
3. What is the scope of the engagement partner’s/other senior personnel’s involvement in the audit process and is this sufficient?
4. Does the External Auditor have adequate succession plans in place for key team members? Do these plans meet the relevant audit partner rotation requirements and facilitate the maintenance of objectivity?
Scope of External Audit
1. Is the scope of external audit adequate to address all of the financial reporting risks facing the organisation?
2. Does the External Auditor agree the audit scope and plan with the Audit Committee?
3. Is specialist input to the external audit in areas such as taxation and pensions at an appropriate level?
4. Are all the organisation’s key subsidiaries and business ventures covered by the external audit?
5. What is the External Auditor’s approach to seeking and assessing management representations?
6. Does the External Auditor have an effective working relationship with Internal Audit?
Audit Fee
1. Is the external audit fee reasonable given the scope of the external audit, and how does it compare with that for other similarly sized organisations?
2. How are differences between actual and budgeted fees handled? Are overruns reasonable and explained to the Audit Committee?
3. Is the quantum of non-audit fees likely to have an impact on audit objectivity?
Audit Communications
1. Does the External Auditor advise the Audit Committee on a timely basis about significant issues and new developments regarding risk management, corporate governance, financial accounting and related risks and controls?
2. Does the External Auditor discuss the critical accounting policies and whether the accounting treatment is conservative or aggressive?
3. Does the External Auditor contribute positively in Audit Committee meetings (and private sessions)? Are the External Auditor’s papers and oral communications clear, concise, open, focused and robust?
4. Does the External Auditor resolve accounting issues in a timely manner and keep management and the Audit Committee apprised of progress as appropriate?
5. Does the External Auditor seek feedback on the quality and effectiveness of the service it provides? Does it listen and take appropriate action to remedy any issues?
Audit Governance and Independence
1. Does the External Auditor employ open lines of communication/reporting with the Audit Committee?
2. Are unadjusted audit differences and significant weaknesses in internal controls clearly communicated on a timely basis?
3. Do the individuals assigned to the audit demonstrate a high degree of integrity in their dealings with the Audit Committee?
4. Does the External Auditor discuss with the Audit Committee its internal process for ensuring independence?
5. Does management hold the External Auditor in high regard? Does it consider the audit process to be objective and challenging?
Appendix Q. External Audit: Model of the Terms of Reference
(The Board of Directors should be notified of any material difference between this model letter and the External Auditor’s letter.)
To the members of the Board of Directors of (organisation)
Appointment and Qualification
1. As appointed Auditor of (organisation) we agree to the following basis on which we shall perform our duties.
2. We understand that the Board of Directors (this will require modification where the Board of Directors does not appoint the Auditor) will assess the Auditor’s work in each year and undertake a detailed review of the appointment at least every three years. Remuneration will be fixed by the Board of Directors on the advice of the Audit Committee.
3. We confirm that we are qualified as Auditor in accordance with relevant legislation.
Responsibilities of the Organisation
4. We recognise that the Board of Directors is responsible on behalf of the organisation for:
a. Establishing and maintaining a system of controls – financial and otherwise – in order to carry on the operation of the organisation in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets and secure, as far as possible, the completeness and accuracy of the records.
b. Preparing financial statements that:
i. Comply with the organisation’s charter and statutes, all statutory requirements relating to the organisation’s financial affairs, the financial memorandum (dated ...................) with the Board of Directors, and other regulations relating to the constitution and activities of the organisation and which are relevant to its financial affairs
ii. Show a true and fair view of the state of the organisation’s affairs at 31 December, and of the cash flows and income and expenditure for the year then ended, taking into account where relevant and appropriate all required statutory and other disclosure requirements.
Standards of Audit
5. We will undertake the audit of the organisation’s financial statements and such other matters as the Board of Directors requires in accordance with Generally Accepted Auditing Standards, having regard to applicable auditing guidelines and auditing standards issued by the relevant authorities.
a. We, as Auditor, are responsible for making a report to the Board of Directors on the financial statements which are to be laid before the Board of Directors during our tenure of office.
6. Our report will state whether in our opinion the financial statements show a true and fair view of the organisation’s affairs at 31 December, and of the cash flow and income and expenditure for the year then ended.
7. In arriving at our opinion we are required to consider the following matters and to report on any aspect where we are not satisfied, namely whether:
• Proper records are being kept by the organisation;
• The financial statements agree with the accounting records;
• We have obtained all the information and explanations we think are necessary for the purpose of our audit;
• The financial statements comply with all legislative or regulatory requirements.
8. We will also report to the Board of Directors as to whether, in all material respects, monies expended from whatever source, administered by the organisation for specific purposes, have been properly applied to those purposes and, if appropriate, managed in compliance with any relevant legislation.
9. We agreed with the organisation the wording of an unqualified audit report at the time of our appointment. Any subsequent modifications or qualifications will be based on our professional judgement, but will comply with Generally Accepted Auditing Standards.
10. We undertake to report to the Board of Directors any significant matters arising from the audit which might lead to material errors or have an impact on future audits. This could include areas where economies might be made or resources could be used more effectively, with advice for improvement. The management letter could include:
• Weaknesses in the structure of accounting systems and internal control;
• Deficiencies in the operation of accounting systems and internal control, including Internal Audit;
• That the work of Internal Audit has been assessed, and the extent to which reliance can be placed on the work of Internal Audit in support of external audit work;
• Inappropriate accounting practices and regulations;
• Non-compliance with legislation, accounting standards, Board of Directors requirements or other regulations.
Irregularities, Including Fraud
11. The Board of Directors is responsible for ensuring the establishment and maintenance of adequate risk management, control and governance arrangements. It is also responsible for ensuring compliance with statutory, taxation and other regulations and for the prevention and detection of irregularities, including fraud. We are not required to search specifically for such matters and our audit should not therefore be relied on to disclose them. However, we will plan and conduct our audit so that we have a reasonable expectation of detecting material misstatements in the accounts resulting from irregularities, including fraud or breach of regulations.
12. We will report in writing to the Board of Directors any serious weaknesses, fraud, irregularities or accounting breakdowns we come across in the normal course of our duties.
Other Work
13. We may be asked from time to time to provide additional services beyond the scope of the audit described above. This could involve investigation work and value for money reviews. Precise requirements will be agreed between the Board of Directors and ourselves in a separate engagement letter before any work is undertaken. Any systems development or consultancy work will be the responsibility of separate staff.
Access
14. We shall have rights of access at all times to the books, accounts and vouchers of the organisation and to such information and explanations as we think necessary to perform our duties. We also expect to have access to Internal Audit files and working papers. We, in turn, agree to comply with any requests from Internal Audit and the Board of Directors for access to any information, files or working papers obtained or prepared during our audit which they need to discharge their responsibilities. Where necessary, the Board of Directors will exchange letters dealing with confidentiality and the terms under which access is given with both parties.
15. We shall have the right of access to the Chairperson of the Audit Committee, the right to ask the Chairperson to convene a meeting of the Audit Committee if necessary, and the right to attend Audit Committee meetings where relevant business is to be discussed.
Annual Meetings
16. We will be entitled to attend the meeting of the Board of Directors to which the organisation’s annual reports and financial statements of accounts are presented. We will also be entitled to receive all notices of and other communications relating to that meeting which any member of the Board of Directors is entitled to receive, and to be heard at any such meeting on any part of the business which concerns us as External Auditor.
Termination of Appointment
17. We understand that if there are serious shortcomings on our part the Board of Directors may pass a resolution to remove us before the expiry of our term of office, notwithstanding any agreement between us and the organisation.
Fees
18. (A paragraph setting out the External Auditor’s terms for charging and collecting fees should be included.)
Other Terms
19. (The External Auditor may include certain additional paragraphs for internal purposes, for example on confidentiality, conflicts of interest, quality of service, complaints procedure and legal jurisdiction.)
Agreement of Terms
20. If the contents of this letter are not in accordance with your understanding of the arrangements made, we shall be pleased to receive your observations and give you any further information you require. Otherwise we shall be grateful if you would confirm in writing your agreement to the terms of this letter by signing the enclosed copy and returning it to us. Once agreed, this letter will remain effective from one audit appointment to another until it is replaced.
Yours sincerely
(Signed by the External Auditor)
On behalf of the Board of Directors of (organisation), I confirm that the above terms are satisfactory.
Signed
Position
Date
Appendix R. Guidelines for Hiring the Chief Audit Executive (CAE)
The Internal Audit function is a key mechanism in the internal control structure, so careful efforts must be taken in hiring the right Chief Audit Executive (CAE), one that fits the needs of the organisation with the necessary technical expertise, but also one that meets other requirements (industry experience, temperament, integrity, management and human relationship skills, etc.).
Role of the Chief Audit Executive
A critical activity of the Audit Committee is to be involved in the hiring of the CAE of the organisation. The CAE will have a high degree of interaction with the Audit Committee, so the Audit Committee should be comfortable working with this person. In many companies, the CAE will report functionally to the Audit Committee and administratively to a senior executive of the company.
CAE Qualifications
In general, candidates for a CAE position should have distinguished themselves professionally by earning a CPA or Certified Internal Auditor (CIA) credential, significant experience (10 years or more) in a management role, and strong technical skills in accounting and auditing. In addition, because of the breadth of experience it offers, the Audit Committee should seek candidates that have experience in public accounting (or its equivalent) and possibly an advanced business degree such as an MBA. The following questions are ones the Audit Committee should consider asking candidates that have passed the initial employment screening by either the organisation’s human resources department or an outside recruiting firm. Note that some sample questions may not be appropriate for your organisation or the candidate.
1. What do you consider to be Internal Audit’s role within the business?
2. What do you see as the biggest challenges for an Internal Audit team in the short run (3 to 6 months), medium term (6 to 12 months) and over the next 2 to 3 years?
3. What experience do you have in our industry, and how do you plan to keep abreast of the significant developments relevant to Internal Audit in this industry? What is your experience in addressing different business practices in different countries?
4. Have you ever been offered a gratuity or a payment that could be construed as a bribe? What were the circumstances, and how did you handle the situation?
5. Have you worked with Audit Committees in the past? What processes have you put in place to keep the Audit Committee fully and appropriately informed? In the course of a year, what is the typical number of meetings/communications between the CAE and the Audit Committee (chair)?
6. In your previous company, what type of technology platform was used? Have you been involved in an enterprise resource planning (ERP) system implementation? What role did you play in the process and how did you make sure that the proper controls were in place when the system went live?
7. Give some examples of situations you have faced that required special meetings with the Audit Committee in executive session as a result of disagreements with management. How were these situations resolved with management? Have there been situations in which management has tried to squash your recommendations or discredit your findings, and how did you respond to this? In retrospect, would you now handle these situations differently?
8. Have you worked with the Audit Committee of Sponsoring Organisations (the Treadway Commission) Internal Control Framework? How has the framework influenced your process in evaluating the adequacy of internal controls? How is this framework used to design your Internal Audits?
9. Have you used technology in conducting Internal Audits, and how has it enhanced conducting of the Internal Audit? How would you recognise a problem that might exist either in the Internal Audit data, or in the company’s records? What would you do about it?
10. Do you use a formal project planning process, which is applied consistently, for all Internal Audits? If so, what benefits have you derived in meeting your team’s goals and objectives? What is your average report cycle time from the end of fieldwork?
11. How would you or the Internal Audit team ensure the identification of all locations required to be audited under the rules of the Sarbanes-Oxley Act with respect to section 404 on internal control? Have you ever conducted a formal risk assessment, and how have you incorporated the results into setting up an audit plan?
12. What role have you played in assisting divisions, subsidiaries, or locations in the implementation of recommendations?
13. When you or your team conducts an internal audit, do you have a service orientation to your audit process? Do you work to improve the effectiveness and efficiency of the operations and controls in each audit area? How would you make your recommendations to management? What process would you use to resolve differences of opinion?
14. Would you use a process for conducting a “customer satisfaction” survey after an internal audit is completed? How would you integrate this feedback into future audits?
15. How would you ensure that the personnel in Internal Audit have the necessary skills to ensure an adequate understanding of divisional or departmental business?
16. What roles do the organisation’s strategic and technology plans play in the development of an audit plan?
17. Have you gone out to divisions, subsidiaries, or locations to ensure that they have significant input into audit objectives and scopes? How is this achieved? How have you resolved differences of opinion in this area without compromising the goals you have established for an audit?
18. How many people have you managed, either as direct reports, or within an organisation that you might have overseen? How would you describe your management style? Have you ever participated in a 360-degree assessment process? If so, what did you learn about yourself that surprised you? How did the results of the assessment change your behaviour?
Appendix S. Internal Audit: Model of the Terms of Reference
The Internal Audit Department is responsible for providing an objective, independent appraisal of all the organisation’s activities, financial and otherwise. It should provide a service to the whole organisation, including the Board of Directors and all levels of management. It is not an extension of, nor a substitute for, good management, although it can have a role in advising management. The Internal Audit Department is responsible for evaluating and reporting to the organisation’s Audit Committee and Board of Directors, thereby providing them with assurance on the arrangements for risk management, control and governance. It remains the duty of management, not Internal Audit, to operate these arrangements.

Scope

The entire organisation’s activities fall within the remit of the Internal Audit Department. The Internal Audit Department will consider the adequacy of controls necessary to secure propriety, economy, efficiency and effectiveness in all areas. It will seek to confirm that management has taken the necessary steps to achieve these objectives and manage the associated risks. The scope of Internal Audit work should cover all operational and management controls, and should not be restricted to the audit of systems and controls necessary to form an opinion on the financial statements. This does not imply that all systems will be subject to review, but rather that all will be included in the audit risk assessment and hence considered for review following the assessment of risk. It is not within the remit of the Internal Audit Department to question the appropriateness of policy decisions. However, Internal Audit is required to examine the arrangements by which such decisions are made, monitored and reviewed, and related risks identified and managed.

The Internal Audit Department may also conduct any special reviews requested by the Board of Directors, Audit Committee or Management, provided such reviews do not compromise its objectivity or independence, or achievement of the approved audit plan.

Responsibilities

The Chief Audit Executive is required to give an annual opinion to the Board of Directors, through the Audit Committee, on the adequacy and effectiveness of the arrangements for risk management, control and governance and for economy, efficiency and effectiveness (value for money) within the organisation, and the extent to which the Board of Directors can rely on these. The Chief Audit Executive should also comment on other activities for which the Board of Directors is responsible, and to which the Internal Audit Department has access. To provide the required assurance, the Internal Audit Department will undertake a programme of work, based on a strategy authorised by the Board of Directors or the Audit Committee.
The programme will evaluate the arrangements in place to:
• Establish and monitor the achievement of organisational objectives
• Identify, assess and manage risks to the achievement of those objectives
• Assess compliance with policies, laws and regulations
• Ascertain the integrity and reliability of financial and other information provided to management and stakeholders, including that used in decision-making
• Ascertain that systems of control are laid down and operate to promote the economic, efficient and effective use of resources and to safeguard assets.
Standards and Approach

The Internal Audit Department’s work will be performed with due professional care, in accordance with Generally Accepted Auditing Standards. In achieving its objectives, the Internal Audit Department will develop and implement an audit strategy that assesses the organisation’s arrangements for risk management, control and governance and for achieving value for money. The Chief Audit Executive will implement measures to monitor the effectiveness of the Department and compliance with standards. The Audit Committee will consider and approve these performance measures and may also ask the External Auditor to provide an independent assessment of Internal Audit’s effectiveness.

Independence

The Internal Audit Department has no executive role, nor does it have any responsibility for the development, implementation or operation of systems. However, it may provide independent and objective advice on risk management, control and governance, value for money and related matters, subject to resource constraints. Within the organisation, responsibility for risk management, control and governance arrangements and the achievement of value for money rests with the Board of Directors and the Management, who should ensure that appropriate and adequate arrangements exist without reliance on the organisation’s Internal Audit Department. Where there are differences of opinion between Internal Audit and the Management, the Board of Directors (on the advice of the Audit Committee) should ultimately determine whether or not to accept audit recommendations, recognise and accept the risks of not taking action, and instruct management to implement recommendations.

Access

The Internal Audit Department has rights of access to all the organisation’s records, information and assets which it considers necessary to fulfil its responsibilities.
The Chief Audit Executive has a right of direct access to the Chairperson of the Board of Directors and the Chairperson of the Audit Committee. In turn, the Internal Audit Department agrees to comply with any requests from the External Auditor for access to any information, files or working papers obtained or prepared during audit work which they need to discharge their responsibilities.

Reporting

The Chief Audit Executive must submit an annual report to the Board of Directors through the Audit Committee. This report must relate to the organisation’s financial year, and include any significant issues affecting the opinion up to the date of preparing the report. The report should give an opinion on the adequacy and effectiveness of the organisation’s arrangements for:
• Risk management, control and governance;
• Economy, efficiency and effectiveness; and
• The extent to which the Board of Directors can rely on them.
The Chief Audit Executive should also prepare, before the beginning of the year, an audit risk assessment and audit plan supported by an assessment of resource needs. These should be submitted to the Board of Directors for approval following consultation with relevant managers, and after consideration by the Audit Committee.

The Chief Audit Executive is accountable to the Board of Directors through the Audit Committee for the performance of the service. The Chief Audit Executive should also report audit findings to relevant managers and draw the attention of the Audit Committee to key issues and recommendations. This may be done by providing the Audit Committee with copies of all reports, or by reporting on an exception basis, or by providing a summary of key issues.

The Internal Audit Department should usually produce its reports, in writing, within one month of completing each audit, giving an opinion on the system reviewed and making recommendations to improve systems where appropriate. Such reports should be copied to the Audit Committee and to the External Auditor, entirely or in summary.

Managers will be required to respond to each audit report, usually within one month of issue, stating their proposed action with a timetable for implementing agreed recommendations. Material recommendations will usually be followed up within a defined timescale. In addition, the Audit Committee will monitor the implementation of audit recommendations.

The Chief Audit Executive should report to the Management any serious weaknesses, significant fraud or major accounting breakdown discovered during the normal course of audit work. If the Management refuses to report the matter to the Chairperson of the Audit Committee and to the Chairperson of the Board of Directors, then the Chief Audit Executive must report to them directly.

Liaison

The Chief Audit Executive will liaise with the External Auditor to optimise the audit services provided to the organisation.
Appendix T. Engaging Independent Counsel and Other Advisers
When selecting independent counsel or other advisers (expert/adviser) for an engagement within the company, the Audit Committee should not only consider the education, training, and experience of the specialists and staff assistants actually performing the work, but it should determine that the service provider: (1) maintains integrity and objectivity; (2) is free of conflicts of interest with respect to the members of the Audit Committee and the organisation; (3) has the expertise and resources necessary to do the work it is under consideration to do; and (4) has a reputation for reliability, among other considerations.

Although the nature of every engagement will be different, the initial steps the Audit Committee (or its designee) should undertake when engaging external resources include the following:
1. Determine that the expert/adviser has the competence and experience to perform the requested service. Check references with other clients of the service provider.
2. Determine whether the expert/adviser has a conflict of interest with respect to the organisation. Such a conflict might arise if the expert/adviser has a relationship with the External Auditor, or if they provide service to a competitor. Depending on the nature of the service to be offered, a conflict could arise if the expert/adviser has a relationship with a member of the Board of Directors, or a member of the organisation’s management. Be aware of other potential conflicts of interest that may distract, or undermine, the work to be done.
3. Determine if the expert/adviser has sufficient resources to perform the work in the time frame specified by the Audit Committee.
4. Evaluate the scope of work to be performed and other issues, including the proposed plan for payment of fees and expenses.
5. Make sure all parties (including management and the expert/adviser) understand that the Audit Committee is the owner of the service relationship. Make sure that management understands that the expert/adviser is working on behalf of the Audit Committee and the Audit Committee expects management to be fully cooperative and forthcoming with respect to any information that may be requested.
6. Determine the criteria that will be used to measure the expert’s/adviser’s work and document those criteria in an agreement with the service provider.
Appendix U. Model of an Internal Audit Plan
The role of Internal Audit is to provide an independent, objective opinion on an organisation’s risk management, internal control and governance and the processes in place for ensuring effectiveness, efficiency and economy. Each audit plan will be different and tailored to the organisation’s needs. However, there are common elements that the Audit Committee should expect to see when reviewing the audit plan, albeit in practice these elements might be presented in many different ways. These elements are as follows.

Overview of the Audit Approach

The Audit Committee should expect the audit planning document to set out that the audit plan has been developed by:
• Taking account of the risks identified by the organisation in its risk register and other documents;
• Using Internal Audit’s experience of the organisation and the sector more generally to identify other areas of risk which may warrant attention;
• Discussing all identified risks and other relevant issues with the organisation’s management to identify the potential scope of Internal Audit.
Risk-focused Internal Audit Coverage

Where the organisation’s risk management policy allocates each risk a likelihood and impact rating between ‘high’ and ‘low’, the audit plan might for example focus on ‘high’ and ‘medium’ priority risks over (say) a three-year period. However the Internal Audit is focused, the Audit Committee should be fully informed of:
• Which areas are being addressed;
• How many audit days have been allocated to each area;
• When the fieldwork is being undertaken;
• When Internal Audit will report their findings.
Other Reviews

The Internal Audit strategy may address some areas that do not feature as a high or medium risk. These are nevertheless areas where the organisation would benefit from an Internal Audit review, or they are being reviewed to provide assurance to the Audit Committee and to the External Auditor regarding operation of the key financial and management information systems. The audit days, fieldwork and reporting expectations for these areas should also be identified in the audit plan.

Contingencies

It is important to adopt a flexible approach in determining Internal Audit resources, in order to accommodate any unforeseen audit needs. The audit plan should give an indication as to how many ‘man days’ have been allowed for contingencies.

Follow-up

For Internal Audit to be as effective as possible, its recommendations need to be implemented. Specific resources should be included within the plan to provide assurance to the organisation and the Audit Committee that agreed audit recommendations have been implemented effectively and on a timely basis.

Planning, Reporting and Liaison

The Audit Committee should expect the Internal Audit plan to identify a number of audit days relating to the following:
• Quality control review by the audit manager;
• Production of reports, including the strategic plan and annual Internal Audit report;
• Attendance at Audit Committee meetings;
• Regular contact with the organisation’s management;
• Liaison with the External Auditor;
• Internal quality assurance reviews.
The Internal Audit Team

Where the Internal Audit is outsourced, the Audit Committee (and management) should expect a brief introduction to the key individuals working on the audit. This might include partners, managers and any specialist advisers.

Timing

The audit plan should set out the timing of the fieldwork and confirm the form and timeliness of reports to management and to the Audit Committee. For example:
• A report for each area of work undertaken within X days of finishing the fieldwork;
• A progress report for each Audit Committee meeting;
• An annual report on Internal Audit coverage to the Audit Committee (reporting to fit in with the Audit Committee meeting dates).
Internal Audit Performance Indicators

Internal Audit might propose a series of performance indicators against which management and the Audit Committee can measure the audit’s performance.
Appendix V. Model of an Internal Audit Report
The role of Internal Audit is to provide an independent, objective opinion on an organisation’s risk management, internal control and governance and the processes in place for ensuring effectiveness, efficiency and economy. Each audit report will be different and tailored to the organisation’s needs. However, there are common elements that the Audit Committee should expect to see when reviewing the audit reports, or a summary of those reports, albeit in practice these elements might be presented in many different ways. These elements are as follows:

Background and introduction - Places the audit report within the context of the overall audit plan.

Definitions - Defines any ‘priority’ or ‘risk’ terminology used in the report. For example:
• High - Inadequate systems and controls which if not addressed could expose the organisation to significant financial, operational or reputational risk and adversely impact on implementation of its strategic plan.
• Medium - Systems and controls which are not fully effective, and failure to improve them could adversely affect operational plans at departmental level.
• Low - Good practice dictates that some enhancements to existing systems and controls are desirable.
Objectives - Describes the purpose of the audit.

Executive summary - A summary of the key observations, findings and recommendations. This section might deal only with those findings deemed high risk or priority.

Observations and findings - Details of the control weaknesses identified during the audit, together with any other observations.

Opinion - Sets out the Auditor’s opinion of the systems being audited.

Summary - Sets out:
• Risk management and control weaknesses.
• Recommendations to enhance risk management and controls.
• The priority of the recommendation.
• Management’s response.
• Responsibility for action.
• Implementation timetable.
It is particularly important for the Audit Committee to ensure follow-up on Internal Audit recommendations, to make sure that management is taking effective corrective action in a timely manner.
Appendix W. Evaluation of Internal Audit
The following is a four-part checklist of questions to consider as part of a complementary framework for assessing the Internal Audit function. Section A addresses the Audit Committee’s own perceptions of the Internal Audit function. Where appropriate, Sections B, C and D can be used to record the views of management, the External Auditor and, where the organisation has its own in-house Internal Audit function, the Chief Audit Executive (i.e. self-assessment).

Section A

This part of the checklist should be completed by the Audit Committee prior to feedback from other areas of the organisation.

Understanding

1. How well does Internal Audit demonstrate that it:
• Recognises its direct reporting responsibility to the Board of Directors and to the Audit Committee?
• Has a strong understanding of the responsibilities and operation of the Audit Committee?
• Understands the expectations of the Audit Committee and the Board of Directors?
• Understands the organisation’s business and risk environment?
Charter and Structure

1. Do the terms of reference for Internal Audit define:
• Roles and responsibilities, including those in relation to other internal functions?
• Expectations of management?
• Scope of Internal Audit work?
• Access to information?
2. Evaluate Internal Audit’s terms of reference in light of the organisation’s current and future needs.
3. Are Internal Audit’s terms of reference visible to all appropriate people within the organisation?

Skills and Experiences

1. How well does Internal Audit’s staffing reflect its roles and responsibilities?
2. On the basis of the work performed by Internal Audit over the past 12 months, does it appear to have the right staff mix and competences in any specialist areas?
3. Evaluate Internal Audit’s independence from the activities it audits.
4. How would you assess the Audit Committee’s confidence in Internal Audit?

Communication

1. Has Internal Audit attended all the Audit Committee meetings it was scheduled to attend?
2. Has Internal Audit made itself available for consultation outside of Audit Committee meetings?
3. Evaluate Internal Audit’s responsiveness to requests from the Audit Committee, including requests for special investigations.
4. Evaluate Internal Audit’s frankness and candour with the Audit Committee.
5. Evaluate Internal Audit’s handling of difficult or contentious issues.
6. Does Internal Audit ensure that the Chairperson of the Audit Committee is fully briefed on significant findings or developments prior to Audit Committee meetings?
7. Evaluate the usual level of preparation for Audit Committee meetings demonstrated by Internal Audit.
8. Evaluate the quality, relevance and clarity of Internal Audit reports/papers tabled with the Audit Committee.
9. Have reports been received from Internal Audit on a timely basis?
10. Does Internal Audit promptly advise the Audit Committee about significant issues and developments, including on special projects such as fraud investigations?
11. Does Internal Audit promptly advise the Audit Committee about significant changes to the Internal Audit plan?
12. Evaluate the strength of Internal Audit’s process for monitoring the status of open matters / recommendations.
13. Has Internal Audit contributed to the Audit Committee’s understanding of the overall assurance framework within the organisation and the role that Internal Audit plays in this framework?

Performance

1. Assess the quality of the Internal Audit plan in terms of its:
• Comprehensiveness, clarity and timeliness.
• Coverage of priority and high-risk areas.
2. Did the original Internal Audit plan leave unanswered any significant issues of concern to the Audit Committee?
3. Is it clear from its reporting to the Audit Committee that Internal Audit:
• Has delivered the services outlined in the plan?
• Has been in accordance with the agreed timetable?
• Has performed the audit work necessary to reach its opinions/conclusions?
4. Is there evidence of effective co-ordination of internal and external audit work?
5. Are success measures (or key performance indicators) used for evaluating the performance of the Internal Audit function and, if so, have they been achieved?
6. Do you consider that Internal Audit has added value to the organisation?
7. In what way has Internal Audit added value to the organisation?
8. How would you assess Internal Audit’s overall performance?

Section B

This part of the checklist should be completed by the Chief Financial Officer and/or other senior managers and officers who have regular contact with Internal Audit.

Planning

1. Are Internal Audit’s terms of reference sufficiently visible to everyone within the organisation?
2. Has there been sufficient pre-planning and co-ordination by Internal Audit before the start of each phase of the Internal Audit or special project?
3. Has Internal Audit discussed its approach and major areas of audit focus with you?
4. Have you raised any major areas of concern that have not been reviewed by the Internal Audit team?

Skills and Experience

1. Do you consider that the Internal Audit team have sufficient expertise, professional experience, project management ability, interpersonal skills and seniority to effectively carry out the work required?
2. Assess the strength of Internal Audit’s understanding of the organisation and its risk involvement.
3. How strongly have the members of the Internal Audit team demonstrated an appreciation of the issues key to your role and responsibilities?
4. Have members of the Internal Audit team consistently demonstrated independence in all their deliberations?
5. Have members of the Internal Audit team been adequately supervised?

Work Programme

1. Has effective co-operation been achieved between Internal Audit and your department, including avoidance of undue disruption to normal activities?
2. Is there a formal process to ensure that Internal Audit keeps you up to date with audit/project progress?
3. Has Internal Audit provided early identification and advice regarding contentious issues, problem areas and delays?
4. Has Internal Audit suggested how such issues could be resolved?
5. Were such suggestions realistic, robust and presented clearly and on a timely basis?
6. How responsive has Internal Audit been to the organisation’s needs, including requests for special investigations?
7. Are Internal Audit reports:
• Relevant, clear and constructive?
• Sufficiently detailed to provide assurance that the necessary audit work has been carried out to support the opinions/conclusions?
• Sufficiently detailed to enable effective management action?
• Issued on a timely basis?
8. Have Internal Audit findings been discussed with you prior to being tabled with the Audit Committee?
9. Has Internal Audit followed up recommendations to see if they have been implemented?
10. Do you have any major unresolved disagreements with Internal Audit?

Overall Performance

1. Has Internal Audit added value to the organisation?
2. In what ways has Internal Audit added value to the organisation?

Section C

This checklist should be completed by the External Auditor.

Terms of Reference

1. Evaluate Internal Audit’s current terms of reference given your understanding of the organisation, its risk environment and current developments in Internal Audit.
2. From your knowledge of Internal Audit and industry best practice, do you consider that Internal Audit’s current terms of reference are maintained at a high-quality level?

Skills and Experience

1. Do you consider the Internal Audit team to have the professional experience, technical skills, interpersonal skills and seniority to effectively carry out the Internal Audit work required?
2. Evaluate the senior members of the Internal Audit team’s understanding of the organisation, its business and its risk environment.
3. From your dealings with members of the Internal Audit team and your knowledge of Internal Audit and industry best practice, evaluate the sufficiency of Internal Audit’s resources to adequately deliver the services outlined in its Internal Audit plan within the timeframes identified.
4. Does Internal Audit’s staffing appear to adequately reflect its roles and responsibilities?
5. In your assessment, is the Internal Audit methodology robust and does it reflect the latest thinking in Internal Audit?

Work Programme

1. Are there regular discussions between internal and external audit on strategies for internal and external audit, assessment of risks and the implications of audit findings/audit work?
2. Has progress against the plan been monitored jointly by internal and external audit regularly throughout the year?
3. Have you received copies of all Internal Audit reports issued by Internal Audit?
4. Have copies of Internal Audit reports been received on a timely basis?
5. Are Internal Audit reports of a standard comparable to best practice in other organisations?
6. To the best of your knowledge, are there any major areas of risk or concern that Internal Audit has not appeared to cover?

Section D

Where the organisation has its own in-house Internal Audit function, the Audit Committee might ask the Chief Audit Executive to complete this checklist (i.e. self-assessment).

Understanding

1. Evaluate Internal Audit’s understanding of:
• The responsibilities and operation of the Audit Committee.
• The organisation.
• The organisation’s risk environment.
• The organisation’s control framework.
Charter and Structure
1. Do the terms of reference for Internal Audit define in sufficient detail for the purposes of directing Internal Audit:
• Roles and responsibilities, including those in relation to other internal functions?
• Expectations of the Board of Directors/Audit Committee, officers and management?
• Scope of Internal Audit work?
• Access to information?
2. Evaluate Internal Audit’s current terms of reference in light of the organisation’s current and future needs.
3. Assess the structure of Internal Audit in terms of enhancing its:
• Objectivity.
• Understanding of the organisation’s business issues.
• Ability to respond to the organisation’s needs.
Skills and Experience

1. Assess the staff mix and competences of the Internal Audit team.
2. Evaluate Internal Audit’s independence from the activities it audits.

Communication

1. Evaluate Internal Audit’s responsiveness to requests from the Audit Committee, including requests for special investigations.
2. Evaluate Internal Audit’s frankness and candour with the Audit Committee.
3. Evaluate Internal Audit’s handling of difficult or contentious issues.
4. Over the last 12 months, has the Chairperson of the Audit Committee been fully briefed on significant findings or developments prior to Audit Committee meetings?
5. Evaluate Internal Audit’s process to monitor the status of open matters / recommendations.

Performance

1. In what way has Internal Audit added value to the organisation?
2. How would you assess Internal Audit’s overall performance?
Appendix X. Self-Assessment of the Audit Committee
This self-assessment has been prepared for Audit Committee members. It is intended that each Audit Committee member will complete it independently. The assessment exercise could be carried out at a special meeting of the Audit Committee or at some form of away-day. The Chairperson of the Audit Committee or an external facilitator should, after collating the responses, lead a discussion on the key points arising from the questionnaire and feed back any matters of interest, focusing on those areas which clearly need improvement or where there is great variation in answers. When using a facilitator, care needs to be taken if this person is in some way conflicted because of the closeness of his or her relationship with the Audit Committee; for example, a degree of circularity is involved in using the Internal or External Auditor, as the Audit Committee has a responsibility to review the Auditor’s performance. The results of the self-assessment and any action plans arising should be reported to the Board of Directors after discussion with the Chairperson of the Board of Directors.

The Chairperson of the Audit Committee may wish to tailor this checklist to the specific circumstances of their organisation, giving more weight to some aspects of the self-assessment than others. Appropriate weighting will be influenced by a number of factors including, but not limited to:
• The Audit Committee’s terms of reference.
• The organisation’s strategies and risk assessments.
• The organisation’s risk and control environment.
• The outcomes of previous self-assessments.
• The stage of maturity of the Audit Committee.
• The views of stakeholders on the organisation’s corporate governance performance.
• Current and emerging trends and factors.
The Chairperson of the Audit Committee may wish to adapt the questionnaire such that the full version is carried out on a cyclical basis, say every three to five years. In the intervening years, they may choose to evaluate the Audit Committee’s effectiveness by means of a general discussion around the Audit Committee table, or by using a curtailed form of the questionnaire.

Creating an effective Audit Committee

1. Have the Audit Committee’s terms of reference been approved by the Board of Directors?
2. Does the Audit Committee review annually its terms of reference and recommend any necessary changes to the Board of Directors?
3. Is there clarity around what is expected of the Audit Committee (e.g. how the Audit Committee supports the Board of Directors in discharging its responsibility for governance, risk and control)?
4. Are Committee members independent of the organisation’s management, and do they exercise their own judgement, voice their own opinions and act freely from any conflicts of interest?
5. Are Committee members appointed by the Board of Directors on the basis of agreed criteria, and are appropriate succession plans in place?
6. Does the Audit Committee have sufficient skills, experience, time and resources to undertake its duties, including at least one member with recent and relevant experience in finance, accounting or auditing?
7. Is the Audit Committee over-reliant on any individual member (e.g. the member with recent and relevant experience in finance, accounting or auditing)?
8. Does the Audit Committee have sufficient understanding of the organisation and the industry (e.g. how the organisation operates within the industry)?
9. Do all Committee members demonstrate the highest level of integrity (including maintaining utmost confidentiality and identifying, disclosing and managing conflicts of interest)?
10. Does the Audit Committee have access to appropriate secretarial services?
11. Are funds available to enable the Audit Committee to take independent legal, accounting or other advice when it reasonably believes it necessary to do so?

Running an Effective Audit Committee

1. Does the Chairperson of the Audit Committee have an effective leadership style (e.g. decisive, open-minded, courteous, sets a good example, allows members to contribute, holds members to high standards)?
2. Does the Chairperson of the Audit Committee ensure a healthy dynamic (e.g. relates well to other members/attendees, deals effectively with dissent and works constructively towards consensus)?
3. Does the Chairperson ensure that the Audit Committee’s workload is dealt with effectively?
4. Does the Audit Committee work constructively as a team?
5. Does the Audit Committee maintain constructive working relationships with those individuals who attend its meetings?
6. Does the relationship between the Audit Committee and a) the chief executive and b) members of the senior management team strike the right balance between challenge and mutuality?
7. Do the Audit Committee’s discussions enhance the quality of management’s decision-making (e.g. does the Audit Committee engage those reporting to it in dialogue that stimulates and enhances their thinking and performance)?
8. Does the Audit Committee provide effective support to the Board of Directors in fulfilling its responsibilities and adding value to the organisation?
9. Does the Audit Committee have a comprehensive work plan that covers its main responsibilities and maps across to the requirements of the Board of Directors?
10. Do the meeting arrangements enhance the Audit Committee’s effectiveness (e.g. frequency, timing, duration, venue and format)?
11. Do Audit Committee meetings allow sufficient time for the discussion of substantive matters?
12. Are meeting agendas and related background information circulated in a timely manner to enable full and proper consideration to be given to the issues?
13. Are the papers provided to the Audit Committee appropriate (e.g. not overly lengthy and clearly explaining the key issues and priorities)?
14. Is sufficient time allowed between Audit Committee meetings and meetings of the Board of Directors to allow any work arising to be carried out and reported to the Board of Directors as appropriate?
15. Is the Audit Committee free from inappropriate management influence during meetings?
16. Are meeting attendees (e.g. officers and External Auditor) appropriately involved in Audit Committee meetings?
17. Are arrangements in place for the Audit Committee to meet with the External and Internal Auditors during the year without the presence of management?
18. Are the meeting minutes clear, accurate, consistent, complete and timely, and do they include key elements of debates, appropriate details of recommendations and any follow-up action?
19. Does the follow-up process for outstanding actions arising from Audit Committee meetings work well?
20. Do the Auditors (internal and external) co-operate appropriately to ensure the completeness of assurance coverage?
21. Is the dialogue with Internal and External Auditors and management appropriate given the work the Audit Committee undertakes? Is ‘bad news’ communicated to the Audit Committee in a timely manner?
22. Is the Audit Committee kept fully informed on all material matters between meetings, including appropriate external information (e.g. emerging risks and material regulatory changes)?
23. Does the Audit Committee report to the Board of Directors on a timely and accurate basis, and are such communications comprehensive, meaningful and focused?

Professional Development
1. Is an induction programme provided for new Audit Committee members (e.g. the Audit Committee’s role, terms of reference and expected time commitment by members; overview of the organisation; and the main operational and financial dynamics and risks)?
2. Do Audit Committee members receive appropriate and timely ongoing professional development (e.g. regulatory matters, accounting and financial reporting, audit and risk)?
3. Do Audit Committee members have the opportunity to attend formal courses and conferences, internal talks and seminars, and briefings by external advisers such as the organisation’s auditor and lawyers?
4. Do the induction and professional development programmes adequately equip Audit Committee members to understand the organisation’s industry (e.g. operational and financial risks facing organisations within the industry)?

Overseeing Financial Reporting
1. Does the Audit Committee have effective mechanisms to understand and gain confidence over the:
• Appropriateness of the organisation’s critical accounting policies, estimates and judgements?
• Clarity and completeness of disclosures in the financial statements?
• Impact on the financial statements of any developments in accounting standards or generally accepted accounting practice?
• Statement on Internal Control included in the financial statements and the basis on which it is given?
2. If the Audit Committee were not satisfied with any aspect of the proposed financial reporting, would it report such views to the Board of Directors and seek changes?
3. Does the Board of Directors publish a balanced, comprehensive annual report on a timely basis?

Overseeing Governance, Risk Management and Internal Control
1. Is the Audit Committee satisfied that appropriate processes are in place to:
• Ensure that the Board of Directors and the management conduct themselves in accordance with high standards of behaviour?
• Ensure compliance with applicable regulation and best practice recommendations?
• Ensure the appointment of appropriate individuals to the Board of Directors, key Committees and senior management positions?
• Ensure appropriate communication with the organisation’s stakeholders, including the Board of Directors?
• Clearly articulate the organisation’s risk appetite for each material category of risk?
• Identify, evaluate and monitor key risks facing the organisation (including financial, strategic and operational – such as failure to attract and retain high-quality managers, maintaining excellence in management, and unpredictable government policy – as well as reputational)?
• Enable it to understand how each material risk may impact on the organisation’s operations and financial condition?
• Monitor changes in the organisation’s risk profile?
• Provide it with suitable reports on the effectiveness of the systems of internal control?
• Ensure that the system of key controls is fit for purpose and working as intended?
• Ensure that funds are properly safeguarded?

Overseeing Value for Money
1. Are appropriate processes and procedures in place to ensure:
• That company funds are spent for their intended purpose?
• The economy, efficiency and effectiveness of the organisation’s operations?

Overseeing External Audit
1. Does the External Auditor dedicate appropriately qualified and experienced staff and resources to the organisation’s audit?
2. Does the external audit partner make appropriate use of their direct access to the Audit Committee?
3. Are the independence and objectivity of the External Auditor compromised in any way?
4. Are the nature and extent of non-audit services provided by the Auditor appropriate?
5. Does the external audit plan focus on the organisation’s key risks and controls?
6. Is the external audit plan reviewed and approved by the Audit Committee?
7. Does the Audit Committee have an appropriate dialogue with the External Auditor regarding major issues arising during the course of the audit, the key accounting and audit judgements and the levels of errors identified during the audit?
8. Does management respond to external audit recommendations in a timely and appropriate manner?
9. Does the Audit Committee regularly review the effectiveness of the external audit?

Overseeing Internal Audit
1. Is the organisation’s Internal Audit function appropriately resourced (whether in-house, co-sourced or outsourced)?
2. Is the Audit Committee comfortable with the quality of Internal Audit work?
3. Does the Chief Audit Executive make appropriate use of his/her direct access to the Audit Committee?
4. Are the independence and objectivity of Internal Audit compromised in any way?
5. Does the Internal Audit plan focus on the organisation’s key risks and controls?
6. Is the Internal Audit plan reviewed and approved by the Audit Committee?
7. Does management respond to Internal Audit’s recommendations in a timely and appropriate manner?
8. Does the Audit Committee regularly review the effectiveness of the Internal Audit function?