or private meetings
It is good practice to at least once a year hold part oI an audit committee meeting with only the audit
committee members present (i.e. no executives or auditors in attendance). Holding such meetings
gives the audit committee members a good opportunity to discuss any issues or concerns among
themselves, and positions them to better understand and challenge management and the auditor. It is also
good practice to hold separate or private meetings with the internal and external auditors.
Typically, there should be Iew matters to discuss all key matters related to risk management,
Iinancial reporting and internal control should usually be reviewed in a candid, robust manner with the
executives, audit committee and auditor during the Iormal audit committee meeting. However, the audit
committee can use the private session to address other matters (such as issues relating to the
attitude oI management, resources and relationships) or to probe Ior additional assurance where members
were not satisIied with the answers given at the committee meeting, or iI they thought the discussions
were too guarded or uneasy.
AudIt CommIttee CuIdance
14
Reporting to the board on audit committee activities
The audit committee chair should report to the board aIter every audit committee meeting, in suIIicient
depth to enable the board to IulIil its oversight responsibilities. The minutes oI each audit committee
meeting should be prepared on a timely basis and draIted in such a manner so as to clearly:
summarise the work undertaken by the audit committee, explaining iI necessary the importance oI
the work and any conclusions drawn or actions taken; and
advise the chairman oI the board on any relevant matters, including any matter on which the audit
committee believes the board should be taking action.
Practical diIIiculties can arise when the audit committee meeting and board meeting are held such that
there is little time to prepare Iormal minutes. In such circumstances it is normal Ior the chairman oI the
audit committee to report orally to the board with the Iormal report sent to board members at a later date.
Audit committee minutes are normally copied to the head oI internal audit and the external audit partner.
Audit committee resources
The audit committee should be provided with suIIicient resources to undertake its duties and make
eIIective use oI its time. It should have access to the services oI the company secretary, in-house legal
counsel (or equivalent) on all audit committee matters including supporting the chair in planning the
committee`s work and drawing up meeting agendas, maintaining minutes, draIting material about the
committee`s activities Ior the annual report (iI applicable), co-ordinating the timely collection oI
supporting papers and distributing them, and other support as needed.
The audit committee should also be able to draw on other expertise within the organisation as
appropriate. This might include tax specialists, risk specialists or the head oI compliance.
The board should also make Iunds available to the audit committee to enable it to take independent legal,
accounting or other advice when the audit committee reasonably believes it necessary to do so.
Induction and professional development
The company should provide an induction programme Ior new audit committee members. This should
cover the role oI the audit committee, including its terms oI reIerence and expected time commitment by
members; and an overview oI the company`s business, identiIying the main business and Iinancial
dynamics and risks. It should also include meeting some oI the company staII.
ProIessional development should also be provided to members oI the audit committee on an ongoing and
timely basis and should include an understanding oI the principles oI and developments in Iinancial
reporting and related company law. In appropriate cases, it may also include, Ior example, understanding
Iinancial statements, applicable accounting standards and recommended practice; the regulatory
Iramework Ior the company`s business; the role oI internal and external auditing and risk management.
Belgium: The Belgian Act requires that: 'the audit committee shall report regularly to the board on
the exercise oI its duties, and at least when the board sets up the annual accounts, the consolidated
accounts, and where applicable the condensed Iinancial statements intended Ior publication.
(Condensed Iinancial statements are obligatory Ior Iinancial institutions.)
AudIt CommIttee CuIdance
15
Assessing the audit committee
The audit committee (and/or board/supervisory body) should consider the regular assessment oI audit
committee eIIectiveness and the adequacy oI the committee`s terms oI reIerence, work plans, on-going
practices and communication. Regular assessment may identiIy areas in which the committee and its
processes might be more eIIective, or may highlight skills and/or knowledge gaps in the committee.
Assessment oI the audit committee may lead to a request Ior additional development (Ior its members),
reIinements to committee processes and procedures or, in exceptional circumstances, require the audit
committee chairman to begin discussions on the possible recruitment oI a new member with the
chairman oI the board or nomination committee. The audit committee chairman needs to ensure that the
committee has the requisite knowledge to discharge its responsibilities at all times. For this to be
achieved, the audit committee chairman, working with the chairman oI the board or nomination
committee, should annually review the status oI succession to the audit committee and aim to ensure that
there is continuous access to suitable candidates.
When assessing its perIormance, the audit committee should consider:
o ascertaining whether the board/supervisory body is satisIied with the committee`s perIormance;
o comparing the committee`s activities to any relevant national/international guidelines or
recommendations;
o comparing the committee`s activities to leading practices adopted by other organisations;
o comparing the committee`s activities to any previously established success` criteria;
o comparing the committee`s activities to any previously identiIied shortcomings; and
o comparing the committee`s activities to the terms oI reIerence, the committee`s aspirations and
any objectives set by the board/supervisory body.
The committee should also consider requesting Ieedback on its perIormance Irom management, internal
and external auditors and other stakeholders.
Luxembourg: A recommendation Irom the Luxembourg Stock Exchange is that Ior new members oI
the audit committee, the training programme should include an overview oI the company`s internal
control and risk management systems. In particular, they should receive comprehensive inIormation
on accounting, Iinancial and operational matters and have contact with the external and internal
auditor.)
France: The French Corporate Governance Code ('AFEP/MEDEF Code) sets out that the board
should, Irom time to time, review its membership, organisation and operation - which suggests a
corresponding review oI the board`s committees. Accordingly, each board should think about the
desirable balance in its membership and that oI its committees; and consider the adequacy oI its
organisation and operation Ior the perIormance oI its tasks.
AudIt CommIttee CuIdance
16
Questionnaires are one mechanism that audit committees can use to Iacilitate the assessment. However,
Iace-to-Iace discussions including inIormal meetings and sessions with the auditors during
regular audit committee meetings can enrich the assessment process and ensure the process Iocuses on:
o what the committee is Ior and what success looks like;
o whether others within the company understand what the audit committee is supposed to do;
o outcomes rather than activities not what the committee did, but how it did it;
o whether time is spent in the right areas;
o what impact the committee has had; and
o whether the committee has added value to the governance process.
The output Irom the assessment process and any recommendations arising should be reported to the
board/supervisory body.
AudIt CommIttee CuIdance
17
Chapter 3: Monitoring the financial reporting process
It is the role oI management to prepare complete and accurate Iinancial statements in accordance with
Iinancial reporting standards and applicable rules and regulations. The audit committee plays an
important oversight` role in providing the board/supervisory body with assurance as to the propriety oI
the Iinancial reporting process.
To perIorm their role eIIectively, the audit committee needs to understand the context Ior Iinancial
reporting, and in particular:
o management`s responsibilities and their representations to the committee;
o management`s remuneration plan, especially any incentive arrangements;
o the external auditor`s responsibilities under generally accepted auditing standards;
o the nature oI critical accounting policies, judgements and estimates; and
o any signiIicant or unusual transactions where the accounting is open to diIIerent approaches.
Audit committees should be conIident that they are being made aware oI any relevant accounting policy
or disclosure issues or changes, and that this inIormation is communicated to them early enough to
enable appropriate action to be taken. A regular two-way dialogue between the audit committee and the
CFO should take place. The audit committee should also look to the statutory auditor Ior support, using
the auditor`s insights to help to identiIy potential issues early and assist the committee to oversee the
quality and reliability oI Iinancial inIormation.
At the core oI the audit committee`s discussions with management and the statutory auditor should be its
assessment oI the appropriateness oI the institution's accounting policies, underlying judgements and
estimates, and the transparency oI the Iinancial disclosures in reIlecting Iinancial perIormance.
Critical accounting policies, judgements and estimates
In order to properly understand and assess the quality oI critical accounting policies, judgements and
estimates the audit committee should:
o consider the appropriateness oI management`s selection oI accounting principles and critical
accounting policies. Have they changed in the current period? Why have they changed? How
might the changes aIIect current and Iuture Iinancial statements?
o assess management`s judgements and critical accounting estimates. What are the key
assumptions behind those estimates? How sensitive are current and Iuture Iinancial statements
to changes in those assumptions?
o question the degree oI aggressiveness or conservatism surrounding management`s judgements
and estimates. Is there potential Ior management bias in developing the estimates?
o consider any alternative accounting treatments. What are other companies doing in similar
circumstances?
Without prejudice to the responsibility oI the members oI the administrative, management or
supervisory bodies, or oI other members who are appointed by the general meeting oI shareholders oI
the audited entity, the audit committee shall, inter alia....
(a) monitor the Iinancial reporting process.
Article 41(2) 8
th
Company Law Directive of the European Union
AudIt CommIttee CuIdance
18
o ensure the statutory auditor is satisIied that managements accounting policies, judgements and
estimates reIlect an appropriate application oI generally accepted accounting practice.
When considering the impact on the Iinancial statements oI any changes to accounting standards or
generally accepted accounting practices, the audit committee should satisIy itselI that:
o management has suIIicient resources devoting appropriate attention to understanding recent
developments in Iinancial reporting; and
o the application oI new requirements is appropriate in light oI the nature oI the institution`s
operations and signiIicant transactions.
The preparation oI Iinancial statements requires numerous judgements and estimates. Each judgement or
estimate can signiIicantly impact a company`s Iinancial statements and each estimate has a range oI
possible and supportable results. Understanding the company`s business, as well as the industry in which
it operates, will help the audit committee to Iocus on the appropriateness oI the company`s approach.
Audit committees should understand the circumstances in which management may Ieel pressure to
engage in inappropriate earnings management. It could be that: market expectations are unrealistic;
targets are not being met; or management remuneration incentives are heavily weighted to earnings
measures. The audit committee should recognise when these conditions are present and where necessary
receive what they hear with proIessional scepticism.
Unusual and complex transactions
The audit committee should assess the treatment oI any unusual or complex transactions. In addition to
the considerations with respect to critical accounting policies, judgements and estimates, the audit
committee should understand:
o the business rationale Ior the transaction;
o how the transaction disclosed in the Iinancial statements and whether such disclosure is
appropriate;
o the impact on the comparability oI Iinancial position and perIormance with respect to past and
Iuture periods; and
o any Iactors surrounding the accounting Ior any unusual transaction.
Completeness, clarity and transparency
The audit committee should assess the completeness, clarity and transparency oI the Iinancial statements
and related disclosures, by considering and making enquiries as to whether the Iinancial disclosures
Luxembourg: A recommendation Irom the Luxembourg Stock Exchange states that each director
should consult the chairman oI the audit committee or, iI not, the chairman oI the board in the event
oI uncertainty as to the nature oI an operation or transaction likely to result in a conIlict oI interest. In
the event oI a declared conIlict oI interest, the operation or transaction concerned should be submitted
by the director concerned, aIter the chairman oI the board, the audit committee, the auditor or an
external expert have been inIormed, iI possible prior to its realisation. The opinion oI the latter
should be communicated to the board.
AudIt CommIttee CuIdance
1
consistently reIlect the institution`s Iinancial position and perIormance; and whether the Iinancial
statement note disclosures are clear and complete?
Management and the external auditor can greatly assist the audit committee in understanding and
assessing these matters by providing the committee with clearly written communications, augmented
with Iace-to-Iace discussions.
In addition to the Iinancial statements, the audit committee should review, wherever practicable, other
statements containing Iinancial inIormation where supervisory board approval is required (Ior example,
summary Iinancial statement, signiIicant Iinancial returns to regulators and release oI price sensitive
inIormation such as analysts presentations). The audit committee should adopt the same approach to
reviewing these disclosures as it does to assessing the Iinancial statements.
The French Stock Exchange Authority (AMF) clariIied the nature oI the inIormation
included in the Company`s 'Iinancial communication. It notably includes inIormation to regulators,
press releases and accompanying presentations on interim inIormation or on sensitive/signiIicant
operations, Iorecasts, inIormation about the risks whatever the document is.
According to this clariIication, the audit committee should check the existence oI preparation
procedures relating to the issuance oI press releases on interim Iinancial inIormation. The Board
might request the audit committee to review the releases. In this case, the audit committee should
check the consistency oI the released Iinancial inIormation with the Iinancial statements. The Board
might also ask the audit committee Ior its opinion on the content oI the diIIerent documents (MD&A,
report oI the chairman oI the board on the operations oI the Board and on internal controls), where
inIormation about the risks are disclosed. The audit committee should check the consistency oI the
inIormation Irom one document to another. On other statements, the Board might submit them to the
audit committee Ior the purpose oI its tasks.
AudIt CommIttee CuIdance
20
Chapter 4: Monitoring the effectiveness of internal control and risk
management systems
It is important that risk management and control are not seen as a burden on the institution, but rather the
means by which opportunities are maximised and potential losses associated with unwanted events
reduced.
Risks maniIest themselves in a range oI ways and the eIIect oI risks crystallising may have a positive as
well as a negative outcome Ior the institution. It is vital that those responsible Ior the stewardship and
management oI an institution be aware oI the best methods Ior identiIying and subsequently managing
such risks.
Internal controls are one oI the principal means by which risk is managed. Other devices used to manage
risk include the transIer oI risk to third parties, sharing risks, contingency planning and the withdrawal
Irom unacceptably risky activities. Institutions can accept risk, but need to do so objectively and
transparently and within the governing body`s policy regarding risk appetite.
The risks Iacing institutions are continually changing and the system oI internal control should be
responsive to such changes. EIIective risk management and internal control are thereIore reliant on a
regular assessment oI the nature and extent oI risks.
Reviewing the eIIectiveness oI internal control and risk management systems is an essential part oI the
board's/supervisory body`s responsibility. The audit committee can and, as required by the Directive,
should assist the board in IulIilling that responsibility.
Traditionally, audit committees have been concerned with the oversight oI internal Iinancial controls.
However, the requirement in the Directive is drawn much wider in that it imposes a duty on the audit
committee to monitor the eIIectiveness oI internal control and risk management systems in their entirety.
This goes beyond the Iinancial reporting process and encompasses the system oI risk and control
associated with other areas such as operational matters and compliance with laws and regulation.
The precise role oI the audit committee in the review process should be Ior the board / supervisory body
to decide and will depend upon Iactors such as the size and composition oI the board; the scale, diversity
and complexity oI the company's operations; and the nature oI the signiIicant risks that the company
Iaces. In practice many boards create risk committees to look at aspects oI risk management. OIten this is
an executive (or management) committee reporting directly to the board or audit committee; but non-
executive board/supervisory board committees are becoming more common in some Member States. In
such circumstances it is usual Ior the board risk committee to (on behalI oI the board) concern itselI with
issues associated with risk strategy and risk appetite; whereas the audit committee would continue to
provide oversight over the systems and processes providing assurance over the systems oI risk
management and internal control. Whatever the precise arrangements are, it is important that the audit
committee liaises closely with any risk committee or other relevant body such as a compliance
committee or credit committee etc.
Without prejudice to the responsibility oI the members oI the administrative, management or
supervisory bodies, or oI other members who are appointed by the general meeting oI shareholders oI
the audited entity, the audit committee shall, inter alia...
(b) monitor the eIIectiveness oI the company's internal control, internal audit where applicable, and
risk management systems.
Article 41(2) 8
th
Company Law Directive of the European Union
AudIt CommIttee CuIdance
21
To the extent that the audit committee does monitor the eIIectiveness oI the company's internal control
and risk management systems on behalI oI the board, the results oI the committee`s deliberations should
be reported to, and considered by, the board. The board will need to Iorm its own view on eIIectiveness
based on the inIormation and assurances provided to it by the audit committee, exercising the standard oI
care generally applicable to directors in the exercise oI their duties.
The company`s management is responsible Ior the identiIication, assessment, management and
monitoring oI risk, Ior developing, operating and monitoring the system oI internal control and Ior
providing assurance to the board that it has done so. The audit committee`s role as set out in the
Directive is to monitor the eIIectiveness oI the company's internal control and risk management systems
this is not an executive Iunction that properly belongs to management; rather the committee is aiming
to satisIy itselI that management has properly IulIilled its responsibilities.
The audit committee should, on a regular basis, receive reports Irom management on the eIIectiveness oI
the systems they have established and the conclusions oI any testing carried out by internal and external
auditors. In assessing the adequacy oI such arrangements, the audit committee needs to establish:
o the degree to which management has assumed ownership Ior risk and control;
o how key business risks are identiIied, evaluated and managed;
o whether the controls are Iit Ior purpose and working as intended; and
o the rigour and comprehensiveness oI the review process.
By asking probing questions about risk management, the audit committee can help bring clarity to the
process used to manage risk and the assignment oI accountabilities to monitor and react to changes in the
organisation's risk proIile.
Monitoring the effectiveness of internal control and risk management systems
The audit committee should deIine the process to be adopted Ior its review oI the eIIectiveness oI
internal control and risk management systems. This should encompass both the scope and Irequency oI
the reports it receives Irom management, internal audit and the statutory auditor.
The reports Irom management should, in relation to the areas covered by them, provide a balanced
assessment oI the signiIicant risks and the eIIectiveness oI the system oI internal control in managing
those risks. Any signiIicant control Iailings or weaknesses identiIied should be addressed, including the
impact that they have had, or may have, on the company and the actions being taken to rectiIy them. It is
essential that there be openness oI communication by management with the audit committee on matters
relating to risk and control.
When reviewing reports Irom management the audit committee should consider:
o what the signiIicant risks are and assess how they have been identiIied, evaluated and managed;
o the eIIectiveness oI the related system oI internal control in managing the signiIicant risks,
having regard in particular to any signiIicant Iailings or weaknesses in internal control that have
been reported;
o whether necessary actions are being taken promptly to remedy any signiIicant Iailings or
weaknesses;
o whether the Iindings indicate a need Ior more extensive monitoring oI the system oI internal
control; and
o the extent and Irequency by which matters are communicated to the committee and whether it
enables the committee to build up a cumulative assessment oI the state oI control in the company
and the eIIectiveness with which risk is being managed.
AudIt CommIttee CuIdance
22
The committee should also consider the incidence oI signiIicant control Iailings or weaknesses that have
been identiIied at any time during the period whether by management, auditors or other - and the extent
to which they have resulted in unIoreseen outcomes or contingencies that have had, could have had, or
may in the Iuture have, a material impact on the company's Iinancial perIormance or condition.
Should the audit committee become aware oI any such signiIicant Iailing or weakness in the internal
control or risk management systems, it should (unless the expressly addressed by the board/supervisory
body or other relevant board committee) determine how the Iailing or weakness arose and reassess the
eIIectiveness oI management's ongoing processes Ior designing, operating and monitoring the internal
control and risk management systems.
Assurance
As well as receiving reports Irom management, the audit committee should ensure that appropriate
assurance exists in respect oI the eIIectiveness oI material aspects oI the internal control and risk
management systems - here the audit committee will look to internal audit, the statutory auditor and other
assurance providers.
Fraud and whistleblowing
As part oI its wider remit to monitor the eIIectiveness oI internal control and risk management systems,
the audit committee should review arrangements by which employees (and others) may, in conIidence,
raise concerns about possible improprieties in matters oI Iinancial reporting or other matters. The audit
committee`s objective should be to ensure that arrangements are in place Ior the proportionate and
independent investigation oI such matters and Ior appropriate Iollow-up action.
When reviewing whistle-blowing procedures, the audit committee might consider the Iollowing
questions:
o Are whistle-blowing procedures documented and communicated throughout the institution?
o Does the policy make clear that it is both saIe and acceptable Ior employees (and others) to raise
concerns about wrongdoing?
o Were whistle-blowing procedures arrived at through a consultative process? Do employees buy
in to the process?
o Are concerns raised by employees responded to with a reasonable time Irame?
o Are procedures in place to ensure that all reasonable steps are taken to prevent the victimisation
oI genuine whistle-blowers?
o Are there procedures to ensure that all reasonable steps are taken to keep the identity oI whistle-
blowers conIidential?
o Has a senior person been identiIied to whom conIidential concerns can be disclosed? Does this
person have the authority and determination to act iI concerns are not raised with, or properly
dealt with, by management?
o Are success stories publicised?
o Do senior management understand how to act iI a concern is raised? Do they recognise that
employees have the right to blow the whistle?
o Has consideration been given to the use oI an independent advice centre as part oI the whistle-
blowing procedure?
AudIt CommIttee CuIdance
23
Chapter 5: Monitoring the effectiveness of internal audit
The audit committee should annually review the need Ior an internal audit Iunction and, where such a
Iunction exists, its eIIectiveness. Designed and deployed eIIectively, internal audit can have a positive
impact on the control environment oI an organisation and the eIIective design and operation oI internal
control. Internal audit can also play a signiIicant role in supporting the audit committee through the
provision oI assurance as to whether the controls implemented by management are Iit Ior purpose and
working as intended.
The need Ior an internal audit Iunction will vary depending on company speciIic Iactors including the
scale, diversity and complexity oI the company's activities and the number oI employees, as well as
cost/beneIit considerations. When undertaking its assessment oI the need Ior an internal audit Iunction,
the audit committee should also consider whether there are any trends or current Iactors relevant to the
company's activities, markets or other aspects oI its external environment which have increased, or are
expected to increase, the risks Iaced by the company. Such an increase in risk may also arise Irom
internal Iactors such as organisational restructuring or Irom changes in reporting processes or underlying
inIormation systems. Other matters to be taken into account may include adverse trends evident Irom the
monitoring oI internal control systems or an increased incidence oI unexpected occurrences.
In the absence oI an internal audit Iunction, management needs to apply other monitoring processes in
order to assure itselI, the audit committee and the board that the system oI internal control is Iunctioning
as intended. In these circumstances, the audit committee will need to assess whether such processes
provide suIIicient and objective assurance.
Establishing and maintaining an effective internal audit function
Internal audit can be resourced either through an in-house Iunction or an external service provider. The
decision as to which is appropriate will usually be driven by the availability oI appropriate skills and the
breadth and depth oI experience to cover the company`s business operations adequately. The cost
implications oI each approach may diIIer signiIicantly.
Where an internal audit Iunction exists, the audit committee should participate in the appointment,
promotion or dismissal oI the chieI internal auditor, and help determine the required qualiIications,
Without prejudice to the responsibility oI the members oI the administrative, management or
supervisory bodies, or oI other members who are appointed by the general meeting oI shareholders oI
the audited entity, the audit committee shall, inter alia...
(b) monitor the eIIectiveness oI the company's internal control, internal audit where applicable, and
risk management systems.
Article 41(2) 8
th
Company Law Directive of the European Union
Belgium: With respect to Iinancial institutions, the Belgian Act states that 'the audit committee has
to monitor the eIIectiveness oI the internal audit. This implies that Iinancial institutions should have
an internal audit as audit committees can only monitor the eIIectiveness oI the internal audit iI it
exists.
AudIt CommIttee CuIdance
24
reporting obligations and compensation. The audit committee should also help to ensure internal audit
has access to all appropriate persons both at board level and within the company.
The audit committee should be involved in developing and approving internal audit's remit, goals and
mission, to be certain oI its proper role in the oversight Iunction. Collaboration with both management
and internal audit in developing internal audit`s remit should help ensure a proper balance between the
assessment oI internal control over Iinancial reporting and any responsibilities Ior operational eIIiciency,
risk management and other special projects.
The audit committee should also ensure that the internal audit Iunction has adequate resources and access
to inIormation to enable it to IulIil its mandate, and is equipped to perIorm in accordance with
appropriate proIessional standards Ior internal auditors. The audit committee should pay particular
attention to the experience and resources within the internal audit Iunction in times oI crisis and ensure
the internal audit budget and activities are not inappropriately curtailed as a result oI cost cutting
exercises.
Reviewing the work of the internal audit function
In its review oI the work oI the internal audit Iunction, the audit committee should, inter alia:
o ensure that the internal auditor has direct access to the board chairman and to the audit
committee and is accountable to the audit committee;
o Internal audit should retain a degree oI independence Irom management. The chieI internal
auditor should report directly into the executive board, i.e. to the CFO or ideally the CEO;
but also have a clear line oI responsibility to the audit committee. The audit committee
should have processes in place to Iacilitate conIidential exchanges with the internal auditor,
with regular meetings scheduled between the audit committee and the chieI internal auditor.
o review and assess the annual internal audit work plan;
o receive a report on the results oI the internal auditors` work on a periodic basis;
o review and monitor management`s responsiveness to the internal auditor`s Iindings and
recommendations;
o meet with the head oI internal audit at least once a year without the presence oI management;
and
o monitor and assess the role and eIIectiveness oI the internal audit Iunction in the overall
context oI the company`s risk management system.
Relationship with the statutory auditor
The audit committee should ensure that there is a constructive relationship between the internal audit
Iunction and statutory audit. While each audit Iunction provides independent assurance, the audit
committee should, where appropriate, seek to ensure that the internal audit Iunction and statutory auditor
co-ordinate their audit eIIort and avoid duplication.
AudIt CommIttee CuIdance
25
Chapter 6: Monitoring the statutory audit
Monitoring the statutory audit and the relationship with the statutory auditor is an important part oI the
audit committee`s role.
Maintaining an effective relationship
The statutory auditor and audit committee should have a strong and candid relationship anything less
may limit the committee`s eIIectiveness in achieving its oversight responsibilities. The audit committee
should establish that the auditor is directly accountable to the audit committee and, through it, to the
board/supervisory body and ultimately the company`s shareholders. The audit committee should make
sure its actions and communications with the statutory auditor are consistent with this accountability
the statutory auditor should never Ieel that its primary responsibility is to executive management.
Reviewing the audit plan
The audit committee should determine that an appropriate audit plan is in place. It should careIully
consider the appropriateness oI the business risks identiIied by the statutory auditor and whether, because
oI the audit committee`s own knowledge oI the organisation`s risk environment, other risks should also
be taken into account.
This Iocus applies both at a strategic level - those risks that are Iundamental to the achievement oI the
entity`s strategy - and at the more detailed operational level: those risks that aIIect day-to-day operations,
the recognition oI revenue and costs, the custody and value oI assets, and the completeness oI
recognition oI liabilities.
In general terms, the audit committee should understand:
o the areas where the statutory auditor intends to perIorm detailed substantive testing and those
areas where the auditor intends to rely on internal controls;
o whether divisions or subsidiaries receive adequate coverage, particularly those that are remote
either geographically or culturally; and
o whether other audit Iirms are involved in auditing speciIic geographic locations or group entities.
The audit committee should also seek to understand whether, and to what extent, the statutory auditor is
content to rely on the work oI the internal auditors in support oI their audit work; and whether they will
be reviewing the work oI the internal auditor.
The audit committee and the statutory auditor should agree upon an appropriate audit timetable. Major
issues should not be raised Ior the Iirst time at the meeting at which the audit committee intends to
recommend the approval oI the Iinancial statements rather audit Iindings should be reviewed on an
ongoing and timely basis, Ior example, aIter the interim audit work. The chairman oI the audit committee
should talk with the statutory auditor in advance oI each meeting so that audit committee members can
Without prejudice to the responsibility oI the members oI the administrative, management or
supervisory bodies, or oI other members who are appointed by the general meeting oI shareholders oI
the audited entity, the audit committee shall, inter alia ....
(c) monitor the statutory audit oI the annual and consolidated accounts.
Article 41(2) 8
th
Company Law Directive of the European Union
AudIt CommIttee CuIdance
26
be directed to matters oI substance. One would expect the relationship with the auditor to be such that, iI
there are serious concerns, the auditor will bring them to the audit committee's attention promptly.
Management representations
During an audit, the auditor receives many representations, either unsolicited or in response to speciIic
enquiries. The audit committee should review written representations by management or by the
supervisory board as a whole. Representation letters may cover matters such as:
o conIirmation that all accounting records have been made available, all transactions properly
recorded in the accounting records, and all other records and related inIormation made available;
o management`s plans or intentions that may aIIect the carrying value oI assets and liabilities;
o knowledge oI events that have occurred subsequent to the balance sheet date that would require
adjustment to the Iinancial statements;
o presentation and disclosure oI the Iair value measurement oI material assets, liabilities and
components oI equity;
o knowledge oI Iraud, or suspected Iraud, aIIecting the company;
o conIirmation that the eIIects oI uncorrected Iinancial statement misstatements are immaterial;
o conIirmation that all inIormation provided regarding related parties is complete.
The audit committee should give particular consideration to matters that relate to non-routine or unusual
issues. It should consider whether the inIormation provided is complete and appropriate based on its own
knowledge.
Reviewing the audit findings
The audit committee should review the statutory auditor`s Iindings, including any changes in audit
approach or any modiIication to the statutory audit report. In particular, the audit committee should
discuss with the statutory auditor both major issues that arose during the course oI the audit and have
subsequently been resolved and those issues that have been leIt unresolved - obtaining explanations
about why certain errors might remain uncorrected. Consideration oI those issues that have subsequently
been resolved and uncorrected misstatements that are not material in the context oI the Iinancial
statements, can provide insight into the appropriateness oI the system oI internal control, or be indicative
oI management`s approach to the preparation and presentation oI Iinancial inIormation.
The audit committee should also have a Irank and open dialogue around the quality and acceptability oI
corporate reporting, including, Ior example:
o the appropriateness oI the accounting policies to the particular circumstances oI the company;
o the timing oI transactions and the period in which they are recorded;
o the appropriateness oI accounting estimates and judgements;
The statutory auditor or audit Iirm shall report to the audit committee on key matters arising Irom the
statutory audit, and in particular on material weaknesses in internal control in relation to the Iinancial
reporting process.
Article 41(4) 8
th
Company Law Directive of the European Union
AudIt CommIttee CuIdance
27
o the potential impact oI any uncertainties, including signiIicant risks and exposures, such as
pending litigation;
o material uncertainties that may cast doubt on the company`s ability to continue as a going
concern;
o the extent to which the Iinancial statements are aIIected by unusual transactions;
o inconsistencies between the Iinancial statements and any other inIormation in the document
containing the Iinancial statements Ior example, narrative reporting;
o the overall balance and clarity oI the Iinancial statements; and
o the design and operation oI the company`s internal control and risk management systems (see
below).
Internal control
The EU Directive requires the statutory auditor to report to the audit committee on key matters arising
Irom the audit including any material weaknesses in internal control in relation to the Iinancial reporting
process.
A material weakness` is not deIined in the Directive, but it is thought that the intention oI the legislation
is consistent with requirements set out in International Auditing Standards (see below). The key
consideration is that the auditor is reporting on matters that arose during the course oI their Iinancial
statements audit rather than an audit speciIically designed to enable the auditor to express an opinion on
management's assessment of the effectiveness of the company's internal controls such as that required
by section 404 of the Sarbanes Oxley Act (SOX 404).
International Auditing Standards acknowledge that statutory auditors only consider internal control and
risk management systems to the extent necessary Ior them to Iorm their opinion oI the Iinancial
statements. However, where the auditor identiIies deIiciencies in internal control during their audit and
judge such deIiciencies to be signiIicant, International Auditing Standards require the auditor to report
their Iindings in writing to the audit committee on a timely basis.
In this context, a signiIicant deIiciency in internal control is a deIiciency or combination oI deIiciencies
in internal control that, in the auditor's judgment, is oI suIIicient importance to merit the attention oI the
audit committee. A deIiciency in internal control exists when:
Belgium: The Belgian Act explicitly requires that the audit committee monitors the statutory audit oI
the annual and consolidated accounts 'including the Iollow-up oI questions raised by the statutory
auditor.
The statutory auditor or audit Iirm shall report to the audit committee on key matters arising Irom the
statutory audit, and in particular on material weaknesses in internal control in relation to the Iinancial
reporting process.
Article 41(4) 8
th
Company Law Directive of the European Union
France - The French Stock Exchange Authority (AMF) sets out that the audit committee should also
discuss with the statutory auditors any diIIiculties they have potentially Iaced during the course oI
their audit.
AudIt CommIttee CuIdance
28
o A control is designed, implemented or operated in such a way that it is unable to prevent, or
detect and correct, misstatements in the Iinancial statements on a timely basis; or
o A control necessary to prevent, or detect and correct, misstatements in the Iinancial statements
on a timely basis is missing.
It should be noted that in relation to SOX 404, both the SEC and PCAOB deIine a material weakness as
'a deIiciency, or a combination oI deIiciencies, in internal control over Iinancial reporting, such that
there is a reasonable possibility that a material misstatement oI the company`s annual or interim Iinancial
statements will not be prevented or detected on a timely basis - a more high-level` test than the
signiIicant deIiciency deIinition within International Auditing Standards.
Where signiIicant deIiciencies in internal control are identiIied by the statutory auditor, the audit
committee should expect to receive a description oI the deIiciencies and an explanation oI their potential
impact including suIIicient inIormation to enable the audit committee (and management) to understand
the context oI the report, such as:
o The purpose oI the audit was Ior the statutory auditor to express an opinion on the Iinancial
statements;
o The audit included consideration oI internal control relevant to the preparation oI the Iinancial
statements in order to design audit procedures that are appropriate in the circumstances, but not
Ior the purpose oI expressing an opinion on the eIIectiveness oI internal control; and
o The matters being reported are limited to those deIiciencies that the auditor has identiIied during
the audit and that the auditor has concluded are oI suIIicient importance to merit being reported
to the audit committee.
The audit committee should also expect the statutory auditor to report the Iollowing to management at an
appropriate level oI responsibility on a timely basis:
o signiIicant deIiciencies in internal control that the auditor has reported (or intends to report) to
the audit committee (unless it would be inappropriate to communicate directly to management in
the circumstances); and
o any other deIiciencies in internal control identiIied during the audit that have not been
communicated to management by other parties and that, in the auditor's proIessional judgment,
are oI suIIicient importance to merit management's attention.
Management should provide written responses to any recommendations made or issues raised by the
statutory auditor and, as part oI the ongoing monitoring process, the audit committee should review and
monitor management`s response to the auditors` Iindings and recommendations, to ensure that
appropriate action is taken in a timely manner.