The culture of compliance is rapidly evolving, and while public companies have been directly impacted, private companies, governments, and not-for-profits are also feeling the effects of change. Governing bodies are directly responsible for organizational governance and oversight; however, a well-functioning audit committee can be a substantial component in improving overall governance and compliance.
Should you have an audit committee?
Effective governance requires accountability, which necessitates oversight by either the board or another authorized body. The most common way to achieve this oversight is by implementing either a standing audit committee or an audit task force (read on to learn about task forces).
Typical responsibilities can include:
- Overseeing the financial reporting and disclosure process.
- Monitoring the choice of accounting policies and principles.
- Overseeing the hiring, performance, and independence of the external auditors.
- Overseeing regulatory compliance, ethics, and whistle-blower hotlines.
- Discussing risk management policies and practices with management.
- Receiving audit results, both internal and external.
One key benefit of having a separate audit committee is developing an independent relationship with the external auditor. Adequate separation from client personnel avoids the appearance of a conflict of interest both for the auditee and the auditor. In addition, an audit committee may have an unbiased ability to question management and the opportunity to play an independent role in the prevention, deterrence, discovery, and investigation of fraud.
A separate audit committee also allows for further distribution of work that would normally fall on an executive or finance committee (which might be more appealing to members who want to participate in audit governance but don’t want the additional responsibilities of other committees) and provides added confidence in the quality of financial information, given the additional “set of eyes.”
Consider the pros and cons of your specific situation to determine the level of oversight necessary before making a decision to implement an audit committee. It will be important to set expectations early and document clearly defined roles and responsibilities in either the bylaws of the organization or a committee charter in order for the committee to have the best chance to be valuable to the organization.
Audit Committee Alternatives
A separate audit committee is not always feasible when considering time or resource restraints. Some organizations combine the finance and audit committee responsibilities, which makes sense when the governing board is small with limited resources. It also allows those with the most financial expertise to apply their skills in understanding and accepting responsibilities for the audited financial statements. In addition to the typical audit committee responsibilities, a shared committee structure also ensures the following:
- Budgets and financial statements are prepared and communicated properly.
- Processing is done according to policy and within internal controls.
- Independent oversight occurs.
Other organizations select individuals to serve on a “task force” or ad hoc committee that assembles only during times of need. Best practice dictates that this group of individuals should not consist of members employed by the auditee in order to avoid any independence concerns or conflicts of interest. Such individuals could be members of the community, investors, or other key stakeholders but should have an appropriate understanding of the organization, including financial reporting practices and requirements, and a proper attitude for accountability and oversight.
Auditor Communications – Vital to Effective Governance
One of the more important responsibilities in relation to the independent financial statement audit is the communications with the external auditors. One of the key written deliverables that auditors provide at the conclusion of the audit is an “audit communications letter.” This letter is addressed to the governing body and audit committee or alternative, whichever is functioning in that oversight role. The audit communication letter provides a series of required communications that need to be made with those in charge of governance as part of the audit.
The audit communications letter must include discussion of certain internal control deficiencies that have been identified during the audit. These deficiencies are known as material weaknesses and significant deficiencies. Auditing standards require the auditor to communicate these deficiencies in writing. The definitions are as follows:
Material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis.
Significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
A central component to understanding these definitions is the notion of materiality. Audit procedures are designed to produce reasonable, but not absolute, assurance that there are no material misstatements. Internal control deviations need to be evaluated based on established materiality thresholds in terms of their potential impact on the financial statements.
In addition to these deficiencies, the auditor may communicate other audit findings or issues that do not fall into these categories but do warrant communication with those in charge of governance. These are generally referred to as other matters. The inclusion of other matters is based on the professional judgement of the auditor.
It can be difficult interpreting technical auditor communications, but fortunately, maintaining an open and honest relationship with the independent auditors will allow for a thoughtful dialogue to ensure that all parties understand the cause and effect of the deficiencies. This will pave the way for identifying an appropriate response and implementing adequate corrective action if necessary.
To place priorities in a corrective action process, there are numerous questions that an audit committee should ask. Questions to consider include the following:
- Who identified the issue, and what is the root cause?
- What length of time has the deficiency existed?
- What are the financial, regulatory, or compliance implications?
- Are there other controls that mitigate this risk?
- Does management have a plan to correct the deficiency, how responsive are they to correcting the issue, and is there an appropriate “tone at the top”?
- Are there concerns that fraud or an illegal act was involved?
- Would it be of benefit to consult with experts outside the organization to aid in the solution of correcting the deficiency?
Cooperating with management is imperative to setting the course for successful implementation of corrective action. Management should work closely with the audit committee to provide realistic solutions for deficiencies. The audit committee can then focus on monitoring compliance going forward. After working through this process, a solid foundation should be in place to effectively resolve the issues identified during the audit.