The audit committee agenda is ever increasing as a result of continuing business and economic pressures, an increased regulatory and governance focus, and from greater demands from boards to provide oversight and report on matters within their remit. Priorities of the audit committee therefore need to evolve and be focused to meet the needs of the board and of stakeholders. Bernard Barron FCA considers that the following matters should be high on the list of priorities of audit committees in 2015.
A focused agenda
Experience with audit committees has shown that the remit of the audit committee includes a wide range of areas from oversight of external and internal audit and financial reporting matters to internal control systems review, risk management, and legal and regulatory compliance matters. This could potentially lead to a situation where members do not have sufficient time to question and debate agenda items. The agenda of the audit committee should be critically reviewed to ensure that it is sufficiently focused and that the audit committee has sufficient time and expertise to consider and debate agenda items during meetings.
Financial reporting and internal controls
Considering the wide range of responsibilities with which the committee is charged, the audit committee should not lose sight of its core responsibility of oversight of the financial control and reporting requirements of the organisation. The volatile and changing economic and regulatory environment requires continuous focus.
To this end the audit committee needs to stay appraised of key regulatory changes that can impact on the organisation now and in the future. These include changes in legislation such as the Companies Act 2014 and taxation changes in Finance Acts. They also include changes in financial reporting requirements, including implementation of any relevant amendments to International Financial Reporting Standards and, in the case of some companies, a change in the accounting framework (such as Financial Reporting Standards 100-102 which are effective for the first time for periods beginning 1 January 2015.)
Legislation is also expected to become applicable in the member states of the European Union in 2016 that will bring about significant changes to the audit market. Specific provisions in relation to mandatory audit firm rotation and restrictions on the provision of non-audit services will require careful planning. The audit committee needs to appraise themselves of the impact on the organisation and on the functioning of the audit committee and possible policy and procedural changes that may be required.
Cybersecurity and data protection risk
Recent media coverage of cybersecurity breaches reminds us that this risk should be high on the agenda of the audit committee for 2015. The audit committee needs a clear understanding of what their cybersecurity risks are, how they are managed, whether internal controls, policies and procedures are adequate to mitigate the risks, the categories of data that are held and whether data is held that should be destroyed. The audit committee should also consider whether the organisation has sufficient skills and expertise to manage this risk or whether specialist skills should be called in to provide support.
Getting optimum value from the internal audit function
As a result of their position and function in the organisation, internal audit can be a valuable resource to the audit committee. A highly effective, experienced and well-resourced internal audit function (either in-house, co-sourced or outsourced) can help the audit committee in providing assurance concerning the operation of financial and operational controls in the organisation. The role of internal audit extends beyond that of focusing on financial controls and should provide assurance and guidance to the audit committee on other high risk areas such as risk management, business continuity planning, data security and management, corporate governance, fraud, human resource management, whistleblowing policy, conflict of interest declarations and many more areas. To achieve this, the audit committee needs to ensure:
- A close working relationship with the head of internal audit.
- Review and approve the annual risk-based internal audit plan to ensure that it is aligned with the strategy and priorities of the organisation.
- Clearly communicate their reporting requirements and information needs to the head of internal audit.
- Monitor the quality of internal audit work and reports.
- Assess the skills and resources of internal audit to deliver on their remit.
- An external review of internal audit is performed at least every five years
- Clear mapping of integration of assurance from various providers (internal and external)
Self-evaluation of the Audit Committee
These audit committee priorities may not be applicable to the same extent to every organisation. Audit committees are recommended under corporate governance guidance (*) to evaluate their own performance annually and the questions that each audit committee must ask to identify their own specific priorities for 2015 include:
- Has the audit committee sufficient expertise to enable it to carry out its duties in a competent manner particularly in areas such as finance, audit, risk management, IT and governance
- Is the committee sufficiently knowledgeable about and comfortable with the viability of the business model and strategy?
- Is there diversity in the committee’s membership to cover the range of responsibilities?
- Does the committee focus on the critical risks to the achievement of the organisation’s strategy?
- Is there understanding of the real culture of the business?
- Is there sufficient challenge of reports and of management?
- Are the resources available to the committee being used effectively, such as internal audit?
- How does committee assess the effectiveness of the internal and external auditor?
- Have the charters of the audit committee and internal audit been updated annually to ensure that they remain relevant?
(*) Guidance on Audit Committees published by the UK Financial Reporting Council
The priorities for the audit committee in 2015 will need to reflect the increased expectations of their boards and stakeholders. In order to properly carry out their responsibilities there needs to be a continuing self appraisal by the audit committee of how it prioritises matters for its agenda. This should include an evaluation of its members’ competencies, skills and experience in the key responsibility areas. In this way there will be a higher level of assurance provided about the ability of the organisation to achieve its strategy.
Bernard Barron FCA is a Partner in Mazars, specialising in governance, audit and internal control. He is a member of a number of Audit Committees in the public and private sectors.
Block 3 - Harcourt Centre,
t: 01 449 44 00