
Audit Committee Good Practices

This whitepaper discusses good practices for audit committees to maximize their effectiveness. It recommends that audit committees have an unrestricted mandate defined in a charter approved by the governing body. It also suggests that committees have a skills-based membership collectively covering financial, technology, risk, audit, and industry expertise. Further, the paper states that new members should receive comprehensive induction to understand their role and responsibilities.

Uploaded by

Fabiha Rizvi

Connect Support Advance

Whitepaper

Audit Committee
Good Practices
May 2023

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E [email protected] www.iia.org.au

© 2022 - The Institute of Internal Auditors - Australia


Contents

Background
- Purpose
- Background
Discussion
- Issue
- History
- What are Audit Committee Good Practices?
Conclusion
- Summary
- Conclusion
Bibliography and References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Background

Purpose

This White Paper has been written to describe ideas around good practices that can be applied to an audit committee to maximise audit committee effectiveness and value.

Background

The concept of audit committees has evolved over time. From a basic mandate primarily covering the financial statement process and internal audit, the audit committee scope of work has grown exponentially as corporate governance expectations have increased.

These days an audit committee is expected to cover the whole range of an organisation’s governance and assurance environment or it is not doing its job properly.

Discussion

Issue

The issue to be discussed is:

What good practices can be applied to an audit committee’s operations to maximise its effectiveness and value to influence optimum governance and assurance with its organisation?

History

An audit committee is a committee established by the governing authority of an organisation. In a corporate organisation it is a committee of the board of directors. In the absence of a board, it is an advisory committee for the governing authority (the organisation head) operating under delegation of authority. Its objectives should be clearly defined and documented in a charter or terms of reference, and its efficiency and effectiveness measured by reference to its objectives.

An independent audit committee is a fundamental component of good corporate governance. An audit committee is regarded as ‘independent’ when it is composed of individuals who are not part of management of the organisation or of a related organisation.

An audit committee typically:

› Focuses on issues relevant to the integrity of an organisation’s financial and performance reporting.
› Oversees the financial statement process, internal audit, governance, risk management, internal control and compliance.
› Liaises with the governing authority, internal auditors, external auditors and management.

Some organisations establish one committee with responsibility for all these tasks, such as an audit and risk management committee. Larger entities may establish more than one committee, such as an audit committee / risk and compliance committee / health and safety committee / environmental committee depending on the nature and extent of the organisation’s operations.

While multiple committees may manage different aspects of organisation risk, it is good practice to enable the audit committee to obtain a comprehensive overview of governance and assurance activities.

© 2023 - The Institute of Internal Auditors - Australia 2


What are Audit Committee Good Practices?

Unrestricted Audit Committee Mandate

To provide an audit committee with the authority it needs to operate effectively, its objectives should be clearly defined and documented in a charter or terms of reference approved by the governing authority. The mandate should not be restricted in any way, with no part off limits to the audit committee. An audit committee charter should include such things as:

› Introduction
› Mandate
› Purpose
› Role
› Authority
› Composition
› Terms of Appointment
› Quorum
› Operational Principles – committee values / communications / induction / preparation and attendance / conflict of interest
› Operational Procedures – meetings / committee work plan / private sessions / secretariat services
› Committee Reporting
› Evaluation of Performance
› Review of the Charter
› Approval of the Charter

The audit committee charter should be formally approved by the board or governing authority. It should also be publicly available on the organisation’s website.

Independence

An audit committee needs to be independent of management. This means an audit committee should have a majority of independent members, one of whom is the independent chair.

Some audit committees include representatives of the organisation’s internal management – this is not a recommended practice. While it can bring insights from within the organisation to audit committee deliberations, it can potentially place those internal members in a difficult position as part of management most of the time and part of an ‘independent’ audit committee a small part of the time.

Skill-Based Membership

It is not expected each audit committee member will hold all relevant professional, industry and governance related skills – rather these skills should be held collectively by the audit committee as a whole. For this reason, it is important to seek a range of people with different skills to ensure the audit committee covers everything it needs to cover. An individual member may encompass a number of skill areas. Membership should include:

› Financial management skills – A serving or retired chief financial officer with in-depth skills in financial management and accounting standards can be a good fit.
› Technology skills – This is especially important these days given cybersecurity risk.
› Risk management skills – Gained as a risk management practitioner.
› Internal audit skills – In-depth skills in internal audit professional practice.
› Industry knowledge – Gained working in the organisation’s industry sector.

Refer IIA-Australia Factsheet ‘Establishing a Skills-Based Audit Committee’.

Induction and Orientation

‘Induction’ is the process of welcoming new employees into an organisation and officially making them a part of the work environment. ‘Orientation’ is a more formal process that occurs after induction to help employees adjust to their role and the new work environment they are coming into.

There should be a comprehensive induction for new audit committee members. While provision of key organisation documents is important, that is just a start. The induction process should also include:

› Introductions and briefings with the chief executive and executive management.

› Discussions with the external auditor, chief audit executive and chief risk officer.
› Tours of key facilities such as buildings, facilities, critical infrastructure, operations and data centres.

Annual Meeting Planner

An audit committee meeting planner lists what audit committee meetings will cover over the year and includes:

› Standard agenda items – Items that should be examined at every or most audit committee meetings. This would include a risk management update and an internal audit progress report.
› Special agenda items – items that generally operate over the year are examined once per year. For example, the internal audit plan may be tabled for approval prior to start of the financial year so it can be ready to launch in the new financial year. Likewise, the annual financial statements and external audit report would be scheduled in the first meeting after financial year close.

Refer IIA-Australia Factsheet ‘Audit Committee Work Plan’.

Financial Statements Sub-Committee

The financial statement process performed by the chief financial officer, in-house finance staff and the external auditor generally runs a few months before financial year-end and then after year-end.

A problem for an audit committee when performing its financial statement role is that it only meets periodically. This means the audit committee is expected to be ‘all over’ and fully understand the financial statements but has a compressed timeframe to do this when the statements are finalised and due for signing. This places a lot of pressure on audit committees. In some organisations, an audit committee sees the financial statements out-of-session or after they have been signed which is not ideal.

To overcome this problem, some organisations establish a financial statements sub-committee (FSSC) of their audit committee. The role is to receive throughout the financial year updates on progress and risks associated with preparation of the annual financial statements and the annual external audit. A FSSC is a review activity to monitor and guide the process, work plans and risks associated with financial statement preparation and the annual external audit.

FSSC meetings are aligned to the approved financial statements project plan for financial statement preparation and provide additional assurance to the audit committee and management that activities are on track and risks mitigated.

FSSC objectives are to:

› Monitor key risk areas such as finance systems, preparation of the annual financial statements, and infrastructure expenditure.
› Monitor progress of organisation actions to address external audit observations related to the financial statements.
› Assist with resolution of issues that may arise between the organisation and the external auditor, if and when required.
› Provide the audit committee with sufficient assurance it can recommend the organisation sign the annual financial statements.

FSSC membership would generally be:

Role | Position
Chair | An independent audit committee member with in-depth skills in financial management and accounting standards
Member | Chief financial officer
Member | Deputy chief financial officer
Non-voting attendees | Finance staff as required to provide updates and information

Putting The Time In

Audit committee membership is a part-time job, but it carries a great deal of responsibility. Audit committee chairs and members are selected for their specialist expertise, so it is a shame when that expertise is not actively used in organisations.

There are generally 4–5 audit committee meetings per year, but the role of an audit committee chair or member shouldn’t stop at the scheduled meetings – an audit committee member should actively contribute their knowledge and experience outside audit committee meetings while maintaining their independence from management. Though it is true that member effort and contributions will often come down to the remuneration offered.

It is often said that an effective chair can get through an audit committee agenda quickly, but audit committee meetings should take as long as necessary to get the job done. If an audit committee is doing everything it should according to an annual audit committee work plan covering the entire governance and assurance environment, it is difficult to see how a meeting can be completed in two hours for a large and complex organisation (or one hour per meeting as observed in a very large and complex Australian organisation).

Covering Everything

It is important for an audit committee to make sure its annual meeting planner is sufficiently comprehensive to cover organisation risks, together with all governance and assurance activities.

Some audit committees concentrate on a relatively small number of governance and assurance activities such as the financial statements, risk management and internal audit. There are many more governance and assurance activities that should be included in an audit committee’s remit.

There should be focus on financial management / long-term financial sustainability / budget management / recruitment funding / asset maintenance / etc - not just the financial statements.

Good questions to ask of management are:

› “Since the last meeting, have you become aware of any significant non-compliance or breaches in the organisation?”
› “Are you aware of any significant reputation issues for the organisation that have not already been discussed?”

Seeing Everything

One challenge often heard from audit committee members is that there are too many papers for meetings. While it is not an audit committee role to view every document across the organisation, it is an audit committee member’s role to satisfy themselves that key documents (a) exist (b) are sufficiently comprehensive and up-to-date (c) are good quality (d) have been effectively disseminated (e) are complied with.

This means audit committee members need to view key documents to form an opinion on their efficacy – it is not possible to do this without looking at those documents.

On the other hand, audit committees should not be expected to act as a quality review activity for writers of policies and procedures. Nor should they be expected to process raw information.

Active Audit Committee Chairing

Some audit committee chairs and members do not spend much time within the organisation. This is likely to be different where an audit committee is a board sub-committee.

An active audit committee chair is likely to spend 50% more time performing the chair role than a member performing their role.

In-Person versus Video Meetings

While videoconference meetings have become common in recent times, it is important for audit committee members to develop a solid connection with their organisation.

There should be at least periodic in-person audit committee meetings to foster relationships with organisation management and between audit committee members themselves. In-person attendance is as important for management as it is for audit committee members.

In-person meetings lead to a better audit committee member understanding of the organisation, its people and its facilities.

Asking The Hard Questions

‘Hard questions’ are those questions management find awkward to answer. It is an audit committee member’s role to ask ‘hard questions’ when warranted.

It is not unusual for management to verbally assure an audit committee that something is in place or nearing completion. For example, at one organisation, despite middle management assurances after the ‘hard question’ was asked multiple times by the audit committee, it was revealed the ICT disaster recovery plan was not commenced and the organisation had a major exposure of which top management was unaware.

It is appropriate for the audit committee to seek direct evidence in support of assurances or to commission internal audit to confirm them.

Private Sessions

To ensure the audit committee receives solid information and unfiltered reports, private (also called ‘in camera’) sessions without management present should be scheduled with:

› External auditor – at least annually.
› Chief audit executive – at least twice per year.
› Chief risk officer – at least twice per year.
› Chief compliance officer – at least annually.
› Regulators – as required.

Private sessions with the chief executive and individual executive management can also be useful to keep audit committee members up-to-date on risks and challenges across the organisation and in specific business units – one per meeting on a rotational basis. This is more likely to happen in organisations with a healthy culture and strong ethical ‘tone at the top’.

Audit Committee Meeting Attendees

A ‘cast of thousands’ attending audit committee meetings is not recommended. Audit committee meeting attendees should be the official voting members. This may be supplemented by attendance for people to present their agenda item, but this should be for their agenda item only and not the whole meeting. A board member or a chief executive should attend audit committee meetings to share insights, but for open and frank audit committee discussions this would not generally be attendance for the entire meeting.

The chief audit executive should attend for all parts of the meeting except where the members are receiving a private briefing. Even in these circumstances it may be appropriate in some circumstances for the chief audit executive to attend so they can remain informed. This may also extend to the chief risk officer.

It is generally considered undesirable for attendance at audit committee meetings by a guest observer representing shareholders. In the case of local government, ratepayers and other stakeholders may be able to attend audit committee meetings in-person or via live streaming, though meetings can become disjointed when confidential papers need to be discussed and stakeholders are shut out for those agenda items.

Minuting All Meeting Action Items

It is important for all meeting action items to be minuted and assigned a management sponsor to respond by a specified date.

When meeting minutes are issued, some action items are often missing or recorded in a vague way without assignment for anyone specific to respond.

An audit committee should take time after each meeting agenda item discussion to get action items down in writing to make sure something is done in a timely way and necessary action is not lost accidentally or deliberately.

Own Internal Audit

Internal audit independence is achieved by the chief audit executive reporting:

› Functionally for operations to the audit committee through the chair.
› Administratively to the chief executive officer or the next most independent senior executive who should be in an area where there is little internal audit activity, for example general counsel or company secretary.

For this reason, the audit committee ‘owns’ functional internal audit elements to provide a control to management interference in the internal audit process or filtering of internal audit reports and messaging.

Functional reporting generally involves the audit committee:

› Reviewing and endorsing the internal audit charter.
› Endorsing decisions regarding appointment and removal of the chief audit executive and contributing to the chief audit executive performance assessment.
› Reviewing and endorsing the internal audit plan and any changes.
› Reviewing reports on the results of internal audit engagements, audit-related activities, audit team capability, audit performance and other important matters.
› Monitoring compliance with standards, together with quality and improvement arrangements.

› Meeting privately with the chief audit executive regularly without management present.
› Making enquiries of the chief audit executive to determine any scope or budget limitations that may impede execution of internal audit responsibilities.

Administrative reporting to the chief executive officer generally includes:

› Internal audit resources and annual budget.
› Provision of corporate services to internal audit including office accommodation, computers and equipment.
› Human resource administration.

It weakens organisational governance if the administrative role is actively involved in the internal audit process such as selecting, directing and editing the internal audit plan or being involved in the internal audit engagement process such as attending meetings or reviewing internal audit reports.

While the internal audit budget may be an administrative matter, the audit committee should be alert to the potential for internal audit to be starved of resources which can impact internal audit effectiveness.

Learning From Good Practice

The Institute of Internal Auditors-Australia produces technical publications called the ‘20 Critical Questions Series’. This asks a series of questions about governance, internal audit, risk management, compliance and a range of other related topics.

They are designed to be short and sharp self-assessments which could be facilitated by internal audit as part of the internal audit plan. They are not necessarily evidence-based but provide a snapshot of a governance or assurance activity and an indication of where the organisation sits in relation to good practice.

Improvements identified from the process can then be tracked until implemented.

Perhaps start with 20 Critical Questions ‘What Directors should ask about Their Audit Committee’.

Learning From Others

Periodically, there are reports relating to various topics issued by significant government enquiries / regulators / auditors general. There are often learnings in these reports relevant to other organisations, whether in the same industry sector or not. Some public sector reports can have learnings for corporate organisations.

Where relevant, it is a good practice for an audit committee to request their organisation compare their practices to learnings contained in reports of this nature.

Audit Action Close-Out

An audit action is ‘An improvement action, ideally agreed by management, for management to implement from an audit report.’

Audit action close-out is ‘Accepting an audit action as complete after management has implemented remediation or control improvements to address a matter raised in an audit report, or the risk has been accepted through the approved organisation risk acceptance process.’

Audit committees should monitor all remedial and improvement actions, with progress reported to senior management and the audit committee from reports containing recommendations from:

› Internal audit
› External audit
› Reviews by scrutineers and subject matter experts
› ICT reviews
› Evaluations
› Significant enquiries
› Royal commissions

Slow moving and overdue high-risk audit action close-out can be a source of frustration for audit committees. This can occur for various reasons, but often because audit actions do not get the attention they warrant.

Where an audit committee is dissatisfied with progress to close-out overdue audit actions, the senior executive responsible should be called before the audit committee to explain:

› Why action is overdue.
› Interim control arrangements to be relied upon where there is a long lead time, such as waiting to close-out an improvement action through implementation of a technology solution.

› When overdue high-risk audit actions will definitely be closed-out.
› Who is accepting the risk and whether this is in line with the organisation’s approved risk appetite.

The audit action close-out process also needs focus to ensure some form of validation over close-outs.

Refer IIA-Australia Factsheet ‘Audit Action Close-Out’.

Debriefing

It is important for the audit committee to have a sound relationship with the governing authority.

For this reason, regular meetings should be scheduled in advance where the audit committee chair can meet with the governing authority and provide a private briefing on audit committee activities and concerns. These are often scheduled soon after each audit committee has been held.

This is also important to demonstrate ‘tone at the top’ supporting the audit committee as important.

Performance Assessment

Audit committee performance should be evaluated, with results reported to the governing authority. Audit committee performance should be evaluated through:

› Annual self-assessment by committee members.
› Independent review – suggested every five years in the same way as internal audit is required by the Internal Audit Standards to be independently reviewed at least every five years.

Conclusion

Summary

There are audit committees that do the bare minimum and those that put the time in and actively contribute to their organisation.

Expectations of audit committees have grown, and these days coverage needs to encompass the whole range of an organisation’s governance and assurance environment if an audit committee is to perform its role effectively.

Conclusion

An audit committee should strive to operate effectively and deliver a valuable service to its organisation.

Incorporating some or all of the ideas in this White Paper will go some way to achieving that aim.

Bibliography and References

Bibliography

Australian Institute of Company Directors, Auditing and Assurance Standards Board, 2017. The Institute of Internal Auditors - Australia, Audit Committees: A guide to good practice. 3rd ed. Melbourne: AICD, AuASB & IIA-Australia.

The Institute of Internal Auditors - Australia, 2022. Factsheet: Audit Action Close-Out. [Online].

The Institute of Internal Auditors - Australia, 2022. Factsheet: Audit Committee Work Plan. [Online].

The Institute of Internal Auditors - Australia, 2022. Factsheet: Establishing a Skills-Based Audit Committee. [Online].

Purpose of White Papers

A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors–Global and the Institute of Internal Auditors–Australia.

Author’s Biography

This White Paper written by:

Andrew Cox MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

Andrew Cox is Manager of Technical Services at the IIA-Australia, responsible for technical matters including contributions to the body of knowledge around governance, risk management and internal audit.

He was previously a chief audit executive at significant organisations. He further developed the internal audit external quality assessment process in Australia and has performed more than 300 of these in corporate and public sector organisations in Australia, Bahrain, Brunei, Kuwait, Qatar, Saudi Arabia and the United Arab Emirates.

He has made presentations on internal auditing in forums in Australia and internationally and has taught internal auditing in Australia and other countries. He co-authored the IIA-Australia publication ‘Internal Audit in Australia’ and co-authored ‘Audit Committees – A Guide to Good Practice, 3rd edition’ issued by AICD / AUASB / IIA-Australia. He contributed to ‘Sawyer’s Internal Auditing, 7th Edition’.

He is an independent member of a number of audit committees.

This White Paper edited by:

Michael Parkinson BSc(Hons), GradDipComp, PFIIA, CIA, CISA, CRMA, CRISC

Stephen Coates BCom(Acc), CertSQM, PFIIA, CIA, CISA, CGAP, CRMA, CSQA, JP(Qual)

Stephen Horne BBus, GradCertMgtComm, GradCertFraudControl, CertPublicAdmin, PFIIA, CIA, CGAP, CRMA, FGIA, GAICD, MIPAA

About the Institute of Internal Auditors–Australia

The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard-setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘International Professional Practices Framework’ (IPPF), a collection of guidance that includes the ‘International Standards for the Professional Practice of Internal Auditing’ and the ‘Code of Ethics’.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright

This White Paper contains a variety of copyright material. Some of this is the intellectual property of the author, some is owned by the Institute of Internal Auditors–Global or the Institute of Internal Auditors–Australia. Some material is owned by others which is shown through attribution and referencing. Some material is in the public domain. Except for material which is unambiguously and unarguably in the public domain, only material owned by the Institute of Internal Auditors–Global and the Institute of Internal Auditors–Australia, and so indicated, may be copied, provided that textual and graphical content are not altered and the source is acknowledged. The Institute of Internal Auditors–Australia reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of the material.

Disclaimer

Whilst the Institute of Internal Auditors–Australia has attempted to ensure the information in this White Paper is as accurate as possible, the information is for personal and educational use only, and is provided in good faith without any express or implied warranty. There is no guarantee given to the accuracy or currency of information contained in this White Paper. The Institute of Internal Auditors–Australia does not accept responsibility for any loss or damage occasioned by use of the information contained in this White Paper.
