Part 1 – Role of the Audit Committee
The audit committee makes up one of the three pillars of the Board committee system and forms a critical part of the overall framework of corporate governance for medium to large companies, housing associations, charities, academy trusts and public sector bodies. Experience shows that the role is not an intuitive one and there is often confusion about the purpose of an audit committee.
For example, in a recent Education Funding Agency webinar, a leading accountancy practitioner was asked what the role of the audit committee is in an academy trust. He replied that its job was ‘to manage risk in the organisation’. That may be his perception, but in practice how can this group of usually 3-5 non-executive members possibly have eyes and ears in every corner of the organisation? Do they really have the time and resources to achieve that result? Or is it more a case of providing oversight and ‘reasonable assurances’ to the Board and external stakeholders that appropriate systems and controls are in place? In this piece, I look at the role and functions of the audit committee and share some lessons on what makes it effective.
Why have an audit committee?
In the education sector, all academy trusts with an annual income over £50 million are required by the Financial Handbook to appoint a dedicated audit committee (smaller ones may combine this function with other committee business). Under the NHS Codes of Conduct and Accountability and the Monitor Governance Code, health trusts are required to establish one. Local authorities are required by accounting standards to establish one. The National Housing Federation Governance Code requires that ‘All but small non-developing organisations must have a committee primarily responsible for audit, and arrangements for an effective internal audit function’. Similarly, HM Treasury requires that all government departments, executive agencies and arm’s length bodies should establish an ‘audit and risk assurance committee’. UK listed companies are required by law to have an audit committee.
The UK Corporate Governance Code (widely regarded as the gold standard of best practice) requires that boards should establish formal and transparent arrangements for:
- Consideration of how they should apply reporting and risk management and principles of internal control; and
- Maintaining an appropriate relationship with the organisation’s external auditors.
These functions are discharged by establishing a formal audit committee with clear terms of reference.
The Board must put in place governance structures and processes to ensure that the organisation operates effectively, meets its strategic objectives and provides the Board with assurance that this is the case. However, even the best structures and processes can let down an organisation if they, and the assurances they provide, are not operated with sufficient rigour. Boards are ultimately responsible for assessing risk, signing off financial statements and the accuracy of public announcements. There can be significant personal liabilities for getting it wrong. Board members need to be reassured that they can rely on the information being presented to them. Boards look to their audit committee to review and report on the relevance and rigour of the governance structures in place and the assurances the Board receives. The Audit Committee supports the Board in this area by obtaining assurances that controls are working as designed and by challenging poor sources of assurance.
What are the functions of an audit committee?
The UK Code lists the role and responsibilities of an audit committee:
- To monitor the integrity of the organisation’s financial statements and any formal announcements relating to financial performance
- To review the organisation’s internal financial controls, internal control and risk management systems
- To monitor and review the effectiveness of the organisation’s internal audit function (if it has one, and if there is not, annually consider whether there ought to be one in the light of current risks and trends in the market)
- To make recommendations to the board in relation to the appointment, reappointment or removal of the organisation’s external auditors
- To approve the remuneration and terms of engagement of the external auditors
- To review and monitor the independence of the external auditors, as well as the objectivity and effectiveness of the audit process
- To develop and implement a policy on using external auditors to provide any non-audit services
- To report to the board on how it has discharged its responsibilities.
The Code recommends that part of the organisation’s annual report should describe the work of the audit committee.
The Financial Reporting Council has published extensive guidance on the role of the audit committee. Of particular note are the following points:
- The organisation’s management is under an obligation to make sure that the audit committee is kept properly informed and should take the initiative in providing the committee with information instead of waiting to be asked – this is crucial since the audit committee can only work properly if it is kept informed.
- Whilst the core duties of the audit committee are oversight, assessment and review of systems and functions in the organisation, it is not the duty of the committee itself to carry out those functions or to make or endorse substantive decisions. Executive management prepares financial statements; auditors prepare audit plans. Executive management is responsible for actually managing risk (within the risk appetite and tolerances set by the Board as a whole). The audit committee’s role is to provide reasonable assurance to the board and external stakeholders that the functions are being carried out properly. They must flag up issues identified. FRC guidance recognises that, faced with unsatisfactory explanations by management, the committee may ‘have no alternative but to grapple with the detail and perhaps seek independent advice’. They might also from time to time carry out thematic reviews of known areas of high risk on their own initiative.
In the public sector, HM Treasury considers that the role of the audit committee ‘is also to act as the conscience of the organisation’ and to provide insight and constructive challenge where required, for example, on risks arising from increasing constraints on resources, new service delivery models, information flows on risk and control and the general agility of the organisation to respond to new risks.
Oversight of risk management and controls
The effective development and delivery of an organisation’s strategic objectives, its ability to seize new opportunities and to ensure its own long-term survival depend on its identification, understanding of, and response to, the risks it faces. In an earlier post we looked at how boards can develop an effective approach to risk management. Risk appetite is the level of risk that the organisation is willing to take in pursuit of its objectives (it can have ‘upside’ as well as ‘downside’). It is concerned with the amount and types of risk the Board would like the organisation to take without a serious threat to its financial stability – it can be quantified so that prudent limits can be set. Setting that level of risk appetite is a key role for the Board as a whole.
The UK Corporate Governance Code requires that ‘the Board should satisfy itself that appropriate systems are in place to identify, evaluate and manage the significant risks faced by the organisation’. The Board should carry out a review of the effectiveness of risk management systems in the organisation. The work of the audit committee helps to inform this, but it must always be remembered that ‘the buck stops’ with the Board.
An internal control system must be effective in preventing losses arising from risk events, identifying risk events and taking corrective action when they occur. An internal control system is concerned with managing business risks which are largely internal to the organisation. Controls will include the policies, processes, procedures, methods, measures, tasks and behaviours to ensure that operational activities progress effectively. It is designed to provide assurance on the achievement of objectives as follows:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Internal controls can be classified into 3 main types:
- Preventive controls – intended to prevent an adverse risk event from occurring, e.g. fraud by employees
- Detective controls – for detecting risk events when they occur, so that an appropriate person is alerted and corrective action can be taken
- Corrective controls – measures for dealing with the consequences of risk events that have occurred.
The various sources of assurance make up what is known as the ‘three lines of defence’:
- First line: management assurance from frontline or operational areas;
- Second line: oversight of management activity, separate from those responsible for delivery (but still part of the management chain);
- Third line: independent and objective assurances from internal audit and external bodies.
Together these assurances make up the Assurance Framework.
“The Assurance Framework is the ‘lens’ through which the Board examines the assurances it requires to discharge its duties. The key question Board members need to ask is ‘How do we know what we know?’ The Assurance Framework should provide the answer.” (NHS Audit Committee Handbook 2011).
The role of ‘internal audit’ in assisting the committee
‘Internal audit’s role is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight’ – Institute of Internal Auditors.
The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively. Unlike external auditors, they look beyond financial risks and statements to consider wider issues, such as operational effectiveness, the organisation’s reputation, growth prospects, impact on the environment, dealings with employees and compliance with regulations. The internal audit function can be performed by directly employed staff (with appropriate reporting lines), or alternatively the function can be outsourced to a specialist firm. The scale and frequency of activities really depends on the complexity of the organisation. A properly resourced internal audit function can provide management with valuable objective assurance and advice on risk management and controls. The data and reports produced by internal audit will be valuable data to feed into the audit committee meetings, particularly where they highlight trends or recurring problems which the committee may need to probe more deeply.
In part 2, we will consider the composition of the Audit Committee, how it can manage its business effectively and the qualities to look for in effective members.
Mark Johnson is an experienced solicitor & chartered company secretary supporting businesses, charities, social enterprises & academy trusts on governance, compliance & legal affairs. He also serves as an audit committee member for a leading multi-academy trust.