Audit committee oversight responsibilities

Audit committee members have a critical role in overseeing many aspects of a company’s activities and performance. The audit committee has responsibility for overseeing financial reporting and related internal controls, risk, independent and internal auditors, and ethics and compliance.

The audit committee’s oversight responsibilities are described in rules of the Securities and Exchange Commission (SEC) and the exchanges on which a company’s shares are listed, notably the New York Stock Exchange (NYSE) and Nasdaq. Responsibilities may also fall to the audit committee indirectly resulting from requirements for independent auditors imposed by the Public Company Accounting Oversight Board (PCAOB). SEC, NYSE, Nasdaq, and PCAOB rules are highlighted throughout, where relevant. Common practices, tools, and resources to assist audit committee members in executing their responsibilities are highlighted throughout as well.

Increasingly, additional responsibilities are also falling to the audit committee, including cybersecurity and environmental, social, and governance (ESG) reporting. The Audit Committee Practices Report, a survey conducted by Deloitte and the Center for Audit Quality, finds that audit committees are being challenged by increased complexity in their core responsibilities as well as scope creep across other areas within their organizations.

Financial reporting

The audit committee, management (including the internal auditor), and the independent auditor each have a distinct role in financial reporting. Management is responsible for preparing the financial statements, establishing and maintaining adequate internal control over financial reporting (ICFR) as well as disclosure controls and procedures (DCPs) for items disclosed in Exchange Act reports, and evaluating the effectiveness of ICFR. The independent auditor is responsible for expressing an opinion on whether the financial statements fairly present, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles (GAAP), and, when applicable, evaluating the effectiveness of ICFR. In companies that have internal auditors, they have a role in providing objective assurance while acting as advisers to management.

The audit committee is responsible for overseeing the financial reporting process. To do so effectively, committee members should be familiar with the processes and controls that management has established and determine whether they are designed and operating effectively. In carrying out its role of oversight and monitoring, including obtaining the knowledge needed to provide appropriate oversight, the committee may rely on management, the independent auditor, the internal auditor (if any), and any advisers the committee might engage, provided its reliance is reasonable.

Audit committees should understand the company’s risk areas and the internal controls that address them. Areas that warrant particular attention include:

  • Complex accounting and reporting areas and how management addresses them
  • Significant accounting policies, judgments, management estimates, and their impact on the financial statements
  • Any prior internal control issues and how they have been resolved
  • The design and components of the company’s antifraud and anticorruption compliance programs, confirming that those programs have sufficient oversight, autonomy, and resources
  • The company’s strategy for managing tax risk, tax controversy, and volatility in the effective tax rate, including potential reputational risks associated with tax positions
  • Uncertain tax positions taken by the company and their potential impact on financial reporting
  • Pending financial reporting and regulatory developments, with a focus on understanding how they may affect the company

NYSE requirements

NYSE listing standards require the audit committee to review major issues regarding accounting principles and the presentation of the financial statements.


Nasdaq requirements

The Nasdaq listing standards approach is more general, requiring the audit committee to oversee the accounting and financial reporting processes of the company and audits of the financial statements.

Review of filings and earnings releases

The audit committee generally reviews earnings releases, SEC filings containing financial information, and other financial information and earnings guidance provided to analysts, rating agencies, and others. NYSE listing standards require that the audit committee meet to discuss the company’s annual audited financial statements and quarterly financial statements with management and the independent auditor. Nasdaq requirements are similar.

The NYSE standards also require the audit committee charter to address the committee’s responsibility to discuss earnings press releases, as well as the financial information and earnings guidance provided to analysts and rating agencies. This discussion may be in general terms, and the audit committee may discuss the types of information disclosed and presentations made. The discussion should give particular attention to pro forma or adjusted non-GAAP financial information.

SEC rules regarding the use of non-GAAP financial measures require, among other things, that disclosure of any material information containing non-GAAP financial measures must include the most directly comparable GAAP financial measures, that the GAAP measures must be presented with equal or greater prominence, and that GAAP and non-GAAP measures must be reconciled. The SEC continues to scrutinize non-GAAP measures, particularly their prominence and the adjustments used to derive them. As a result, companies and audit committees should consider examining their use of non-GAAP measures and the related controls, as well as the disclosure of those measures. Deloitte’s publication A Roadmap to Non-GAAP Financial Measures provides additional information, including ways for a company to assess the appropriateness of its non-GAAP measures and related control considerations.

The committee should consider how it will execute these responsibilities to satisfy itself that all information is presented fairly and transparently. This should include a focus on consistency of information, tone, and messaging across all communications.

The audit committee should confirm that an appropriate legal review has been completed to verify disclosures are reasonable, including any obligation to report on known trends and uncertainties. This review should also consider compliance with the company’s policies on forward-looking statements and the completeness of any related disclaimers.

Audit committees should also ask questions about the issues raised in SEC comment letters received by the company and management’s responses, and should consider the nature of SEC comment letters issued to companies in similar industries.

Internal control over financial reporting

ICFR is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP. While management is responsible for designing, implementing, operating, and maintaining ICFR, the audit committee is responsible for overseeing the system of internal controls and confirming that management has an adequate and well-functioning system of controls. As part of its oversight responsibilities, the audit committee also plays an important role in promoting a culture that enables reliable and timely reporting.

Audit committees should have periodic interactions with management, the internal auditor, and the independent auditor to receive timely, accurate information regarding the functioning of internal controls. These reports should address the design and operating effectiveness of controls, ongoing monitoring activities, any failures or weaknesses in controls, root causes associated with these failures or weaknesses, and actions to remedy them. Audit committees should also understand the role of outside service providers, such as outsourced payroll, data centers, and others, that have a role in a company’s ICFR.

COSO framework

The 2013 Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a formal structure for designing and evaluating the effectiveness of internal controls. The SEC requires companies to use a “suitable framework” for management reporting on ICFR, and it says the COSO framework “satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements.” The framework emphasizes the role of the board—and, by delegation or regulation, the role of the audit committee—in overseeing internal control, which remains an essential aspect of effective governance. The framework highlights:

  • The board’s role in the control environment, including clarification of expectations for integrity and ethics, conflicts of interest, adherence to codes of conduct, and other matters
  • The board’s assessment of the risk that management could override internal controls, and its careful consideration of how such an override would be prevented or detected
  • The establishment and maintenance of open lines of communication between management and the board and the provision of separate lines of communication, such as whistleblower hotlines

Audit fees

This includes fees for services that normally would be provided in connection with statutory and regulatory filings or engagements, including the audit of internal control over financial reporting.
Audit-related fees

This includes fees for assurance and related services performed by the independent auditor that are reasonably related to the audit or review of the financial statements but are not reported as audit fees.

Tax fees

This includes fees for all tax services except those related to the audit, such as the review of the tax provision, which would be included in audit fees.

All other fees

This includes all fees paid to the independent auditor for services other than audit, audit-related, or tax.
Risk

The SEC considers risk oversight a major responsibility of the board and requires disclosure of its role in this area. Disclosures include whether the entire board is involved in risk oversight, whether certain aspects are executed by individual board committees, and whether the employees responsible for risk management report directly to the board. Such disclosures inform shareholders’ understanding of the board’s process for overseeing risk.

In some instances, the audit committee may be delegated broad oversight responsibility for risk by the board. The audit committee’s primary risk oversight responsibilities are focused on the company’s financial risks, enterprise risk management (ERM), and risks related to ethics and compliance. At companies with risk committees, such as large financial institutions that are required to have such committees under the Dodd-Frank Act, the audit committee’s oversight responsibilities with respect to risk may differ.

In many companies, the audit committee’s risk oversight role has evolved to include additional responsibilities in areas such as cyber, mergers and acquisitions (M&A), and to varying degrees, ESG matters, among others.

With respect to financial risk, the audit committee should understand the company’s major financial risk exposures and how management monitors and controls such exposures. The committee can also ask business leaders to periodically provide an overview of their respective businesses, focusing on financial risks and other factors that may affect the financial statements.

Enterprise risk management

The board should prioritize having a well-defined, effective risk oversight function and should clearly define which risks the full board should discuss regularly versus those that can be delegated primarily to a board committee. Boards may have a defined risk governance structure in place, which should be assessed periodically as risks shift or new risks emerge, and consideration should be given to whether committee charters should be updated to align with the defined risk governance structures. The board or the committee tasked with overseeing the enterprise risk program should periodically review the company’s top risks with an eye on which board committee and member of management is responsible for each.

NYSE listing standards indicate the audit committee must discuss guidelines and policies to govern the process by which management assesses and manages the company's exposure to risk. This includes discussing the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The standards acknowledge that many companies manage and assess their risk through mechanisms other than the audit committee and that audit committees should review these processes in a general manner.

Many companies leverage COSO’s ERM framework, which promotes a principles-based approach to ERM by organizing a program around five interrelated components: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting.

A common practice is for management to maintain a list of all enterprise-wide risks, which are then mapped to specific board committees with the expertise to oversee them as well as the respective risk owners in management. In many instances, the full board takes direct responsibility for and regularly discusses the company’s most strategic risks, which include risks that could disrupt and materially impact the company’s business strategy. While it may be appropriate for the audit committee to review the guidelines, processes, and policies management has in place to assess and manage risk, boards should take care not to overburden the audit committee with risk oversight responsibilities.

Fraud risk

The audit committee should be satisfied that the company has programs and policies in place to deter and detect fraud. The committee should work with management to oversee the establishment of appropriate antifraud controls and programs and to take appropriate steps when fraud is detected.

The audit committee should also be satisfied that the organization has implemented an appropriate ethics and compliance program and established a reporting hotline. See codes of ethics and conduct and hotlines for more information.

Audit committee members should be aware of three main areas of fraud risk:

  • Financial statement fraud, which includes intentional misstatements in or omissions from financial statements
  • Asset misappropriation, which may include check forgery, theft of money, inventory theft, payroll fraud, or theft of services
  • Corruption, which may include schemes such as kickbacks, shell companies, bribes to influence decision-makers, or manipulation of contracts

The audit committee can help oversee the prevention and detection of financial statement fraud by monitoring management’s assessment of ICFR. The audit committee should also be aware of the US Foreign Corrupt Practices Act (FCPA) and other non-US anticorruption laws that may be applicable, such as the UK Bribery Act. As the SEC and Department of Justice note in the Resource Guide to the FCPA, anticorruption compliance “begins with the board of directors and senior executives setting the proper tone for the rest of the company.” To that end, the audit committee should:

  • Understand the company’s obligations and responsibilities regarding anticorruption laws to which it is subject
  • Determine whether the company has dedicated appropriate oversight, autonomy, and resources to its anticorruption compliance program
  • Understand specific policies and procedures in place to identify and mitigate corruption-related risks
  • Discuss with management corruption-related risks that have been identified, including allegations of corruption that may have been received through the company’s monitoring and reporting mechanisms, as well as management’s plans for responding to such risks
  • Monitor any violations, including management’s response

Depending on a company’s size, the determination of whether the company has dedicated appropriate oversight, autonomy, and resources could include an evaluation of whether an individual is specifically charged with anticorruption compliance and has a direct reporting line to the committee.

Cyber risk

Rapid advancements in digital technology and interconnectivity have significantly escalated cyber risk, making it a high priority for management and boards at companies of all sizes and in all industries. The pervasiveness of cyber risk significantly increases concerns about financial information, internal controls, and a wide variety of risks, including reputational risks that can result from a cyber incident. Oversight of a successful cyber risk management program requires proactive engagement and is frequently the responsibility of the full board. In some organizations, a level of oversight may be delegated to the audit committee, or to a risk committee or technology committee, if either exists.

Cyber-related regulatory requirements that are relevant to audit committees are evolving. In early 2022, the SEC issued proposed requirements to enhance and standardize disclosure regarding cyber risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require current reporting about material cyber incidents and periodic reporting to provide updates about previously reported cyber incidents. They would also require disclosure of the policies and procedures used to identify and manage cyber risks, the board’s oversight of cyber risk, management’s role and expertise in assessing and managing cyber risk, and the board’s cyber expertise, if any.

Until the final rules are issued, SEC interpretive guidance from 2018 presents the SEC’s view on how its existing rules apply to cybersecurity threats and incidents. The guidance builds on earlier SEC staff guidance and focuses on cyber policies and controls, most notably procedures for escalating cyber incidents to those responsible for disclosure decisions and the application of insider trading prohibitions while an incident is under investigation. The guidance also addresses the importance of avoiding selective disclosure and considers the role of the board of directors in risk oversight. The release applies to public operating companies, including foreign private issuers, but does not address the specific implications of cyber for other entities regulated under the federal securities laws, such as registered investment companies, investment advisers, brokers, dealers, exchanges, and self-regulatory organizations.

SEC guidance includes the SEC’s view on the role of the board in overseeing cyber risk. If the risk is material to a company’s business, the discussion of the board’s role in risk oversight should include the nature of its responsibilities for overseeing the management of this risk. In the guidance, the SEC says “disclosures regarding a company’s cyber risk management program and how the board of directors engages with management on cyber issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

In companies where the audit committee holds some responsibility for cyber risk oversight, the committee should obtain a clear understanding of the specific areas it is expected to oversee. Given its existing role in overseeing financial risks and monitoring management’s policies and procedures, the audit committee may be asked to play a significant role in monitoring management’s preparation for and response to cyber threats, coordinating cyber risk management initiatives and policies, and confirming their efficacy. Those audit committees may take the lead in overseeing cyber threat trends, regulatory developments, and major threats to the company. Other responsibilities may include setting expectations and accountability for management as well as assessing the adequacy of resources, funding, and focus on cyber risk management activities.

For audit committees charged with this oversight, engaging in regular dialogue with C-suite leaders responsible for information technology and security can help the committee determine where attention should be focused. Although cyber risk is frequently on the full board’s agenda, audit committees are increasingly receiving regular updates from relevant technology leaders, with technology risk-related topics appearing on almost every meeting agenda. The audit committee chair can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding cyber and financial risk mitigation.

The AICPA’s cybersecurity risk management attestation reporting framework is a resource for expanding cyber risk reporting to help address the marketplace need for greater stakeholder transparency. This reporting framework establishes a standardized reporting mechanism for providing a broad range of users with useful information about an entity’s cyber risk management program to support informed and strategic decision-making. Leveraging a unified approach for performing and reporting on an entity’s cyber risk management program and related controls could help boards and audit committees effectively execute their oversight responsibilities with respect to cyber risk. See Deloitte’s cybersecurity risk management examination resources for more on cyber reporting and risk management.

Mergers and acquisitions

The audit committee has an important role in M&A transactions, both before a transaction in overseeing due diligence and after a transaction in integrating controls and reporting. The audit committee should also review SEC reporting with respect to acquisitions and the accounting for acquisitions in financial statements.

Due diligence

Although due diligence is largely management’s responsibility, the audit committee can provide oversight in areas such as risk analysis, internal controls, and the basic financial information on which the terms are based.


Post-merger integration

SEC rules require public companies to integrate disclosure controls as well as controls over financial reporting following a merger or acquisition.

Environmental, social, and governance

Rising focus on climate change, social justice, and shareholder activism in recent years has led to a greatly increased focus on ESG issues in corporate boardrooms. Regulation in these areas is evolving. The SEC issued a proposal in 2022 to require public companies to include extensive climate-related disclosures in their registration statements and periodic reports soon after it issued proposed cyber disclosure requirements. If finalized as proposed, these disclosures would include information about climate-related risks that are reasonably likely to have a material effect on the business, results of operations, or financial condition, as well as certain climate-related financial statement metrics in a note to audited financial statements. Under the proposed rule, certain filers would be required to include an attestation report from an independent attestation service provider covering certain emissions disclosures. This issue of Heads Up outlines the proposed requirements, which are intended to enhance and standardize climate disclosures.

Audit committees are increasingly engaging in the ESG agenda due to the growing reliance by investors and other stakeholders on ESG disclosures. Additionally, audit committees may have a growing role in overseeing ESG-related activities and metrics. While regulation might formalize the role of the audit committee in the ESG arena, audit committees should engage on whether appropriate internal controls and DCPs exist underlying the ESG information and metrics that companies disclose, whether the audit committee has reviewed disclosures, how management considers ESG strategies and their impact on financial statements, and whether the organization is obtaining assurance on its reporting.

Audit

Oversight of the independent auditor, as well as the internal auditor at companies that have this function, is among the audit committee’s most important oversight responsibilities. Audit committees are responsible for overseeing the performance and quality of the audit as well as the independence of auditors.

Oversight of the independent auditor

Audit committees of listed companies are directly responsible for the appointment, compensation, and oversight of the independent auditor, including the resolution of any disagreements with management. The audit committee, management, the independent auditor, and the internal auditor should work together in a spirit of mutual respect and cooperation.

Audit committees are required to own the relationship with the independent auditor, focusing on qualifications, performance, independence, and compensation. Expectations should be clear regarding the nature and method of communication and the exchange of insights. An annual meeting with the independent auditor and regular dialogue beyond audit committee meetings can promote effective interaction.

The audit committee and the independent auditor typically meet at least quarterly to thoroughly discuss a wide variety of matters, including the company’s financial reporting, internal controls, and the audit, from planning to report issuance. Audit committees should proactively engage with the lead audit partner and meet periodically with specialists in areas such as tax, information technology, and others, as needed. These discussions should also include educational topics and sharing of insights beyond the audit. The audit committee can provide the independent auditor with formal evaluations and regular feedback.

The NYSE corporate governance rules require the audit committee to participate in periodic private sessions with management, independent auditors, and internal audit. Executive sessions with the independent auditor facilitate open communication and help to identify concerns. Although executive sessions are not explicitly required for Nasdaq-listed companies, it is common practice for audit committees to hold these sessions.

Auditor independence

SEC and PCAOB rules govern the independence of accountants who audit or review financial statements and prepare attestation reports filed with the SEC. The rules recognize the critical role of audit committees in financial reporting, their unique position in monitoring auditor independence, and their direct responsibility for the oversight of the independent auditor. Although most audit firms are rigorous in monitoring and enforcing these independence requirements, it is important that audit committee members be cognizant of them and understand that independence is a dual responsibility with the auditor. The SEC independence rules address the following issues related to registrants:

Auditor communications

The NYSE, Nasdaq, and PCAOB indicate communications that are required between the audit committee and the independent auditor. Many of these communications focus on the responsibility of the audit committee to oversee the independent auditor.

NYSE requirements

The audit committee is required to communicate with the independent auditor in several ways.


Nasdaq requirements

Nasdaq listing standard requires the audit committees of listed companies to obtain a formal written statement from the independent auditor describing all relationships between the auditor and the company.

PCAOB requirements

The PCAOB’s requirements encompass items the independent auditor is required to communicate to the audit committee as described in SEC Regulation S-X.

Evaluation of the independent auditor

Inherent in the audit committee’s duty to appoint, compensate, and oversee the independent auditor is an expectation that the audit committee will evaluate the auditor. The NYSE listing standards require the audit committee to review a report by the independent auditor describing its quality controls, results of investigations, and independence. After reviewing the report and the independent auditor’s work throughout the year, the audit committee is expected to be in a position to evaluate the auditor’s qualifications, performance, and independence. The evaluation is expected to include a review and evaluation of the lead partner of the independent auditor, considering the opinions of management and the company’s internal auditor or other personnel responsible for the internal audit function.

Evaluation factors

Practices for evaluating the independent auditor range from highly formalized processes with extensive documentation to more informal assessments. Factors the audit committee may consider in developing the evaluation process include:

Frequency and timing of the evaluation

Many audit committees perform the evaluation annually, immediately following the issuance of the Form 10-K and in conjunction with their decision to reappoint the independent auditor.
Parties involved in the assessment

The SEC does not explicitly require the audit committee to formally evaluate the independent auditor.

Form and nature of the assessment

Some independent auditors provide assessment questionnaires for evaluating client service.

Assessment criteria
The criteria for evaluating the independent auditor vary. Audit committees may consider characteristics of the audit firm and the engagement team.

The Center for Audit Quality has issued an External Auditor Assessment Tool for audit committees. The tool can be used by audit committees to inform their evaluation of the independent auditor.

Audit innovation

With advances in technology, many auditors are turning to innovation to enhance quality and add value to the audit. In understanding how the independent auditor is innovating, the audit committee may consider several issues, including how the independent auditor is leveraging innovation to enhance audit execution, what investments the independent auditor is making in audit innovation, and how those investments translate to enhanced audit quality and value for the company. Audit committees can ask auditors to explain what insights auditors are able to provide about the company and its financial and internal controls processes through the use of new technologies, including audit analytics.

Oversight of internal auditors

Most public companies have an internal audit function, whether in-house, co-sourced, or outsourced. An internal audit function is not required by the SEC or Nasdaq, but it is required by NYSE listing standards. Whether a company staffs its own internal audit function or outsources it to a third party, audit committees are responsible for providing effective oversight.

NYSE requirements

NYSE listing standards require companies to have an internal audit function. Audit committees are required to oversee the internal audit function and to note this responsibility in their charters.


Nasdaq requirements

Although Nasdaq companies are not required to have an internal audit function, for those that do, oversight of internal audit is often one component of overseeing accounting and financial reporting.

The Nasdaq listing standards approach is more general, requiring the audit committee to oversee the accounting and financial reporting processes of the company and audits of the financial statements.


Expectations of internal audit functions have evolved dramatically over time, with internal audit often asked to offer an advisory perspective. The expectations for internal audit functions vary by organization but may include:

  • Objectively evaluating whether risks relating to the achievement of the company’s strategic objectives are appropriately identified and managed
  • Monitoring and reporting on the health of the company’s controls covering financial, operational, regulatory, reputational, technological, and governance risk, including offering guidance regarding the internal/compliance controls aligned with these risk areas
  • Evaluating whether results of operations or programs are consistent with established goals and objectives and acting as a catalyst for positive change in processes and controls
  • Providing insight in the areas of controls and risk management to assist in the audit committee’s assessment of the efficacy of programs and procedures
  • Coordinating activities and sharing perspectives with the independent auditor

An effective relationship between the audit committee and internal auditors is fundamental to the success of the internal audit function. Internal audit should have direct access to the audit committee, optimally with the chief audit executive (CAE) reporting directly to the audit committee and administratively to senior management. In this reporting structure, internal auditors can remain structurally separate from management, enhancing independence and objectivity. This also encourages the free flow of communication on issues and promotes direct feedback from the audit committee on the performance of the CAE. The audit committee should confirm that internal auditors have appropriate independence and stature and are visibly supported by senior management throughout the organization. The audit committee should support the CAE, providing guidance and assistance when the CAE reports potential management lapses.

The audit committee and the CAE should have a strong relationship characterized by regular and open communication. The audit committee should challenge the CAE and the internal audit department by setting high expectations, communicating those expectations clearly, and holding the department accountable for meeting them. Holding regular executive sessions with the CAE is common, and it is required for NYSE-listed companies. The audit committee should actively participate in discussing goals and evaluating the performance of the CAE. These responsibilities should not be delegated solely to the CEO or CFO.

It is important for the audit committee to assess whether internal audit’s priorities, such as monitoring critical controls and developing an audit plan focused on risks identified in the enterprise risk management (ERM) program, are aligned with those of the audit committee. At some companies, internal audit also evaluates and considers suggestions to improve operations and processes. The audit committee should play a role in helping determine the balance between compliance and operational audits, as appropriate.

The audit committee should understand and approve the internal audit plan and determine whether the CAE has a sufficient budget and related resources to execute against it. As part of this review, the committee should evaluate the company’s ERM program and the alignment of identified risks with the internal audit plan. The audit committee should also evaluate the progress and results of the internal audit plan against the original plan, the extent to which the plan benefits from emerging technology, and how it adapts to changes in risks.

The committee can perform annual evaluations of the CAE and understand internal audit staffing, funding, succession planning, and adequacy of resources. In determining adequacy of resources, audit committees often consider the structure (for example, whether the group is in-house, co-sourced, or outsourced), and whether the CAE and staff are adequately compensated. The committee can consider performing peer benchmarking of the company’s internal audit function to compare relevant metrics.

Ethics and compliance

The audit committee can promote a strong focus on tone at the top, maintaining a positive culture, and adherence to the company’s code of ethics, thus promoting a culture of compliance. The committee should meet periodically in executive sessions with those responsible for overseeing ethics and compliance matters and work with management to confirm that the company’s code of ethics or conduct complies with the applicable requirements. Companies may update the code in response to new issues or situations. Legal counsel should be consulted on modifications to the code.

Communication and training are critical to fostering an ethical culture. The code should be available to everyone in the organization, perhaps through inclusion on the company’s intranet site and in the employee orientation program and manual. Some companies require individuals, including directors, to sign an annual certification noting that they have read, understood, and complied with the code. If an employee refuses to sign the certification, committees should encourage companies to take prompt and appropriate disciplinary action, up to and including termination. Communication of disciplinary actions taken in response to code violations is a common way of communicating to employees that violations are taken seriously.

As part of its oversight of ethics and compliance, the committee should also pay close attention to the risk of management override of controls as well as risk mitigation mechanisms. In addition, the committee can prioritize initiating internal or independent investigations on matters within the committee’s scope of responsibility.

Codes of ethics and conduct

The SEC, NYSE, and Nasdaq require companies to have a code of ethics or a code of conduct. Each code of conduct must provide for prompt and consistent enforcement, protection for individuals who make good faith reports of questionable behavior, clear and objective standards for compliance, and a fair process for addressing violations. Both the NYSE and Nasdaq listing standards permit companies to have more than one code of conduct as long as all directors, officers, and employees are covered by a code. For example, some companies have developed a separate code for directors, whose roles and responsibilities differ from those of officers and other employees.

SEC requirements

The SEC requires registrants to disclose whether they have written codes of ethics that apply to their principal executive officers, principal financial officers, principal accounting officers or controllers, or individuals performing similar functions.


NYSE requirements

NYSE listing standards require a code of conduct that covers not only senior financial officers but all employees. The websites of NYSE-listed companies must disclose the code of conduct applicable to employees, directors, and officers.

Nasdaq requirements

Nasdaq listing standards require public disclosure of a code of conduct applicable to all employees, officers, and directors. Nasdaq’s criteria for the code of conduct are consistent with the SEC’s requirements.

Hotlines

A thorough, independent, and objective process should be established by management and the audit committee for investigating complaints related to ethics and compliance. SEC regulations and the NYSE and Nasdaq listing standards require the audit committees of listed companies to establish procedures for:

  • Receiving, retaining, and addressing complaints regarding accounting, internal controls, or auditing matters, whether from internal or external sources (including those who wish to remain anonymous), as well as reports of a range of compliance matters, including violations of the code of conduct and allegations of management fraud or corruption
  • The confidential, anonymous submission of employee concerns regarding questionable accounting or auditing matters

Companies use various procedures, but the most common method of receiving tips from both inside and outside the organization is through a telephone and web-based hotline administered by an internal department or a third party. If the hotline is administered internally, operators should be trained on where to direct questions or complaints, including those related to human resources, with continuous coverage provided. An anonymous reporting option should be available. Telephone operators working in human resources, customer service, and investor relations should be prepared to answer questions on how to submit concerns and complaints regarding financial reporting.

Employees should be made aware of reporting channels and encouraged to report known or suspected violations of laws or company policy. This information can be included in the code of ethics, the employee handbook, human resources orientation, ethics training, and periodic communications. Instructions for submitting questions or complaints can be posted in company facilities and on intranet sites. The company’s public website is a natural vehicle for communicating ethics and compliance procedures to individuals outside the organization.

The audit committee should work with management to confirm that the appropriate members of management are aware of questions or complaints received from internal sources and third parties, including vendors, through the various reporting methods available. Responsibility for investigating questions or concerns and reporting back to the audit committee often falls on individuals in the ethics and compliance, internal audit, legal, or risk management departments.

The audit committee should also establish expectations with respect to the type of complaints that will be reported to the committee and how complaints will be communicated. Some complaints may warrant immediate communication, such as those involving senior management, significant reputational issues, or significant dollar amounts. In addition to these immediate reporting situations, the audit committee should receive a regular summary of complaints with root-cause analyses, their resolution, and the steps taken to enhance internal controls and avoid similar violations in the future. Reporting can include trends, such as any increase in reports on a specific topic, department, or person. The audit committee should also determine which complaints warrant a discussion with the full board.

Under the SEC’s whistleblower programs, employees with knowledge of potential securities fraud who report original information to the government or a self-regulatory organization can receive 10% to 30% of monetary sanctions if the enforcement action results in fines of at least $1 million. Whistleblowers are not required to report issues first through internal company channels; however, those who do are still eligible for the reward if the company reports the problem to the government or if the whistleblower does so within 120 days of notifying the company.

Companies with operations in different countries should be careful to comply with those countries’ laws, as they may impose requirements, restrictions, and prohibitions different from those applicable in the United States.

