Audit committee oversight responsibilities
Audit committee members have a critical role in overseeing many aspects of a company’s activities and performance. The audit committee has responsibility for overseeing financial reporting and related internal controls, risk, independent and internal auditors, and ethics and compliance.
The audit committee’s oversight responsibilities are described in rules of the Securities and Exchange Commission (SEC) and the exchanges on which a company’s shares are listed, notably the New York Stock Exchange (NYSE) and Nasdaq. Responsibilities may also fall to the audit committee indirectly resulting from requirements for independent auditors imposed by the Public Company Accounting Oversight Board (PCAOB). SEC, NYSE, Nasdaq, and PCAOB rules are highlighted throughout, where relevant. Common practices, tools, and resources to assist audit committee members in executing their responsibilities are highlighted throughout as well.
Increasingly, additional responsibilities are also falling to the audit committee, including cyber and environmental, social, and governance (ESG) reporting. According to the Audit Committee Practices Report, a survey conducted by Deloitte and the Center for Audit Quality, audit committees continue to be challenged by increased complexity in their core responsibilities as well as scope creep across other areas within their companies.
Financial reporting
The audit committee, management (including the internal auditor), and the independent auditor each have a distinct role in financial reporting. Management is responsible for preparing the financial statements, establishing and maintaining adequate internal control over financial reporting (ICFR) as well as disclosure controls and procedures (DCPs) for items disclosed in Exchange Act reports, and evaluating the effectiveness of ICFR. The independent auditor is responsible for expressing an opinion on whether the financial statements fairly present, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles (GAAP), and, when applicable, evaluating the effectiveness of ICFR. In companies that have internal auditors, they have a role in providing objective assurance while acting as advisers to management.
The audit committee is responsible for overseeing the financial reporting process. To do so effectively, committee members should be familiar with the processes and controls that management has established and determine whether they are designed and operating effectively. In carrying out its role of oversight and monitoring, including obtaining the knowledge needed to provide appropriate oversight, the committee may rely on management, the independent auditor, the internal auditor (if any), and any advisers the committee might engage, provided its reliance is reasonable.
Audit committees should understand risk areas and related internal controls. To remain vigilant in this oversight, attention can be focused on a few important areas, including:
- Complex accounting and reporting areas and how management addresses them
- Significant accounting policies, judgments, management estimates, and their impact on the financial statements
- Any prior internal control issues and how they have been resolved
- The design and components of the company’s antifraud and anticorruption compliance programs to confirm that those programs have sufficient oversight, autonomy, and resources
- The company’s strategy for managing tax risk, tax controversy, and volatility in the effective tax rate, as well as potential reputational risks associated with tax positions
- Uncertain tax positions taken by the company and their potential impact on financial reporting
- Pending financial reporting and regulatory developments, with a focus on understanding how they may affect the company
Segment reporting considerations
In November 2023, the FASB issued ASU 2023-07, which introduces improvements to the information that a public entity discloses about its reportable segments and addresses investor requests for more information about reportable segment expenses. Refer to Deloitte’s On the Radar for further considerations on this updated disclosure guidance about segment reporting.
NYSE requirements
NYSE listing standards require the audit committee to review major issues regarding accounting principles and the presentation of the financial statements.
Nasdaq requirements
The Nasdaq listing standards approach is more general, requiring the audit committee to oversee the accounting and financial reporting processes of the company and audits of the financial statements.
Review of filings and earnings releases
The audit committee generally reviews earnings releases, SEC filings containing financial information, and other financial information and earnings guidance provided to analysts, rating agencies, and others. NYSE listing standards require that the audit committee meet to discuss the company’s annual audited financial statements and quarterly financial statements with management and the independent auditor. Nasdaq requirements are similar.
The standards require the audit committee to address the committee’s responsibility to discuss earnings press releases and the financial information and guidance provided to analysts and ratings agencies. This discussion may be in general terms, and the audit committee may discuss the types of information disclosed and presentations made. The discussion should highlight pro forma or adjusted non-GAAP financial information.
SEC rules regarding the use of non-GAAP financial measures require, among other things, that disclosure of any material information containing non-GAAP financial measures must include the most directly comparable GAAP financial measures, that the GAAP measures must be disclosed with equal or greater prominence, and that GAAP and non-GAAP measures must be reconciled. The SEC scrutinizes the use of non-GAAP measures in response to concerns about their use and prominence. As a result, companies and audit committees should consider examining their use of non-GAAP measures and related controls as well as the disclosure of those measures. Deloitte’s publication A Roadmap to Non-GAAP Financial Measures provides additional information, including ways for a company to assess the appropriateness of its non-GAAP measures and control considerations.
The committee should consider how it will execute these responsibilities to satisfy itself that all information is presented fairly and transparently. This should include a focus on consistency of information, tone, and messaging across all communications.
The audit committee should confirm that an appropriate legal review has been completed to verify disclosures are reasonable, including any obligation to report on known trends and uncertainties. This review should also consider compliance with the company’s policies on forward-looking statements and the completeness of any related disclaimers.
Audit committees should also ask questions about the issues raised in SEC comment letters received by the company and management’s responses, and they should consider the nature of SEC comment letters issued to companies in similar industries.
Internal control over financial reporting
ICFR is intended to provide reasonable assurance that policies, processes, and procedures governing financial reporting help produce reliable and effective reporting and promote compliance with relevant reporting obligations. While management is responsible for designing, implementing, operating, and maintaining ICFR, the audit committee is responsible for overseeing the system of internal controls and confirming that management has an adequate and well-functioning system of controls. As part of its oversight responsibilities, the audit committee also plays an important role in promoting a culture of behavior that enables reliable and timely reporting.
Audit committees should have periodic interactions with management, the internal auditor, and the independent auditor to receive timely, accurate information regarding the functioning of internal controls. These reports should address the design and operating effectiveness of controls, ongoing monitoring activities, any failures or weaknesses in controls, root causes associated with these failures or weaknesses, and actions to remedy them. Audit committees should also understand the role of outside service providers, such as outsourced payroll, data centers, and others, that have a role in a company’s ICFR.
COSO framework
The 2013 Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a formal structure for designing and evaluating the effectiveness of internal controls. The SEC requires companies to use a “suitable framework” for management reporting on ICFR, and it says the COSO framework “satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements.” The framework emphasizes the role of the board—and, by delegation or regulation, the role of the audit committee—in overseeing internal control, which remains an essential aspect of effective governance. The framework highlights:
- The board’s role in the control environment, including clarification of expectations for integrity and ethics, conflicts of interest, adherence to codes of conduct, and other matters
- The board’s assessment of the risk that management could override internal controls and careful consideration of the possibility that management may override such controls
- The establishment and maintenance of open lines of communication between management and the board and the provision of separate lines of communication, such as whistleblower hotlines
Audit fees
This includes fees for services that normally would be provided in connection with statutory and regulatory filings or engagements, including the audit of internal control over financial reporting.
Audit-related fees
This includes fees for assurance and related services that are performed by the independent auditor.
Tax fees
This includes fees for all tax services except those related to the audit, such as the review of the tax provision, which would be included in audit fees.
All other fees
This includes all fees paid to the independent auditor for services other than audit, audit-related, or tax.
Risk
The SEC considers risk oversight a major responsibility of the board and requires disclosure of its role in this area. Disclosures include whether the entire board is involved in risk oversight, whether certain aspects are executed by individual board committees, and whether the employees responsible for risk management report directly to the board. Such disclosures inform shareholders’ understanding of the board’s process for overseeing risk.
In some instances, the audit committee may be delegated broad oversight responsibility for risk by the board. The audit committee’s primary risk oversight responsibilities are focused on the company’s financial risks, enterprise risk management (ERM), and risks related to ethics and compliance. At companies with risk committees, such as large financial institutions that are required to have such committees under the Dodd-Frank Act, the audit committee’s oversight responsibilities with respect to risk may differ.
In many companies, the audit committee’s risk oversight role has evolved to include additional responsibilities in areas such as cyber, mergers and acquisitions (M&A), and to varying degrees, ESG matters, among others.
With respect to financial risk, audit committees should understand the company’s major financial risk exposures and how management monitors and controls such exposures. The committee can also ask business leaders to periodically provide an overview of their respective businesses, focusing on financial risks and other factors that may impact the financial statements.
Enterprise risk management
The board should prioritize having a well-defined, effective risk oversight function and should clearly define which risks the full board should discuss regularly versus those that can be delegated primarily to a board committee. Boards may have a defined risk governance structure in place, which should be assessed periodically as risks shift or new risks emerge, and consideration should be given to whether committee charters should be updated to align with the defined risk governance structures. The board or the committee tasked with overseeing the enterprise risk program should periodically review the company’s top risks with an eye on which board committee and member of management is responsible for each.
NYSE listing standards indicate the audit committee must discuss guidelines and policies to govern the process by which management assesses and manages the company's exposure to risk. This includes discussing the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The standards acknowledge that many companies manage and assess their risk through mechanisms other than the audit committee and that audit committees should review these processes in a general manner.
Many companies leverage COSO’s ERM framework, which promotes a principles-based approach to ERM by helping focus a program on five interrelated components of effective control: governance and culture; strategy and objective-setting; performance; review and revision; and information, communication, and reporting.
A common practice is for management to maintain a list of all enterprise-wide risks, which are then mapped to specific board committees with the expertise to oversee them as well as the respective risk owners in management. In many instances, the full board takes direct responsibility for and regularly discusses the company’s most strategic risks, which include risks that could disrupt and materially impact the company’s business strategy. While it may be appropriate for the audit committee to review the guidelines, processes, and policies management has in place to assess and manage risk, boards should take care not to overburden the audit committee with risk oversight responsibilities.
Fraud risk
The audit committee should be satisfied that the company has programs and policies in place to deter and detect fraud. The committee should work with management to oversee the establishment of appropriate antifraud controls and programs and to take appropriate steps when fraud is detected.
The audit committee should also be satisfied that the company has implemented an appropriate ethics and compliance program and established a reporting hotline. See codes of ethics and conduct and hotlines sections for more information.
Audit committee members should be aware of three main areas of fraud risk:
- Financial statement fraud, which includes intentional misstatements in or omissions from financial statements
- Asset misappropriation, which may include check forgery, theft of money, inventory theft, payroll fraud, or theft of services
- Corruption, which may include schemes such as kickbacks, shell companies, bribes to influence decision-makers, or manipulation of contracts
The audit committee can help oversee the prevention and detection of financial statement fraud by monitoring management’s assessment of ICFR. The audit committee should also be aware of the US Foreign Corrupt Practices Act (FCPA) and other non-US anticorruption laws that may be applicable, such as the UK Bribery Act. As the SEC and Department of Justice note in the Resource Guide to the FCPA, anticorruption compliance “begins with the board of directors and senior executives setting the proper tone for the rest of the company.” To that end, the audit committee should:
- Understand the company’s obligations and responsibilities regarding anticorruption laws to which it is subject
- Determine whether the company has dedicated appropriate oversight, autonomy, and resources to its anticorruption compliance program
- Understand specific policies and procedures in place to identify and mitigate corruption-related risks
- Discuss with management corruption-related risks that have been identified, including allegations of corruption that may have been received through the company’s monitoring and reporting mechanisms, as well as management’s plans for responding to such risks
- Monitor any violations, including management’s response
Depending on a company’s size, the determination of whether the company has dedicated appropriate oversight, autonomy, and resources could include an evaluation of whether an individual is specifically charged with anticorruption compliance and has a direct reporting line to the committee.
Cyber risk
Rapid advancements in digital technology and interconnectivity have significantly escalated cyber risk, making it a high priority for management and boards at companies of all sizes and in virtually all industries. The pervasiveness of cyber risk increases concerns about financial information, internal controls, and a wide variety of risks, including reputational risks, that can result from a cyber incident. Deloitte’s Audit Committee Practices Report, which summarizes survey results from 266 audit committee members, indicates that 69% of respondents include cyber risk as a top three priority area for their audit committee in the next 12 months.
Oversight of a successful cyber risk management program requires proactive engagement with many stakeholders across the company and it is common for boards to delegate oversight of cyber risk to the audit committee, although oversight may rest with the full board or risk committee at some companies. According to the Audit Committee Practices Report, 58% of the respondents indicated that the audit committee has primary oversight of cyber risk, 25% said that the full board has oversight responsibility, and the remaining respondents said that either the risk, nominating/governance, or other committee has oversight responsibility.
In companies where the audit committee has oversight responsibility for cyber risk, the committee should obtain a clear understanding of the specific areas it is expected to oversee. In the audit committee’s capacity of overseeing financial risks and monitoring management’s policies and procedures, it may have expertise and be asked to play a strategic role in monitoring management’s preparation for and response to cyber threats, coordinating cyber risk management initiatives and policies, and confirming their efficacy. Those audit committees may take the lead in monitoring cyber threat trends, regulatory developments, and major threats to the company. Other responsibilities may include setting expectations and accountability for management, as well as evaluating the adequacy of resources, funding, and focus on cyber risk management activities.
For audit committees charged with this oversight, engaging in regular dialogue with C-suite leaders responsible for information technology and cyber can help the committee determine where attention should be focused. Audit committees may also receive regular updates from relevant technology leaders throughout the company. As seen in the Audit Committee Practices Report, most audit committees (73%) are discussing cyber risk on a quarterly basis. The audit committee chair can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding cyber and financial risk mitigation.
Although many boards may delegate primary oversight of cyber risk to the audit or another relevant committee, given the pervasive nature of cyber risks, the role of the full board in understanding this risk should be considered. At a minimum, the full board should determine the appropriate cadence for discussing the threat landscape and cyber risks affecting the company, determine whether the identified cyber risk is aligned to an agreed-upon cyber risk tolerance, and evaluate the overall performance of the cyber program.
Cyber-related regulatory requirements are evolving. In July 2023, the SEC issued a final rule that requires registrants to enhance and standardize disclosures regarding cyber risk management, strategy, governance, and incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. The final rule addresses concerns over investor access to timely and consistent information related to cyber as a result of increasing dependence on digital/electronic systems; the rise in cyber incidents driven by remote work and third-party services; and the escalating costs and consequences of these incidents, including business interruptions, ransom payments, and reputational damage.
Deloitte’s Heads Up publication discusses the SEC’s final rule in more detail. Some key requirements of the final rule are listed below:
- Material cyber incidents would need to be disclosed on Form 8-K within four business days of their being deemed material
- Annual disclosures in Form 10-K pertaining to (1) cyber risk management and strategy, (2) “management’s role in assessing and managing material risks from cyber threats,” and (3) “the board of directors’ oversight of cyber risks.”
All types of periodic SEC filers are affected by the final rule, including domestic registrants, foreign private issuers (FPIs), smaller reporting companies, and emerging growth companies.
SEC guidance includes its view on the role of the board in overseeing cyber risk. If the risk is material to a company’s business, the discussion of the board’s role in risk oversight should include the nature of its responsibilities for overseeing the management of this risk. In the guidance, the SEC says “disclosures regarding a company’s cyber risk management program and how the board of directors engages with management on cyber issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” Additionally, the SEC Division of Enforcement has been attentive to companies' adherence to the final disclosure standards. As a leading practice, audit committees should stay informed and current on trends and regulatory updates related to the final disclosure requirements.
Separate from the final SEC rule, companies are increasingly utilizing external reporting to demonstrate their established cyber practices.
For more information on cyber reporting and risk management, refer to Deloitte’s cyber risk management examination resources. This resource focuses on the AICPA’s cyber risk management attestation reporting framework, commonly referred to as SOC for Cybersecurity. Released in 2017, this reporting framework establishes a standardized reporting mechanism for providing a broad range of users with useful information about an entity’s cyber risk management program to support informed and strategic decision-making. Leveraging a unified approach for performing and reporting on an entity’s cyber risk management program and related controls could help boards and audit committees effectively execute their oversight responsibilities with respect to cyber risk.
Artificial intelligence
Artificial intelligence (AI), including Generative AI, continues to advance rapidly, and related governance processes are evolving. More companies are investing in AI initiatives and scaling AI use cases and applications throughout the enterprise. Companies should have effective oversight of their AI initiatives and governance over AI use cases and applications not only to realize value and drive outcomes but also to address business risks and emerging ethical concerns associated with AI use (e.g., concerns over bias, transparency, responsible applications).
As outlined in Deloitte’s Audit Committee Practices Report, primary oversight of AI does not typically fall to the audit committee. The audit committee should, however, understand how AI is being used (or could be used) in the company, particularly within finance. This could include opportunities to enhance or improve financial reporting processes. Relevant AI use cases and applications are expanding from automation of transactions and tasks (e.g., data population into forms) to more complex areas, such as using predictive analytics for decision making (e.g., using demand forecasting for inventory management) or creating new content (e.g., drafting memos or financial disclosures). Audit committees should also understand how risks related to relevant AI-enabled processes are identified and addressed as well as who is responsible for oversight of those risks. Additionally, audit committees should understand what is being disclosed about AI in the financial statements.
Governments and regulators around the world are considering various regulations and policies to address AI risks. Staying on top of this rapidly evolving environment will be important for companies and audit committees. Regardless of the audit committee’s role in overseeing AI, there are many facets to this topic that will likely involve the full board and other committees.
Deloitte’s responsible artificial intelligence resources highlight additional considerations.
Mergers and acquisitions
The audit committee has an important role in M&A transactions, both before a transaction in overseeing due diligence and after a transaction in integrating controls and reporting. The audit committee should also review SEC reporting with respect to acquisitions and the accounting for acquisitions in financial statements.
Due diligence
Although due diligence is largely management’s responsibility, the audit committee can provide oversight in areas such as risk analysis, internal controls, and the basic financial information on which the terms are based.
Post-merger integration
SEC rules require public companies to integrate disclosure controls as well as controls over financial reporting following a merger or acquisition.
Environmental, social, and governance
Rising focus on climate change, social justice, and shareholder activism in recent years has led to increased attention on ESG issues in corporate boardrooms. Regulation in these areas is evolving. The SEC issued a final rule in March 2024 to require public companies to include extensive climate-related disclosures in their registration statements and annual reports. Since being issued, the rule has been stayed pending the outcome of legal proceedings. If upheld as issued, these disclosures would include information about climate-related risks that are reasonably likely to have a material effect on business strategy, results of operations, or financial condition, as well as material Scope 1 and Scope 2 greenhouse gas (GHG) emissions (for certain registrants) outside of the financial statements. The stay does not reverse or change any of the final rule’s requirements, nor does it affect the SEC’s existing 2010 interpretive release on climate-change disclosures. As released, this final rule would go into effect beginning with annual reports for the year ending December 31, 2025, for calendar-year-end large accelerated filers. This issue of Heads Up outlines the requirements, which are intended to enhance and standardize climate disclosures.
Outside of the SEC rule, companies should also consider rules in other relevant jurisdictions in which they do business. Currently, the most notable rules are the European Union Corporate Sustainability Reporting Directive (CSRD) and the pair of California Senate Bills, SB-253, Climate Corporate Data Accountability Act, and SB-261, Greenhouse Gases: Climate-Related Financial Risk. The two California Senate Bills are discussed further in this issue of Heads Up. Separately, this issue of Heads Up answers commonly asked questions about the CSRD. These rules go into effect as early as the year ending December 31, 2024, for certain multinational entities.
Audit committees are increasingly engaging in the ESG agenda due to the growing reliance by investors and other stakeholders on ESG disclosures. Additionally, audit committees may have a growing role in overseeing ESG-related activities and metrics. While regulation might formalize the role of the audit committee in the ESG arena, audit committees should engage on whether appropriate internal controls and disclosure controls and procedures (DCPs) exist underlying the ESG information and metrics that companies disclose, whether the audit committee has reviewed disclosures, how management considers ESG strategies and their impact on financial statements, and whether the company is obtaining assurance on its reporting.
Audit
Oversight of the independent auditor, as well as the internal auditor at companies that have this function, is among the audit committee’s most important oversight responsibilities. Audit committees are responsible for overseeing the performance and quality of the audit as well as the independence of auditors.
Audit quality begins with the selection and oversight of the external auditor by the audit committee. A February 5, 2024, speech by Paul Munter, SEC Chief Accountant, discussed the important role the audit committee plays in prioritizing and promoting audit quality through its appointment, compensation, and oversight of the independent auditor.
Oversight of the independent auditor
Audit committees of listed companies are directly responsible for the appointment, compensation, and oversight of the independent auditor, including the resolution of any disagreements with management. The audit committee, management, the independent auditor, and the internal auditor should work together in a spirit of mutual respect and cooperation.
Audit committees are required to own the relationship with the independent auditor, focusing on qualifications, performance, independence, and compensation. Expectations should be clear regarding the nature and method of communication and the exchange of insights. An annual meeting with the independent auditor and regular dialogue beyond audit committee meetings can promote effective interaction.
The audit committee and the independent auditor typically meet at least quarterly to thoroughly discuss a wide variety of matters, including the company’s financial reporting, internal controls, and the audit, from planning to report issuance. Audit committees should proactively engage with the lead audit partner and meet periodically with specialists in areas such as tax, information technology, and others, as needed. These discussions should also include educational topics and sharing of insights beyond the audit. The audit committee can provide the independent auditor with formal evaluations and regular feedback.
The NYSE corporate governance rules require the audit committee to participate in periodic private sessions with management, independent auditors, and internal audit. Executive sessions with the independent auditor facilitate open communication and help to identify concerns. Although executive sessions are not explicitly required for Nasdaq-listed companies, it is common practice for audit committees to hold these sessions.
Auditor independence
SEC and PCAOB rules govern the independence of accountants who audit or review financial statements and prepare attestation reports filed with the SEC. The rules recognize the critical role of audit committees in financial reporting, their unique position in monitoring auditor independence, and their direct responsibility for the oversight of the independent auditor. Although most audit firms are rigorous in monitoring and enforcing these independence requirements, it is important that audit committee members be cognizant of them and understand that independence is a dual responsibility with the auditor. The SEC independence rules address the following issues related to registrants:
Auditor communications
The NYSE, Nasdaq, and PCAOB indicate communications that are required between the audit committee and the independent auditor. Many of these communications focus on the responsibility of the audit committee to oversee the independent auditor.
NYSE requirements
The audit committee is required to communicate with the independent auditor in several ways.
Nasdaq requirements
Nasdaq listing standard requires the audit committees of listed companies to obtain a formal written statement from the independent auditor describing all relationships between the auditor and the company.
PCAOB requirements
The PCAOB’s requirements encompass items the independent auditor is required to communicate to the audit committee as described in SEC Regulation S-X.
Evaluation of the independent auditor
Inherent in the audit committee’s duty to appoint, compensate, and oversee the independent auditor is an expectation that the audit committee will evaluate the auditor. The NYSE listing standards require the audit committee to review a report by the independent auditor describing its quality controls, results of investigations, and independence. After reviewing the report and the independent auditor’s work throughout the year, the audit committee is expected to be in a position to evaluate the auditor’s qualifications, performance, and independence. The evaluation is expected to include a review and evaluation of the lead partner of the independent auditor, considering the opinions of management and the company’s internal auditor or other personnel responsible for the internal audit function.
Evaluation factors
Practices for evaluating the independent auditor range from highly formalized processes with extensive documentation to more informal assessments. Factors the audit committee may consider in developing the evaluation process include:
Frequency and timing of the evaluation
Many audit committees perform the evaluation annually, immediately following the issuance of the Form 10-K and in conjunction with their decision to reappoint the independent auditor.
Parties involved in the assessment
The SEC does not explicitly require the audit committee to formally evaluate the independent auditor.
Form and nature of the assessment
Some independent auditors provide assessment questionnaires for evaluating client service.
Assessment criteria
The criteria for evaluating the independent auditor vary. Audit committees may consider characteristics of the audit firm and the engagement team.
The Center for Audit Quality has issued an External Auditor Assessment Tool for audit committees. The tool can be used by audit committees to inform their evaluation of the independent auditor.
Audit innovation
With advances in technology, many auditors are turning to innovation to enhance quality and add value to the audit. In understanding how the independent auditor is innovating, the audit committee may consider several issues, including how the independent auditor is leveraging innovation to enhance audit execution, what investments the independent auditor is making in audit innovation, and how those investments translate to enhanced audit quality and value for the company. Audit committees can ask auditors to explain what insights auditors are able to provide about the company and its financial and internal controls processes through the use of new technologies, including audit analytics.
Oversight of internal auditors
Most public companies have an internal audit function, whether in-house, co-sourced, or outsourced. An internal audit function is not required by the SEC or Nasdaq, but it is required by NYSE listing standards. Whether a company staffs its own internal audit function or outsources it to a third party, audit committees are responsible for providing effective oversight.
NYSE requirements
NYSE listing standards require companies to have an internal audit function. Audit committees are required to oversee the internal audit function and to note this responsibility in their charters.
Nasdaq requirements
Although Nasdaq companies are not required to have an internal audit function, for those that do, oversight of internal audit is often one component of overseeing accounting and financial reporting. The Nasdaq listing standards approach is more general, requiring the audit committee to oversee the accounting and financial reporting processes of the company and audits of the financial statements.
Expectations of internal audit functions have evolved dramatically over time, with internal audit often asked to offer an advisory perspective. The expectations for internal audit functions vary by company but may include:
- Objectively evaluating whether risks relating to the achievement of the company’s strategic objectives are appropriately identified and managed
- Monitoring and reporting on the health of the company’s controls covering financial, operational, regulatory, reputational, technological, and governance risk, including offering guidance regarding the internal/compliance controls aligned with these risk areas
- Evaluating whether results of operations or programs are consistent with established goals and objectives and acting as a catalyst for positive change in processes and controls
- Providing insight in the areas of controls and risk management to assist in the audit committee’s assessment of the efficacy of programs and procedures
- Coordinating activities and sharing perspectives with the independent auditor
An effective relationship between the audit committee and internal auditors is fundamental to the success of the internal audit function. Internal audit should have direct access to the audit committee, optimally with the chief audit executive (CAE) reporting directly to the audit committee and administratively to senior management. In this reporting structure, internal auditors can remain structurally separate from management, enhancing independence and objectivity. This also encourages the free flow of communication on issues and promotes direct feedback from the audit committee on the performance of the CAE and the function. To support this relationship, the audit committee should consider the following:
- Confirm that internal auditors have appropriate independence and stature, and that senior management promotes recognition of that stature throughout the company.
- Support the CAE, providing guidance and assistance when the CAE reports potential management lapses. The function’s overall authority, role, responsibilities, scope, reporting lines, and quality program should be defined and documented in the internal audit charter and approved by the audit committee.
- Maintain a strong relationship with the CAE characterized by regular, direct, and open communication.
- Challenge the CAE and the internal audit department by setting high expectations (i.e., performance objectives), communicating those expectations clearly, and holding the department accountable for meeting them. Holding regular executive sessions with the CAE is common, and it is required for NYSE-listed companies.
- Participate in discussing internal audit strategy and goals and evaluating the performance of the function and the CAE.
These responsibilities should not be delegated solely to the CEO or CFO.
It is important for the audit committee to assess whether internal audit’s priorities, such as monitoring critical controls and developing an audit plan focused on risks identified in the ERM program, are aligned with those of the audit committee. At some companies, internal audit evaluates and considers suggestions to improve operations and processes. The audit committee should play a role in helping determine the balance between compliance and operational audits, as appropriate.
The audit committee should provide input and review the internal audit strategy for alignment with the company’s strategic objectives. At least annually, the audit committee should understand and approve the internal audit plan and determine if the CAE has sufficient budget and related resources (talent and technological) to execute against it. As part of this review, the committee should evaluate the enterprise-wide ERM program, the level of coordination and collaboration between the two programs, and the alignment of risks with the internal audit plan. The audit committee should also evaluate the progress and results of the internal audit plan against the original plan, how it adapts to changes in risk, the extent to which the plan benefits from emerging technology, and the mix of assurance and advisory engagements.
The audit committee should perform annual evaluations of the CAE and understand internal audit staffing, funding, succession planning, and adequacy of resources. In determining adequacy of resources, audit committees often consider the structure (i.e., whether the group is in-house, co-sourced, or outsourced), and whether the CAE and staff are adequately compensated. The committee can consider performing peer benchmarking of the company’s internal audit function to compare relevant metrics.
For internal audit functions following the Global Internal Audit Standards™ issued by the Institute of Internal Auditors (effective January 2025), the audit committee should be familiar with the Essential Conditions defined in those standards, which outline the activities of the audit committee (and senior management) identified as “essential” to the internal audit function’s ability to fulfill its intended purpose and be effective. These Essential Conditions can support an effective dialogue between the CAE, the audit committee, and senior management.
Ethics and compliance
The audit committee can promote a strong focus on tone at the top, maintaining a positive culture, and adherence to the company’s code of ethics, thus promoting a culture of compliance. The committee should meet periodically in executive sessions with those responsible for overseeing ethics and compliance matters and work with management to confirm that the company’s code of ethics or conduct complies with the applicable requirements. Companies may update the code in response to new issues or situations. Legal counsel should be consulted on modifications to the code.
Communication and training are critical to fostering an ethical culture. The code should be available to everyone in the company, perhaps through inclusion on the company’s intranet site and in the employee orientation program and manual. Some companies require individuals, including directors, to sign an annual certification noting that they have read, understood, and complied with the code. If an employee refuses to sign the certification, committees should encourage companies to take prompt and appropriate disciplinary action, up to and including termination. Communication of disciplinary actions taken in response to code violations is a common way of communicating to employees that violations are taken seriously.
As part of its oversight of ethics and compliance, the committee should also pay close attention to the risk of management override of controls as well as risk mitigation mechanisms. In addition, the committee can prioritize initiating internal or independent investigations on matters within the committee’s scope of responsibility.
Codes of ethics and conduct
The SEC, NYSE, and Nasdaq require companies to have a code of ethics or a code of conduct. Each code of conduct must provide for prompt and consistent enforcement, protection for individuals who make good faith reports of questionable behavior, clear and objective standards for compliance, and a fair process for addressing violations. Both the NYSE and Nasdaq listing standards permit companies to have more than one code of conduct as long as all directors, officers, and employees are covered by a code. For example, some companies have developed a separate code for directors, whose roles and responsibilities differ from those of officers and other employees.
SEC requirements
The SEC requires registrants to disclose whether they have written codes of ethics that apply to their principal executive officers, principal financial officers, principal accounting officers or controllers, or individuals performing similar functions.
NYSE requirements
NYSE listing standards require a code of conduct that covers not only senior financial officers but all employees. The websites of NYSE-listed companies must disclose the code of conduct applicable to employees, directors, and officers.
Nasdaq requirements
Nasdaq listing standards require public disclosure of a code of conduct applicable to all employees, officers, and directors. Nasdaq’s criteria for the code of conduct are consistent with the SEC’s requirements.
Hotlines
A thorough, independent, and objective process should be established by management and the audit committee for investigating complaints related to ethics and compliance. SEC regulations and the NYSE and Nasdaq listing standards require the audit committees of listed companies to establish procedures for:
- Receiving, retaining, and addressing complaints regarding accounting, internal controls, or auditing matters, whether from internal or external sources who wish to remain anonymous, as well as reporting a range of compliance matters, including violations of the code of conduct and allegations of management fraud or corruption
- The confidential, anonymous submission of employee concerns regarding questionable accounting or auditing matters
Companies use various procedures, but the most common method of receiving tips from both inside and outside the company is through a telephone and web-based hotline administered by an internal department or a third party. If the hotline is administered internally, operators should be trained on where to direct questions or complaints, including those related to human resources, with continuous coverage provided. An anonymous reporting option should be available. Telephone operators working in human resources, customer service, and investor relations should be prepared to answer questions on how to submit concerns and complaints regarding financial reporting.
Employees should be made aware of reporting channels and encouraged to report known or suspected violations of laws or company policy. This information can be included in the code of ethics, the employee handbook, human resources orientation, ethics training, and periodic communications. Instructions for submitting questions or complaints can be posted in company facilities and on intranet sites. The company’s public website is a natural vehicle for communicating ethics and compliance procedures to individuals outside the company.
The audit committee should work with management to confirm that the appropriate members of management are aware of questions or complaints received from internal sources and third parties, including vendors, through the various reporting methods available. Responsibility for investigating questions or concerns and reporting back to the audit committee often falls on individuals in the ethics and compliance, internal audit, legal, or risk management departments.
The audit committee should also establish expectations with respect to the type of complaints that will be reported to the committee and how complaints will be communicated. Some complaints may warrant immediate communication, such as those involving senior management, significant reputational issues, or significant dollar amounts. In addition to these immediate reporting situations, the audit committee should receive a regular summary of complaints with root-cause analyses, their resolution, and the steps taken to enhance internal controls and avoid similar violations in the future. Reporting can include trends, such as any increase in reports on a specific topic, department, or person. The audit committee should also determine which complaints warrant a discussion with the full board.
Under the SEC’s whistleblower programs, employees with knowledge of potential securities fraud who report original information to the government or a self-regulatory organization can receive 10% to 30% of monetary sanctions if the enforcement action results in fines of at least $1 million. Whistleblowers are not required to report issues first through internal company channels; however, those who do are still eligible for the reward if the company reports the problem to the government or if the whistleblower does so within 120 days of notifying the company.
Companies with operations in different countries should be careful to comply with those countries’ laws, as they may impose requirements, restrictions, and prohibitions different from those applicable in the United States.