10 Important Roles of the Audit Committee in Internal Audit
Although the exact nature, charter, scope and reporting lines of internal audit may vary between companies, the audit committee plays a key role in supporting and overseeing aspects of an internal audit function’s activities. While needing to ensure that it does not assume day-to-day oversight activities on behalf of management or the internal audit function, the audit committee should generally be involved in the following matters:
- Provide input and approve the written charter for the internal audit function, including periodic review and updating.
- Understand, discuss and approve the company’s risk assessment and internal audit plan results. As appropriate, review, discuss and approve changes to the audit plan during the year.
- At least annually, evaluate the internal audit function in relation to meeting the needs of the company and the audit committee, including compliance with its written charter.
- Hold executive sessions with the company’s chief audit executive.
- Provide input and direction to the appropriate escalation protocols for significant findings and issues.
- Review, discuss and approve the compensation of the CAE, any changes therein and the hiring or termination of the CAE.
- Understand, discuss and approve the funding level for the internal audit function, and discuss its appropriateness and adequacy with management and the CAE.
- Review ongoing activities of the internal audit function, including its reports, and inquire as to any other matters that should be brought to the committee’s attention.
- Direct the internal audit function, as necessary, to perform special reviews on behalf of management or the audit committee, including investigations of fraud or suspected fraud.
- Participate with internal audit to design and provide control, governance and ethics training to employees.
While the above listing is not intended to be all-inclusive, it provides reasonable overall guidance. Each audit committee should discuss, along with input from management, the role it should play in connection with the company’s internal audit function. Of course, the requirements of all related regulations and stock exchange listing standards related to audit committees should be followed.
What should internal audit report to the audit committee?
The appropriate reporting by internal audit will vary considerably from company to company based on several factors, including the charter and scope of the function, frequency and length of audit committee meetings, amount of material provided, and communications between meetings, as well as actual issues arising at the company.
However, as a guide, it might be logical to expect the following information to be reported to the audit committee by internal audit (assuming that meetings are conducted quarterly):
- Activities and audits completed during the last quarter.
- A presentation and discussion of key findings from audits recently completed.
- The status of past audit recommendations requiring resolution.
- Planned activities for next quarter.
- Any reported instances of fraud and internal audit’s role in investigating such fraud.
- In highly regulated environments, the results of recently completed audits by outside regulatory agencies.
- Depending on the role and scope of internal audit, a status report on calls received from the company’s hotline developed in connection with Section 301 of Sarbanes-Oxley.
- As appropriate, reports related to assistance provided by internal audit in connection with other areas of Sarbanes-Oxley, such as Sections 302 and 404 compliance efforts.
- An update on any new risks, issues or matters facing the company that internal audit feels should be addressed, and whether the current internal audit plan should be modified to take into consideration these new risks, issues and matters.
- Other matters specifically requested of management or the audit committee.
Every audit committee meeting presents an opportunity for internal audit to assist in educating the committee on timely issues and current matters. As an example, it might be appropriate for internal audit’s presentation to include educational materials, articles and white papers for later reading by both management and the audit committee.
Internal audit adds considerable value in reporting its findings, observations and viewpoints to management as well as to the audit committee. Though many times management is present at audit committee meetings, there should be more frequent, in-depth and informal communications between internal audit and company management. Internal audit should not be viewed solely as an instrument for the audit committee. In management’s ongoing efforts to meet objectives related to risk management, controls and corporate governance, it should be working closely with internal audit.
You can read more on the audit committee’s role with internal audit in Protiviti’s Guide to Internal Audit and explore these tools on KnowledgeLeader: