Transcription
Audit Committeeeffectiveness2020 Framework
Audit Committee effectivenessIntroductory letterDear Audit Committee Member,Given how rapidly expectations of the audit committee are changing, there is one question every audit committee memberwants to know – are we covering the ground well? We are often asked for an independent view of how the audit committee isperforming, and to help with this we drew up our Audit Committee effectiveness framework, which we first published in 2015.It is striking just how far the audit committee’s agenda has grown in the five years since.The work of the audit committee has never been more important: investors, other stakeholders and regulators demand evermore informative and reliable reporting, not just of the results and financial position, but of strategy, resilience, long termvalue creation, of values, of a company’s role in climate change, not to mention the community and the whole public interestagenda. The audit committee plays a prominent role in establishing and maintaining “deserved confidence” in a company,with specific independent endorsement by auditors in certain areas.The implementation of many of the recommendations put forward in the Competition and Markets Authority (CMA), Kingmanand Brydon reviews to enhance corporate reporting and audit in the UK will impact the audit committee considerably. TheBrydon review draws out the public interest aspects of reporting and audit, proposing new statements in which the auditcommittee will have a particular interest: a Public Interest Statement and a Resilience Statement. Brydon also proposesthat a company should consult with shareholders on its articulation and management of risks and on the company’s Auditand Assurance Policy1. Both Kingman and Brydon supported the introduction of a more formal internal control regime forthe largest UK listed companies, and consultations on the implementation of these are expected in the UK during 2021.Furthermore, the Financial Reporting Council’s (FRC) future oversight of company reporting will include the whole of theannual report from 2021 and it is likely that the FRC’s supervision powers will cover all directors even where they are not anaccountant. Dialogue within and supervision of the reporting ecosystem is at last recognising where the responsibilities lie.To assist with the annual Code requirement to review the effectiveness of your audit committee, committee members willwant to keep current with the range of new calls on their time and attention. Given how much the landscape has alreadychanged for audit committees, we decided to update this effectiveness framework for current expectations, even thoughmore changes will emanate from the 2021 consultations on corporate reporting and audit reform. Indeed, the FRC isitself suggesting the need to develop a set of minimum standard expectations for the audit committee. In this edition, welabel clearly what is “direction of travel” and what is new “in issue“ materials since the last edition: the 2018 UK CorporateGovernance Code; the new Internal Audit Code of Practice; the FRC’s revised Ethical Standard 2019; updated standardson auditing; and the Financial Conduct Authority’s (FCA) consultation on mandatory climate-related disclosures. These inthemselves represent more ground to cover for most audit committees – reinforcing that even the best committees requirethe support of a well informed and well organised secretary.We trust you will find this framework helpful, and we would be very interested to hear your feedback. If you believe yourevaluation could benefit from professional external facilitation, you know where to find us.Finally, don’t forget that you and your colleagues can join us at the Deloitte Academy where we host live updates to air currentissues and enable you to swap notes with your peers.Yours faithfully,William ToucheVice Chair1 Deloitte’s publication Developing your company’s Audit and Assurance Policy is a helpful resource in this area, and includes a framework for developing and reviewing internal controls over financial reporting.2
Audit Committee effectivenessContentsAbout this frameworkHow to use this frameworkSetting up for successAEstablishment, membership and appointmentBThe audit committee chairCSkills, experience, training and mindsetDMeetings of the committeeESupport and resourcesFRelationship with the boardGEstablishing an audit and assurance policyThe audit committee agendaHOversight of accounting judgements, business and financial reporting and other company announcementsIRisk managementJInternal controlsKCulture, values, whistleblowing, fraud and investigationsLOversight of internal auditMOversight of the external audit processNGoing concern and longer term viability3
Audit Committee effectivenessContentsExternal communicationOThe audit committee’s communication with shareholdersDeep divesPThe public interest: consideration of wider stakeholdersQClimateRCyber riskSData privacyFinalising your self-assessmentGlossaryContactsThe Deloitte Academy4
Audit Committee effectivenessAbout this frameworkThis practical self assessment guide covers all aspects of the audit committee’s remit for companies outside the financialsector. Regulatory requirements are drawn from the UK Corporate Governance Code, the FRC’s Guidance on AuditCommittees, the FRC’s Guidance on Risk Management, Internal Control and Related Financial and Business Reporting, theFRC’s revised Ethical Standard 2019 and the CMA’s final order. It also includes new materials: the new Internal Audit Code ofPractice, and the FCA’s consultation on mandatory climate-related disclosures aligned to the Financial Stability Board’s TaskForce on Climate-related Financial Disclosures (TCFD).As well as covering all the mandated areas, we have added some key considerations around narrative reporting, particularlyrelevant in the current volatile economic environment. We also reflect in this framework areas where we expect the auditcommittee to have an increasing role in future and have incorporated questions on climate change, on audit and assurancepolicies and on wider stakeholders. To be clear, however, the framework does not anticipate the results of any futureconsultations on changes to the board or audit committee remit, auditor responsibilities or corporate reporting, but doestake into account areas where expansion of role can be expected.As in previous editions, we have included a number of qualitative considerations in the form of ‘good practice statements’which help to differentiate an effective audit committee from one which is just ticking the boxes.5
Audit Committee effectivenessHow to use this frameworkInevitably perhaps, reflecting the complexities of modern business life, this is a long framework. Audit committees will notwant or need to answer all of the questions on an annual basis. Instead, we recommend covering the different sections ona rotation basis. The framework is structured to allow you to focus on the requirements of the Code or other regulationand then decide which areas of the audit committee’s structure and remit merit a deeper dive into guidance and qualitativeconsiderations.To facilitate that decision, each section is broken down into three parts: Requirements – these come directly from law, the UK Corporate Governance Code or requirements with similarimportance – we would expect these to be assessed annually, to assess compliance. Guidance – it is also advisable to follow the guidance, which is usually issued by the FRC, the Chartered Institute ofInternal Auditors (IIA) or similar bodies. Qualitative considerations – these are suggested best practice considerations developed by our specialists to identifyareas where audit committees can recognise their own leading practices and incorporate those used by other leadingaudit committees.Some audit committees may wish to add one or more of the “deep dive” sections – covering stakeholders, climate, cyber anddata security – to assess their existing span of activities.For each statement, respondents should decide whether this is an area for further focus, an area where the committee isperforming as expected, or a special strength. This can be typed or written next to the statement, allowing responses tobe retained and compared for discussion. The section Finalising your self- assessment can then be used to summarise thescores you have given and your key observations.6
Audit Committee effectivenessSetting up for success7
Audit Committee effectivenessA. Establishment, membership and appointmentWhile all board directors have a duty to act in the interests of the company the audit committee has a particular role, actingindependently from the executive, to ensure that the interests of shareholders are properly protected in relation to financial reportingand the risk management and internal control over that reporting.Appointments to the audit committee should be made by the board on the recommendation of the nomination committee, inconsultation with the audit committee chair.In considering the composition of the audit committee, the nominations committee and board should consider the range of skills,experience, knowledge and professional qualifications of current and proposed committee members. There are some limitedrequirements under the Code and the need for a degree of financial literacy among the other members will vary according to thenature of the company. However, experience of corporate financial matters will normally be required.Formal requirements in this area are driven by the Code, the Disclosure & Transparency Rules (DTR) and the Guidance.RequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Code provisionA1The audit committee has at least three, or in the case of smaller companies two, members (24).A2The audit committee members are all independent under provision B.1.1 of the Code (24).A3At least one member of the audit committee has recent and relevant financial experience (24). N.B. The Disclosure &Transparency Rules (DTR) require that at least one member must have competence in accounting or auditing, or both (DTR7.1.1A); and this requirement may be satisfied by the same member or by different members (DTR 7.1.2).A4The audit committee as a whole has competence relevant to the sector in which the company operates (24).Rating1,2 or 3Guidance on audit committeesA5Appointments to the audit committee are made by the board on the recommendation of the nomination committee,in consultation with the audit committee chair (13).A6The level of remuneration paid to members of the audit committee takes into account the level of fees paid to othermembers of the board. The remuneration of the audit committee chair reflects the heavier responsibilities and timedemands of this role (28).Rating1,2 or 3Guidance on board effectivenessA7The chair should ensure that committee membership is periodically refreshed and that individual independent nonexecutive directors are not over-burdened when deciding the chairs and membership of committees (63).Rating1,2 or 3Qualitative considerationsA8The audit committee is sufficiently diverse to avoid the risk of “groupthink”.A9There is a clear succession plan in place for future membership of the audit committee, allowing the nomination committeeadequate time to consider appropriate replacements.Total of ratingsComments:8
Audit Committee effectivenessB. The audit committee chairThe audit committee chair sets the tone for and leads the audit committee. For this the chair will develop a deep understanding of thecompany and its industry, the regulatory context and technical accounting and reporting issues. Chairing the committee will involveleading discussions with (and challenge of) members of the executive, the internal auditor and the external auditor.The chair should communicate clearly with the board, seek views from committee members, and be proactive about engagement withshareholders at the annual general meeting and other occasions.There are no specific requirements in relation to the role of the audit committee chair. The assessment in this area is driven by theFRC’s Guidance on audit committees and some qualitative considerations.RequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Guidance on audit committeesB1The audit committee chair keeps in touch on a continuing basis with the key people involved in the company’s governance,including the board chair, the chief executive, the finance director, the external audit lead partner and the head of internalaudit (22).Rating1,2 or 3Qualitative considerationsB2The committee chair is demonstrably committed to the integrity of all aspects of corporate reporting (both in the annualreport and on the company website), internal control, risk management and audit quality.B3The audit committee chair inspires confidence. The audit committee members value the chair’s opinion and believe thatthe chair demonstrates clear leadership of the committee and acts as a driving force within the committee to ensure allaudit committee members are contributing effectively.B4The audit committee chair brings an independent perspective and challenge when it comes to management, theinternal auditor and the external auditor.B5The audit committee chair performs their role with enthusiasm, acts as a catalyst for change and brings ideas andinsights to help the organisation to be more successful.B6The audit committee chair has the confidence of shareholders and is proactive about seeking meetings withshareholders to seek input about significant matters within the remit of the committee.Total of ratingsComments:9
Audit Committee effectivenessC. Skills, experience, training and mindsetAudit committee members should bring expertise and experience to the role, which may include recent and relevant financialexperience. Each committee member should have sufficient financial and risk management literacy to be able to identify and raise anyconcerns about internal controls, accounting judgements and reporting obligations. Additional skills in areas that are relevant to thecompany’s industry sector or particular risk profile are valuable.Structured ongoing training should be provided for the committee as a whole and for each member as required. Internal or externalexperts are often invited to offer training on specialist areas within the remit of the audit committee that are current regulatory orgovernance areas of focus.There are no specific requirements in relation to skills, experience, training and mindset for the audit committee, other than thosealready laid out in Section A. The assessment in this area is driven by the FRC’s Guidance on audit committees and some tative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Guidance on audit committeesC1The committee members bring an independent mindset to their role (14).C2Members have a degree of financial literacy and experience of corporate financial matters (15).C3An induction programme is provided for new audit committee members, covering the role of the audit committee, its termsof reference, expected time commitment and an overview of the company’s business model and strategy, identifying themain business and financial dynamics and risks. It could also include meeting some ofthe company staff (16).C4Training is provided on an ongoing and timely basis and includes an understanding of the principles of anddevelopments in corporate reporting and regulation (17).Rating1,2 or 3Qualitative considerationsThe ongoing training requirements of committee members are agreed at the start of each year according to their specificneeds and current industry context. Topics should be determined for training deep dives such as: Changing technology/digital landscapeC5 Incorporation of automation and AI into operations Emerging business model risks such as developments in international trade agreements, climate change, response topandemics Supply chain resilience – including understanding of both outsourced and insourced partnersNB This understanding should be sufficient to identify related risks and opportunities and determine areas where any furtherassurance may be required.C6Each committee member, as should all board members, bears in mind and promotes discussion of the directors’ dutiesunder s172, ensuring consideration of long term consequences of decisions, the interests of stakeholders, communitiesand the environment, company reputation and the need to act fairly between shareholders.Total of ratingsComments:10
Audit Committee effectivenessD. Meetings of the committeeThe committee should meet as many times as it considers necessary to meet its responsibilities under its terms of reference. Currently,audit committees outside financial services are meeting 4-5 times per year. Meetings are usually aligned to the financial reporting andexternal audit cycle.Where the audit committee also acts as a risk committee, further meetings may be required to ensure that adequate focus can begiven to risk management and internal controls as well as the financial reporting cycle.There are no specific requirements in relation to meetings of the committee. The assessment in this area is driven by the FRC’sGuidance on audit committees and some qualitative considerations.RequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Guidance on audit committeesD1The number of audit committee meetings is sufficient to meet the audit committee’s role and responsibilities, is not fewerthan three per year and the meetings are held to coincide with key dates within the financial reporting and audit cycle. Forexample, when the audit plans (internal and external) are available for review and when interim statements, preliminaryannouncements and the full annual report are near completion (18).D2No one other than the audit committee chair and members receive automatic invitations to a meeting of the auditcommittee. The external audit partner, the finance director and head of internal audit are invited to attend on a regularbasis (20).D3There is sufficient time between audit committee meetings and main board meetings to allow any work arising from theaudit committee meeting to be carried out and reported to the board as appropriate (19).D4At least once a year the audit committee meets the external and internal auditors without managementpresent (21).Rating1,2 or 3Qualitative considerationsD5The committee’s agenda is set in a timely manner and circulated well in advance of meetings to all members and otherinvited attendees with appropriate supporting papers.D6There is a clear plan for the year to ensure that all matters falling within the remit of the audit committee are covered overthe year.D7Items on the agenda are set with consideration of regulatory requirements, the company’s reporting timetable andafter considering key issues identified by management, the chief risk officer, the director of internal audit and theexternal auditors; and, where applicable, the input sought from stakeholders such as shareholders or employees.D8The agenda gives appropriate focus on the most important issues, key judgements, and risk areas, ensuring that thecommittee’s focus is spent on the most critical areas.D9The meeting cycle allows time for “deep dives” in areas of particular complexity or interest, and for proper auditcommittee review of investigations.D10Meetings of the committee are of an appropriate length and ensure that all key agenda items are well considered,and allow each member the opportunity to raise any queries or areas for discussion.Total of ratingsComments:11
Audit Committee effectivenessE. Support and resourcesThe audit committee should be able to rely on the company secretary in managing agendas and papers and for practical assistanceand support. However, it is for the audit committee to determine what other resources it requires to properly fulfil its remit. This couldinclude access to external legal or other professional advice in specialist areas.There are no specific requirements in relation to support and resources. The assessment in this area is driven by the FRC’s Guidanceon audit committees and some qualitative considerations.RequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Guidance on audit committeesE1The audit committee is provided with sufficient resources to undertake its duties (23).E2The audit committee has access to the services of the company secretariat on all audit committee matters including:assisting the chair in planning the audit committee’s work, drawing up meeting agendas, taking minutes, drafting of materialabout its activities for the annual report, collection and distribution of information and provision of any necessary practicalsupport (24).E3The company secretary ensures that the audit committee receives information and papers in a timely manner to enable fulland proper consideration to be given to the issues (25).E4The board makes funds available to the audit committee to enable it to take independent legal, accounting or otheradvice when the audit committee reasonably believes it necessary to do so (26).Rating1,2 or 3Qualitative considerationsE5The audit committee assesses its confidence in the quality of the management information provided to it - from the financefunction covering accounting and tax issues and judgements and, from other parts of the company, covering ethical andconduct matters, workforce information and compliance with laws and regulations. Where necessary the committee plansfor additional assurance (see section G).Total of ratingsComments:12
Audit Committee effectivenessF. Relationship with the boardThe audit committee should report back to the board on a regular basis, usually as a standing board agenda item delivered by the chairof the audit committee. All board members of course have access to committee papers and may request to attend as an observer atthe audit committee.The chair of the board and respective committee chairs, should work with the executive to ensure there is clarity between the rolesand remit of the audit committee and other committees, such as the risk committee, the sustainability committee or the disclosurecommittee.There are no specific requirements in relation to the relationship with the board. The assessment in this area is driven by the FRC’sGuidance on audit committees and Guidance on board effectiveness, with some qualitative considerations.RequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Guidance on audit committeesF1The main role and responsibilities of the audit committee are set out in written terms of reference tailored to the particularcircumstances of the company (10).F2The audit committee and board reviews the effectiveness of the audit committee on an annual basis (11).F3Disagreements between the audit committee and the board are given adequate time for discussion. The auditcommittee has the right to report unresolved issues to shareholders as part of the report on its activities in theannual report (30).F4The audit committee discusses what information and assurance it requires in order to properly carry out its roleto review, monitor and provide assurance or recommendations to the board and, where there are gaps, how theseshould be addressed. The audit committee satisfies itself that these sources of assurance and information aresufficient and objective (31).Rating1,2 or 3Guidance on board effectivenessF5The chair should ensure that sufficient time is allowed at the board for committees to report on the nature and content ofdiscussion, on recommendations, and on actions to be taken (62).F6The minutes of committee meetings should be circulated to all board members and the company secretary, unless,exceptionally, it would be inappropriate to do so (65).F7The remit of each committee, and the processes of interaction between committees and between each committeeand the board, should be reviewed regularly, for example, during the board evaluation (65).Rating1,2 or 3Qualitative considerationsF8The audit committee has time allotted annually to review the terms of refervence, to ensure they remain current and in linewith expectations and industry peers.F9The audit committee and board have established clear criteria for assessing the effectiveness of the audit committee toinform their annual assessment of board and audit committee effectiveness.Total of ratingsComments:13
Audit Committee effectivenessG. Establishing an audit and assurance policyWhilst the terms of reference of the committee establishes its overall remit, the audit committee should document its scope, activitiesand approach in a further level of detail to inject greater clarity around the role of the audit committee.To assist with this, and to encourage stakeholder alignment, in his report published in December 2019, Sir Donald Brydon introducedthe concept that companies should establish and publish an “Audit and Assurance Policy”. This would make clearer the extent of allassurance, addressing the “audit universe” of internal and external audit as well as additional assurance activity often undertakenby specialists, over areas such as cyber risk or climate impacts. It would also indicate the relationship to risks identified by the auditcommittee as part of its remit to understand principal and emerging risks and the related controls.Although currently there is no requirement for an audit committee to establish such a policy, it seems clear that this is a sensiblecodification of audit committee assurance considerations and therefore all audit committees should be encouraged to develop one,whether they choose to publish it or not. Brydon proposes that the policy should be published on a three year “rolling” basis to beapproved annually at the AGM. According to Brydon, this would provide an opportunity for audit committees to show how they areassuring the integrity of reporting and handling of risk, whether required to do so by law or not. The rolling nature of the policy wouldmake it simple to reflect changes in circumstances and to evidence learning.The policy would include an assurance budget split between external audit, internal audit and other forms of assurance. It would also: Explain the process of appointing auditors, the work demanded of them and the fees basis for audit work; Provide a framework for decisions about materiality; Explain how seeking assurance relates to the principal and emerging risks identified by the directors; Indicate how shareholders should interpret the resulting audit reports; Explain the approach taken to compiling the Resilience Statement (see section N) and the extent of assurance on this; and Explain the approach taken to obtaining and reporting on assurance around internal controls, both in relation to the financialreporting and operational controls; and Explain the approach taken to obtaining and reporting on assurance around other elements of the annual report.Where there is a separate risk committee, audit committees may wish to skip or answer “not applicable” to some of these questions.RequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthQualitative considerationsG1The audit committee considers the principal and emerging risks to the business and both its financial reporting andoperational controls, and identifies any areas where additional audit or assurance coverage would be of benefit, forinstance corporate culture, alternative performance measures, key performance indicators. The committee establishes apolicy regarding which of these areas should be covered by internal or external auditors or other providers of assuranceand how frequently that should happen.G2The audit committee determines its framework for decisions about materiality and is able to articulate this tostakeholdersThe audit committee considers whether any form of assurance should be obtained over specific information conveyed inthe annual report by the directors, in particular: The confirmation that information in the strategic report is “fair, balanced and understandable” and that it containssufficient information to understand the position, performance, strategy and business model of the company.G3 The disclosures in the front half of the annual report regarding corporate purpose, whether it is clearly articulatedand linked to the company’s strategy and values, and the explanation of how purpose, strategy and values alignwith the company’s culture. The s172(1) statement, explanations of engagement with stakeholders and input obtained. Key performance indicators, especially where KPIs and other metrics are of interest to investors.14Rating1,2 or 3
Audit Committee effectivenessG. Establishing an audit and assurance policyRequirementsGuidanceQualitative considerations1 Area for focus2 Performing as expected3 Special strengthRating1,2 or 3Qualitative considerationsG4The audit committee assesses whether there are significant corporate events or activities planned where assurance wouldprovide benefits – such as changes in systems or control environment, new accounting judgements, acquisitions, newbusinesses being launched, outsourcing, planned divestments.The audit committee has considered the level of assurance over other information published by the company,such as: Interim financial statementsG5 Updates to the market Presentations to analysts Information provided to regulators Other information, such as Gender and Ethnicity Pay Gap, Prompt Payment pract
3 Audit Committee effectiveness Contents About this framework How to use this framework The audit committee agenda Setting up for success A Establishment, membership and appointment B The audit committee chair C Skills, experience, training and mindset D Meetings of the committee E Support and resources F Relationship
