The audit committee must make effective use of the internal audit function in giving assurance on risk management, governance and internal control systems.
The IIA International Standards define governance as “the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organisation toward the achievement of its objectives”.
According to the Financial Reporting Council’s (FRC’s) UK Corporate Governance Code, the purpose of corporate governance is to facilitate effective, entrepreneurial and prudent management that can deliver the long-term success of the company. Strong corporate governance relies on robust processes for reporting, risk management and internal control. According to the Code, directors should monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report.
Culture, values and ethics are increasingly important considerations in the governance of organisations. For the first time the 2014 edition of the Corporate Governance Code highlights a key role for the board in establishing culture, values and ethics, considering among other things the culture it wishes to embed, and whether this has been achieved. It is not sufficient for the board simply to set the desired values. The board also needs to ensure they are communicated by management, incentivising the desired behaviours and sanctioning inappropriate behaviour, and must assess whether the desired values and behaviours have become embedded at all levels.
In many organisations audit committees are charged with overseeing, on behalf of the board, the quality of all the above processes. Indeed the establishment of an audit committee is a requirement of the Corporate Governance Code for publicly listed companies on a comply-or-explain basis. In other organisations the board and its individual directors will retain some or all of the functions of committees of the board, such as the audit or risk committee.
The audit committee’s tasks include reviewing the company’s internal controls and, unless expressly addressed by a separate board risk committee composed of independent directors or by the board itself, reviewing the company’s governance and risk management systems. To do this, it utilises the skills and expertise of the internal audit function, agreeing the scope of its work, its priorities and resources.
It must also monitor and review the effectiveness of the organisation’s internal audit function. Where there is no internal audit function, the audit committee should consider annually whether there is a need for it and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report.
The audit committee reviews and approves internal audit’s remit, having regard to the complementary roles of the internal and external audit functions.
It ensures that internal audit is free to work independently and objectively, i.e. free from the influence of those being audited. It ensures that internal audit has the necessary resources and access to information to enable it to fulfil its mandate, and is equipped to perform in accordance with appropriate professional standards for internal auditors (IIA's Code of Ethics and the International Standards for the Professional Practice of Internal Auditing). The committee also approves the appointment or termination of appointment of the Head of Internal Audit, and its chair should play a direct role in decisions concerning the Head of Internal Audit’s appraisal and remuneration.
In its review of the work of internal audit, the audit committee:
• Ensures that the Head of Internal Audit has direct access to the board chairman and to the audit committee, and is accountable to the audit committee;
• Ensures that internal audit is appropriately tasked and resourced, and has sufficient authority and standing to carry out its tasks effectively;
• Reviews and assesses the annual internal audit work plan;
• Receives a periodic report on the results of the internal auditors’ work;
• Reviews and monitors management’s responsiveness to the internal auditor’s findings and recommendations;
• Meets with the Head of Internal Audit at least once a year without the presence of management; and
• Monitors and assesses the quality and effectiveness of internal audit, and its role in the overall context of the company’s risk management system.