Audit Committee Handbook

ABC COMPANY

AUDIT COMMITTEE HANDBOOK


Table of Contents

Introduction

Good practice principles for Audit Committees

Role of the Audit Committee

Terms of Reference

Membership, Independence, Objectivity and Understanding

Independence

Relationship with the Executive

Conflicts of Interest

Terms of Appointment

Skills

Additional Skills

Training and Development

Scope of work

Overall Assurance

Internal and External Audit

Financial Reporting

Communication

Co-ordination between the Audit Committee and the Board of Directors

Annual Reports

Bilateral Communications

Appendix A. Model Audit Committee Charter

Appendix B. The Role of the Chairperson

Appendix C. Committee Support

Appendix D. Model Letter of Appointment to the Audit Committee

Audit Committee Handbook Page 2


Appendix E. Model of Work Programme

Appendix F. Fraud and the Responsibilities of the Audit Committee

Appendix G. Internal Control: A Tool for the Audit Committee

Appendix H. Key Questions for the Audit Committee to Ask

Appendix I. Audit Committee Competency Framework

Appendix J. Audit Committee Self Assessment Checklist

Appendix K. Model of Corporate Governance Questionnaire

Appendix L. Model of Audit Committee Annual Report

Appendix M. Model of a Whistle-blowing Policy

Appendix N. Model Policy on Using External Auditor for Non-audit Services

Appendix O. Model Policy on Employing Former Employees of the External Auditor

Appendix P. Evaluation of the External Auditor

Appendix Q. External Audit: Model of the Terms of Reference

Appendix R. Guidelines for Hiring the Chief Audit Executive (CAE)

Appendix S. Internal Audit: Model of the Terms of Reference

Appendix T. Engaging Independent Counsel and Other Advisers

Appendix U. Model of an Internal Audit Plan

Appendix V. Model of an Internal Audit Report

Appendix W. Evaluation of Internal Audit

Appendix X. Self-Assessment of the Audit Committee

Introduction

In today's complex world, the Audit Committee can contribute tremendously to a 'no surprise'
environment. An effective Audit Committee should be a key feature in a strong, effective
governance culture and bring significant benefits to the Company. Carefully designed
practices can also help the Audit Committee to maximise its contribution to the ABC
Company.

Developing practices which are based on robust principles - whether terms of reference,
recruiting the right members, or focused agendas and rigorous processes - is fundamental in
fulfilling the Audit Committee's responsibilities.

This handbook articulates the principles underlying the role of the Audit Committee. It
provides guidance to help Audit Committee members to gain a better understanding of the
processes and issues that drive effective oversight of risk management, control and
governance, and of economy, efficiency and effectiveness.

The main focus of the Audit Committee’s work is related to internal control matters, such as
the safeguarding of assets, the maintenance of proper accounting records and the reliability of
financial information.

Today, the Audit Committee’s primary role is to conclude upon the adequacy and effective
operation of the ABC Company’s overall internal control system.

In performing that role the Audit Committee’s work will predominantly focus upon the
framework of risks, controls and related assurances that underpin the delivery of the
Company’s objectives (the Assurance Framework).

As a result, the Audit Committee has a pivotal role to play in reviewing the disclosure
statements that flow from the Company’s assurance processes. In particular these cover the
Statement on Internal Control, included in the Annual Financial Statements.

Both of these documents should come to the Audit Committee before being submitted for
approval to the Board.

It is the responsibility of the Board of Directors to establish and maintain processes for
governance. The Audit Committee independently monitors, reviews and reports to the Board
of Directors on the processes of governance and, where appropriate, facilitates and supports,
through its independence, the attainment of effective processes.

We hope that this handbook will help Audit Committee members to identify and achieve their
objectives and add value to governing bodies, their organisations and other stakeholders.

Good practice principles for Audit Committees

1. Role of the Audit Committee

The Audit Committee shall support the Board of Directors and the Managing Director by
reviewing the comprehensiveness of assurances in meeting the Board of Directors and
Managing Director’s assurance needs, and reviewing the reliability and integrity of these
assurances.

2. Membership, Independence, Objectivity and Understanding

The Audit Committee shall be independent and objective; in addition each member shall have
a good understanding of the objectives and priorities of the organisation and of their role as
an Audit Committee member.

3. Skills

The Audit Committee shall corporately possess appropriate skills to allow it to carry out its
overall function.

4. Scope of Work

The scope of the Audit Committee’s work shall be defined in its Terms of Reference, and
encompass all the assurance needs of the Board of Directors and the Managing Director.
Within this, the Audit Committee shall have particular engagement with the work of Internal
Audit, the work of the External Auditor, and Financial Reporting issues.

5. Communication

The Audit Committee shall ensure it has effective communication with the Board of
Directors, the Chief Audit Executive, the External Auditor, and other stakeholders.

In addition, the role of the Chairperson and provision of appropriate secretariat support are
important elements in achieving Audit Committee effectiveness.

The Chairperson of the Audit Committee has particular responsibility for ensuring that the
work of the Audit Committee is effective, that the Audit Committee is appropriately
resourced, and is maintaining effective communication with stakeholders.

The Audit Committee shall be provided with appropriate secretariat support to enable it to be
effective. This is more than a minute taking function - it involves providing pro-active
support for the work of the Audit Committee and helping its members to be effective in their
role.

Role of the Audit Committee

Terms of Reference

The Audit Committee shall be given formal Terms of Reference by the Board of Directors.
These shall be reviewed regularly and in turn shall require the Audit Committee to regularly
review its own effectiveness.

The Audit Committee shall have appropriate authority to require any member of the
organisation either to:
• Attend the Audit Committee meeting; or
• Provide written report(s) to the Audit Committee for the purpose of providing
information to assist the Audit Committee in fulfilling its role of advising the Board of
Directors.

The Audit Committee will require access to funding to cover the costs incurred in fulfilling
its role. The funding shall be sufficient to:
• Adequately meet the remuneration and working expenses of its members;
• Adequately meet the relevant training needs of its members;
• Provide specialist (external) advice or opinions when required; and
• (If agreed as appropriate in the organisation) provide external review of the
effectiveness of the Audit Committee.

Membership, Independence, Objectivity and Understanding

Independence

An effective Audit Committee must have members who are both independent and objective.
It is good practice, so far as possible, for Audit Committee members to be independent non-
executive Board members.

However, many organisations will not have sufficient independent non-executive Board
members who are also willing to serve as Audit Committee members to provide sufficient
numbers or skills for the Audit Committee.

When there are insufficient non-executive Board members to form the Audit Committee,
independent external members need to be appointed. These members will be appointed to the
Audit Committee but not to the Board of Directors.

They will often be chosen because of particular skills or experience that they hold which will
be beneficial to the Audit Committee. They may be remunerated at an appropriate rate for the
time and effort they are expected to contribute.

As Audit Committee membership will be the only contact they have with the organisation,
such members will have to make particular efforts to obtain and maintain appropriate
understanding of the organisation, which is vital if they are to make a meaningful
contribution to the Audit Committee’s considerations. In this respect, appropriate induction
training is critical, as is an ongoing programme of activity to ensure the member maintains
sufficient appropriate contact with the organisation.

Relationship with the Executive

Executive members of the organisation shall not be appointed to the Audit Committee. The
role of the Executive is to attend, to provide information, and to participate in discussions,
either for the whole duration of a meeting or for particular agenda items.

The Managing Director and the Chief Financial Officer shall routinely attend the Audit
Committee. It is also normal for the Chief Audit Executive and a representative of the
External Auditor to attend. However, the Terms of Reference should provide for the Audit
Committee to sit privately without any non-members present for all or part of a meeting if
they so decide.

Conflicts of Interest

Normally the process for recording declarations of conflicts of interests in the Audit
Committee shall mirror the processes used at Board level. Each member of the Audit
Committee shall take personal responsibility to pro-actively declare any potential conflict of
interest arising out of business arising on the Audit Committee’s agenda or from changes in
the member’s personal circumstances. The Chairperson of the Audit Committee shall then
determine an appropriate course of action with the member. For example, the member might
simply be asked to leave while a particular item of business is taken; or in more extreme
cases the member could be asked to leave the Audit Committee.

If it is the Chairperson who has a conflict of interest, the Board of Directors shall ask another
member of the Audit Committee to lead in determining the appropriate course of action. A
key factor in determining the course of action will be the likely duration of the conflict of
interest: a conflict likely to endure for a long time is more likely to suggest that the member
should leave.

Terms of Appointment

All members of Audit Committees shall have a clear understanding of:


• What is expected of them in their role, including time commitments;
• How their individual performance will be appraised, including a clear understanding
of what would be regarded as unsatisfactory performance and the criteria which
would indicate that termination of Audit Committee membership shall be considered;
and
• The duration of their appointment and how often it may be renewed.

The terms of appointment of the Audit Committee member shall be clearly set out at the time
of appointment in a Letter of Appointment. The letter shall also specify what other activities
the individual may or may not undertake in relation to the organisation. The impact on
independence of further remuneration from other activities shall be given careful
consideration.

Skills

The Audit Committee is charged with ensuring that the Board of Directors and Managing
Director of the organisation gain the assurance they need on risk management, governance
and internal control. So, it needs a range of skills and experience relevant to various aspects
of risk, governance and control.

Because of the importance of financial management and financial reporting to every
organisation, at least one member of the Audit Committee shall have recent and relevant
financial experience. This experience shall be sufficient to allow them to competently engage
with financial management and reporting in the organisation, and associated assurances.

The Audit Committee shall identify, and agree with the Board of Directors, the other skills
required for Committee effectiveness. These identified skills shall inform the choice of
members of the Audit Committee. The required skills set shall be periodically reviewed.

Additional Skills

The Audit Committee shall be empowered to either:


• Co-opt members for a period of time (not exceeding a year, and with the approval of
the Board of Directors) to provide specialist skills, knowledge and experience which
the Audit Committee needs at a particular time; or

• Procure specialist advice at the expense of the organisation on an ad-hoc basis to
support them in relation to particular pieces of Committee business. Budgets for such
procurement shall be approved by the Board of Directors.

Training and Development

All Audit Committee members, whatever their status or background, will have training and
development needs. Those who have recently joined the Audit Committee will need induction
training, either to help them understand their role; or if they have Audit Committee
experience elsewhere, to help them understand the organisation.

Scope of work

Overall Assurance

In most organisations there are a number of sources of assurance, both internal and external,
sometimes primarily intended for the benefit of the organisation and sometimes primarily
intended for the benefit of other stakeholders.

The Board of Directors and Managing Director’s assurance needs are largely met by
evaluating the various sources of assurance (or gaps in sources of assurance), testing and
determining their reliability, and then forming an overall view on the state of risk
management, governance and internal control (which is especially important in supporting
the Statement on Internal Control).

Overall assurance of this kind is unlikely to be capable of expression in a single phrase,
sentence or indicator because it is highly unlikely that all risk will be equally managed.
Rather, the overall view may draw attention to areas where:
• Risk is being appropriately managed (no action is needed);
• Risk is inadequately controlled (action is needed to improve control);
• Risk is over controlled (resource is wasted which could be diverted to other use);
• There is lack of evidence to support a conclusion - and if this concerns areas material
to the operations of the organisation more audit and/or assurance work will need to be
done.

Internal and External Audit

The work of Internal Audit is carried out primarily for the benefit of the Board of Directors
and Managing Director of the organisation. Although the work of the External Auditor is
normally primarily conducted for the benefit of shareholders, it is still of significant benefit to
the organisation as well.

The work of Internal Audit is likely to be the single most significant resource used by the
Audit Committee in discharging its responsibilities. This is because the Chief Audit
Executive, in accordance with Generally Accepted Auditing Standards, has a responsibility to
submit an annual opinion on the overall adequacy and effectiveness of the organisation’s risk
management, control and governance processes. There is consequently a major synergy
between the purpose of the Chief Audit Executive and the role of the Audit Committee.

The role of the Audit Committee in relation to Internal Audit shall include advising the Board
of Directors and Managing Director on:
• The Audit Strategy and periodic Audit Plans, forming a view on how well they
support the Chief Audit Executive’s responsibility to provide an annual opinion on the
overall adequacy and effectiveness of the Company’s risk management, control and
governance processes.
• The results of Internal Audit work, and management response to issues raised by that
work.
• The resourcing of Internal Audit.
• The Terms of Reference (or equivalent) for Internal Audit.

Whilst the work of the External Auditor is not primarily conducted for the benefit of the
Company or its Audit Committee, the Audit Committee shall nevertheless engage with the
activity of the External Auditor. As well as considering the results of external audit work,
they shall enquire about and consider the External Auditor’s planned approach and the way in
which the External Auditor is co-operating with Internal Audit to maximise overall audit
efficiency, capture opportunities to derive a greater level of assurance and minimise
unnecessary duplication of work.

Financial Reporting

The Audit Committee will not itself be able to review the accounts in detail in order to advise
the Managing Director whether they are true and fair. In reaching a view on the accounts, the
Audit Committee shall consider:
• Key accounting policies and disclosures;
• Assurances about the financial systems which provide the figures for the accounts;
• The quality of the control arrangements over the preparation of the accounts by the
Chief Financial Officer;
• Key judgements made in preparing the accounts;
• Any disputes arising between those responsible for preparing the accounts and the
Auditor.

Communication

Co-ordination between the Audit Committee and the Board of Directors

The work of the Audit Committee needs to be effectively communicated if it is to be
effective.

After each meeting of the Audit Committee a report shall be prepared for the Board of
Directors and Managing Director to:
• Summarise the business taken by the Audit Committee, explaining if necessary why
that business was regarded as important; and
• Offer the views and advice from the Audit Committee on issues on which they consider
the Board of Directors or Managing Director should be taking action.

If the minutes of the Audit Committee meeting are used as the report, care shall be taken in
their presentation to highlight the advice being provided. These reports shall normally be
copied to the Chief Audit Executive and to the External Auditor (especially if the report
contains advice about or to the Auditor).

Annual Reports

The Audit Committee shall also provide an Annual Report, timed to support preparation of
the Statement on Internal Control. This internal report needs to be open and honest in
presenting the Audit Committee’s views if it is to be of real benefit to the Board of Directors
and Managing Director.

The Annual Report shall summarise the Audit Committee’s work for the year past, and
present the Audit Committee’s opinion about:
• The comprehensiveness of assurances in meeting the Board of Directors and
Managing Director’s needs;
• The reliability and integrity of these assurances;
• Whether the assurances available are sufficient to support the Board of Directors and
the Managing Director in their decision-taking and their accountability obligations;
• The implication of these assurances for the overall management of risk;
• Any issues that the Audit Committee considers pertinent to the Statement on Internal
Control and any long term issues that the Audit Committee thinks the Board of
Directors and/or Managing Director should give attention to;
• Financial reporting for the year;
• The quality of both Internal and External Audit and their approach to their
responsibilities; and
• The Audit Committee’s view of its own effectiveness, including advice on ways in
which it considers it needs to be strengthened or developed.

Bilateral Communications

There shall be mutual rights of access among each of the Chairperson of the Audit
Committee, the Managing Director, the Chief Audit Executive, and the External Auditor.
Whether or not that right of access is exercised, there shall be an annual bilateral meeting
between the Chairperson of the Audit Committee and each of these parties to ensure that
there is clear understanding of expectations and mutual understanding of current issues.

Appendix A. Model Audit Committee Charter

Purpose

To assist the Board of Directors in fulfilling its oversight responsibilities for the financial
reporting process, the system of internal control, the audit process, and the company's process
for monitoring compliance with laws and regulations and the Code of Conduct.

Authority

The Audit Committee has authority to conduct or authorise investigations into any matters
within its scope of responsibility. It is empowered to:
• Appoint, compensate, and oversee the work of any registered public accounting firm
employed by the organisation.
• Resolve any disagreements between management and the Auditor regarding financial
reporting.
• Pre-approve all auditing and non-audit services.
• Retain outside counsel, accountants, or others to advise the Audit Committee or assist
in the conduct of an investigation.
• Seek any information it requires from employees - all of whom are directed to
cooperate with the Audit Committee's requests - or external parties.
• Meet with company officers, External Auditor, or outside counsel, as necessary.

Composition

The Audit Committee shall consist of at least three and no more than six members. The Board
of Directors or its nominating Committee shall appoint Committee members and the
Chairperson of the Audit Committee.

Each Committee member shall be both independent and financially literate. At least one
member shall be designated as the "financial expert," as defined by applicable legislation and
regulation.

Meetings

The Audit Committee will meet at least four times a year, with authority to convene
additional meetings, as circumstances require. All Committee members are expected to attend
each meeting. The Audit Committee will invite members of management, the Auditor or others to
attend meetings and provide pertinent information, as necessary. It will hold private meetings
with the Auditor (see below) and executive sessions.
Meeting agendas will be prepared and provided in advance to members, along with
appropriate briefing materials. Minutes will be prepared.

Responsibilities

The Audit Committee will carry out the following responsibilities:

Financial Statements

• Review significant accounting and reporting issues, including complex or unusual
transactions and highly judgmental areas, and recent professional and regulatory
pronouncements, and understand their impact on the financial statements.
• Review with management and the External Auditor the results of the audit, including
any difficulties encountered.
• Review the annual financial statements, and consider whether they are complete,
consistent with information known to Committee members, and reflect appropriate
accounting principles.
• Review other sections of the annual report and related regulatory filings before release
and consider the accuracy and completeness of the information.
• Review with management and the External Auditor all matters required to be
communicated to the Audit Committee under Generally Accepted Auditing Standards.
• Understand how management develops interim financial information, and the nature
and extent of internal and External Auditor involvement.
• Review interim financial reports with management and the External Auditor before
filing with regulators, and consider whether they are complete and consistent with the
information known to Committee members.

Internal Control

• Consider the effectiveness of the company's internal control system, including
information technology security and control.
• Understand the scope of Internal and External Auditor’s review of internal control
over financial reporting, and obtain reports on significant findings and
recommendations, together with management's responses.

Internal Audit

• Review with management and the Chief Audit Executive the charter, activities,
staffing, and organisational structure of the Internal Audit function.
• Have final authority to review and approve the annual audit plan and all major
changes to the plan.
• Ensure there are no unjustified restrictions or limitations, and review and concur in
the appointment, replacement, or dismissal of the Chief Audit Executive.
• At least once per year, review the performance of the CAE and concur with the annual
compensation and salary adjustment.
• Review the effectiveness of the Internal Audit function, including compliance with
Generally Accepted Auditing Standards.
• On a regular basis, meet separately with the Chief Audit Executive to discuss any
matters that the Audit Committee or Internal Audit believe should be discussed
privately.

External Audit

• Review the External Auditor’s proposed audit scope and approach, including
coordination of audit effort with Internal Audit.
• Review the performance of the External Auditor, and exercise final approval on the
appointment or discharge of the Auditor.
• Review and confirm the independence of the External Auditor by obtaining
statements from the Auditor on relationships between the Auditor and the company,
including non-audit services, and discussing the relationships with the Auditor.
• On a regular basis, meet separately with the External Auditor to discuss any matters
that the Audit Committee or the Auditor believe should be discussed privately.

Compliance

• Review the effectiveness of the system for monitoring compliance with laws and
regulations and the results of management's investigation and follow-up (including
disciplinary action) of any instances of non-compliance.
• Review the findings of any examinations by regulatory agencies, and any Auditor
observations.
• Review the process for communicating the Code of Conduct to company personnel,
and for monitoring compliance therewith.
• Obtain regular updates from management and company legal counsel regarding
compliance matters.

Reporting Responsibilities

• Regularly report to the Board of Directors about Committee activities, issues, and
related recommendations.
• Provide an open avenue of communication between Internal Audit, the External
Auditor, and the Board of Directors.
• Report annually to the shareholders, describing the Audit Committee's composition,
responsibilities and how they were discharged, and any other information required by
rule, including approval of non-audit services.
• Review any other reports the Company issues that relate to Committee
responsibilities.

Other Responsibilities

• Perform other activities related to this charter as requested by the Board of Directors.
• Institute and oversee special investigations as needed.

• Review and assess the adequacy of the Audit Committee charter annually, requesting
Board approval for proposed changes, and ensure appropriate disclosure as may be
required by law or regulation.
• Confirm annually that all responsibilities outlined in this charter have been carried
out.
• Evaluate the Audit Committee's and individual members' performance on a regular
basis.

Appendix B. The Role of the Chairperson

The role of the Chairperson of the Audit Committee goes a good deal beyond chairing
meetings.

Indeed it is the key to achieving Committee effectiveness. The additional workload should be
taken into account when appointing the Chairperson.

Exactly how a particular Chairperson manages the Audit Committee will vary depending on
the character of the individual and the needs of the specific organisation.

Key activities beyond Committee meetings shall include the following:

Agenda Setting

• Before each meeting the Chairperson and the Audit Committee Secretary shall meet to
discuss and agree the business for the meeting. The Chairperson shall take ownership
of, and have final say in, the decisions about what business will be pursued at any
particular meeting.

Communication

• The Chairperson shall ensure that after each meeting appropriate reports are prepared
from the Audit Committee to the Board of Directors and to the Managing Director.
• The Chairperson shall ensure that the Audit Committee provides a suitable Annual
Report to the Board of Directors.
• The Chairperson shall have bilateral meetings at least annually with the Managing
Director, the Chief Audit Executive and the External Auditor, and with the
Chairperson of the Board of Directors. In addition, the Chairperson shall meet any
people newly appointed to these positions as soon as practicable after their
appointment.
• The Chairperson shall also ensure that all Committee members have an appropriate
programme of interface with the organisation and its activities to help them
understand the organisation, its objectives, business needs and priorities.

Monitoring actions

• The Chairperson shall ensure that there is an appropriate process between meetings
for action points arising from Committee business to be appropriately pursued.
• The Chairperson shall also ensure that members who have missed a meeting are
appropriately briefed on the business conducted in their absence. The Chairperson
may choose to rely on the Secretariat to take these actions.

Appraisal

• The Chairperson shall take the lead in ensuring that Committee members are provided
with appropriate appraisal of their performance as a Committee member and that
training needs are identified and addressed. The Chairperson shall themselves seek
appraisal of their performance from the Managing Director (or Chairperson of the
Board of Directors), as appropriate.
• The Chairperson shall ensure that there is a periodic review of the overall
effectiveness of the Audit Committee and of its Terms of Reference.

Appointments

• The Chairperson shall be involved in the appointment of new Committee members,
including providing advice on the skills and experience being sought by the Audit
Committee when a new member is appointed.

Appendix C. Committee Support

The secretariat shall be able to support the Chairperson of the Audit Committee in identifying
business to be taken, and the relevant priorities of the business. For this reason, and as the
Audit Committee is a committee of the Board of Directors, the Audit Committee Secretariat
function shall be supervised by the Board of Directors secretariat. The Chairperson of the
Audit Committee and the secretariat shall agree procedures for commissioning briefing to
accompany business items on the Audit Committee’s agenda and timetables for the issue of
meeting notices, agendas, and minutes.

The Chairperson of the Audit Committee shall always review and approve minutes of
meetings before they are circulated.

The specific responsibilities of the Audit Committee Secretariat shall include:


• Meeting with the Chairperson of the Audit Committee to prepare agendas for
meetings;
• Commissioning papers as necessary to support agenda items;
• Circulating meeting documents in good time before each meeting;
• Arranging for executives to be available as necessary to discuss specific agenda items
with the Audit Committee during meetings;
• Keeping a record of meetings and providing draft minutes for the Chairperson’s
approval;
• Ensuring action points are being taken forward between meetings;
• Supporting the Chairperson in the preparation of Audit Committee reports to the
Board of Directors;
• Arranging the Chairperson’s bilateral meetings with the Managing Director, the Chief
Audit Executive and the External Auditor, and with the Chairperson of the Board of
Directors;
• Keeping the Chairperson and Committee members in touch with developments and
relevant background information about developments in the organisation;
• Maintaining a record of when members’ terms of appointment are due for renewal or
termination;
• Ensuring that appropriate appointment processes are initiated when required;
• Ensuring that new members receive appropriate induction training, and that all
members are supported in identifying and participating in ongoing training;
• Managing budgets allocated to the Audit Committee.

Careful consideration shall be given to ensuring that the Audit Committee Secretariat
function is not biased. If the function is provided by Internal Audit there may be a risk of bias
towards Internal Audit interests. On the other hand, there is merit in ensuring the secretariat is
independent of pressure from senior management, as could happen if the Board of Directors
Secretariat also supports the Audit Committee.

When the Audit Committee decides to meet privately, the Chairperson shall decide whether
the secretariat members should also withdraw. If so, the Chairperson shall ensure that an
adequate note of proceedings is kept to support the Audit Committee’s conclusions and
advice.

Appendix D. Model Letter of Appointment to the Audit Committee

(Date)

Dear (Name of Committee Member)

You are hereby appointed by the Board of Directors as a member of the Audit Committee of
(organisation). As a member of the Audit Committee you are accountable to the Board of
Directors through the Chairperson of the Audit Committee. Your appointment is for (number)
years from (date). This appointment may be renewed (number) times (by mutual agreement)
after the duration of this appointment.

The Audit Committee is a Committee of the Board of Directors of (organisation) and the
purpose of the Audit Committee is to:
• Review the comprehensiveness of assurances in meeting the Board of Directors and
Managing Director’s assurance needs;
• Review the reliability and integrity of these assurances;
• Advise the Board of Directors and the Managing Director about how well assurances
consequently support them in decision taking and in discharging their accountability
obligations.

A copy of the Audit Committee’s Terms of Reference is enclosed.

The Audit Committee is chaired by (name) and the other members are (names). (It is
recommended that the new member be provided with a list of their contact details)

Support and Training

The Secretary of the Audit Committee is (name / contact details) and they will shortly be in
touch with you to discuss and arrange appropriate induction training.

To help you understand the governance arrangements and the role of Audit Committees, a
copy of the “Audit Committee Handbook” is enclosed with this letter of appointment.

Commitment and Remuneration

Your duties as an Audit Committee member are expected to typically take (number) days per
annum, including time to read papers in preparation for meetings and a programme of activity
to keep you in touch with the organisation’s activities and priorities. The Audit Committee
normally meets (number) times each year, but additional meetings may be required from time
to time. Your remuneration will be (include details of amount and means by which it will be
paid).

Conflicts of Interest

If during your period of appointment to the Audit Committee your personal circumstances
change in any way that may provide a conflict of interest for you in your Audit Committee
role, you must declare the circumstances to the Chairperson of the Audit Committee.

Appraisal

As a member of the Audit Committee you will be subject to appraisal by the Chairperson of
the Audit Committee (include brief details of the appraisal process).

Termination

If you choose to resign from this appointment you will be expected to give (number) months'
notice, unless your circumstances have changed in a way that makes it appropriate for you to
resign immediately. If your performance as an Audit Committee member is decided to be
unacceptable (see appraisal), or if your conduct (including conflicts of interest) is
unacceptable, your appointment may be terminated by the Board of Directors.

Appendix E. Model of Work Programme

Spring Meeting

• Comment on the accounts for the year just finished prior to their finalisation and
submission for audit;
• Advise on the content of the Statement on Internal Control for the year just finished,
to be presented alongside the finalised accounts;
• Review Internal Audit’s finalised periodic work plan for the financial year just begun;
• Agree the Audit Committee’s annual report to the Board of Directors and Managing
Director.

Summer Meeting

• Review and consider the accounts;
• Consider (emerging) External Auditor’s opinion for the financial year just finished
and advise the Managing Director on signing the accounts and the Statement on
Internal Control (SIC);
• Consider Internal Audit opinion for the financial year just finished;
• Discuss the implications of the result of the Managing Director’s review of
effectiveness of the system of internal control in relation to the Statement on Internal
Control;
• Some Audit Committees choose to have an additional meeting timed to deal with no
business other than the pre-recess finalisation of the accounts.

Autumn Meeting

• Consider mid-year report on emerging findings from Internal Audit;
• Consider the External Auditor’s management letter for the previous year, any
emerging findings from the current interim / in-year work of the External Auditor, and
External Auditor’s approach to their work;
• Consider the External Auditor’s strategy proposed in respect of the current year’s
accounts;
• Consider any residual actions arising from the previous year’s work of both internal
and external audit.

Winter Meeting

• Advise on the Internal Audit strategy and the periodic work plan for the beginning of
the new financial year;

• Consider areas in which the Audit Committee will particularly promote cooperation
between External Auditor and other review bodies in the coming year;
• Re-visit emerging findings from the External Auditor and review actions in response
to the External Auditor’s management letter;
• Consider the Audit Committee’s own effectiveness in its work.

Appendix F. Fraud and the Responsibilities of the Audit Committee

The Audit Committee shall take an active role in the prevention and deterrence of fraud, as
well as in an effective ethics and compliance program. The Audit Committee shall constantly
challenge management and the External Auditor to ensure that the organisation has
appropriate antifraud programs and controls in place to identify potential fraud, and to ensure
that investigations are undertaken if fraud is detected. The Audit Committee shall take an
interest in ensuring that appropriate action is taken against known perpetrators of fraud.

This document is intended to make Audit Committee members aware of their responsibilities
as they undertake this important role. It highlights areas of corporate activity that may require
additional scrutiny by the Audit Committee.

Definition and Categories of Fraud


An understanding of fraud is essential for the Audit Committee to carry out its
responsibilities.
The term fraud may be defined as:

An intentional perversion of truth for the purpose of inducing another in reliance
upon it to part with some valuable thing belonging to him or to surrender a legal
right. A false representation of a matter of fact, whether by words or by conduct, by
false or misleading allegations, or by concealment of that which should have been
disclosed, which deceives and is intended to deceive another so that he shall act upon
it to his legal injury. . . A generic term, embracing all multifarious means which
human ingenuity can devise, and which are resorted to by one individual to get
advantage over another by false suggestions or by suppression of truth, and includes
all surprise, trick, cunning, dissembling, and any unfair way by which another is
cheated.

The Audit Committee also needs to be aware that fraud affecting the organisation often falls
within one of three categories:

• Management fraud, which involves senior management’s intentional
misrepresentation of financial statements, or theft or improper use of company
resources.
• Employee fraud, which involves non-senior employee theft or improper use of
company resources.
• External fraud, which involves theft or improper use of resources by people who are
neither management nor employees of the firm.

This categorisation of fraud is useful, but not absolute. Middle management employees may
intentionally misrepresent financial statement transactions, for example, to improve their
apparent performance, or outside individuals may collude with company management or
employees.

Role of the Audit Committee in the Prevention, Deterrence, Investigation, and Discovery or
Detection of Fraud

The members of the Audit Committee should understand their role of ensuring that the
organisation has antifraud programs and controls in place to help prevent fraud, and aid in its
discovery if it does occur, to properly fulfil their fiduciary duties of:
• Monitoring the financial reporting process
• Overseeing the internal control system
• Overseeing the Internal Audit and the External Auditor, and
• Reporting findings to the Board of Directors.

The Audit Committee should ensure that the organisation has implemented an effective ethics
and compliance program, and that it is periodically tested. Since the occurrence of significant
frauds can frequently be attributed to an override of internal controls, the Audit Committee
plays an important role to ensure that internal controls address the appropriate risk areas and
are functioning as designed.

Internal Audit and the External Auditor can serve a vital role in aiding in fraud prevention and
deterrence. Internal Audit staff and External Auditor staff who are experienced and trained in
fraud prevention and deterrence can help to provide assurance that:
• Risks are effectively identified and monitored;
• Organisational processes are effectively controlled and tested periodically; and
• Appropriate follow-up action is taken to address control weaknesses.

The Audit Committee needs to ensure that Internal Audit and the External Auditor are
carrying out their responsibilities in connection with potential fraud.

When Fraud Is Discovered

Fraud can be discovered through many sources, namely, Internal Audit or the External
Auditor, accounting consultants, employees, suppliers, and others. Establishing a confidential
hotline can also be an important source of information leading to fraud discovery, as part of an
organisation’s overall ethics, compliance, and fraud prevention program.

If fraud or improprieties are asserted or discovered, the Audit Committee - through the
External Auditor, Internal Audit, or accounting consultants, as appropriate - should
investigate, and, if necessary, retain legal counsel to assert claims on the organisation’s behalf.

If fraud is discovered, or there is a reasonable basis to believe that fraud may have occurred,
the Audit Committee is responsible for ensuring that an investigation is undertaken. Criteria
should be in place describing the Audit Committee’s level of involvement, based on the
severity of the offense. Most Audit Committee members will also want to obtain information
about all violations of the law and the organisation’s policies.

Conclusion

Audit Committees are required to play a pivotal role in the prevention and deterrence of fraud,
and to take appropriate action in the discovery of fraud. Independent accountants, hired by the
Audit Committee and Internal Audit will continue to play an important part in the process.

Appendix G. Internal Control: A Tool for the Audit Committee

Internal control over financial reporting has always been a major area in the governance of an
organisation, and this importance has been magnified in recent years. This document is
intended to give Audit Committee members basic information about internal control to
understand what it is, what it is not, how it can be used most effectively in the organisation,
and the requirements of management with respect to the system of internal control over
financial reporting. Note that the primary responsibility of the Audit Committee with respect
to internal control is the system of internal control over financial reporting.

Basics of Internal Control

In 1992, the Committee of Sponsoring Organisations (COSO) [1] of the National
Commission on Fraudulent Financial Reporting (also known as the Treadway Commission)
published a document called: Internal Control – Integrated Framework, [2] which defined
internal control as “a process, effected by an entity’s Board of Directors, management and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives” in three categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations

Internal control can be judged as effective in each of these categories if the Board of Directors
and management have reasonable assurance that:
1. They understand the extent to which the entity’s operations objectives are being
achieved.
2. Published financial statements are being prepared reliably.
3. Applicable laws and regulations are being complied with.

The COSO Framework went on to say that internal control consists of five interrelated
components as follows:

1. Control environment. Sometimes referred to as the “tone at the top” of the
organisation, meaning the integrity, ethical values and competence of the entity’s
people, management’s philosophy and operating style, the way management assigns
authority and responsibility, organises and develops its people, and the attention and
direction provided by the Board of Directors. It is the foundation for all other
components of internal control, providing discipline and structure.

[1] The Committee of Sponsoring Organisations consists of the American Institute of CPAs
(AICPA), the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA),
Financial Executives International (FEI), and the American Accounting Association (AAA).
[2] The COSO publication Internal Control – Integrated Framework (Product Code Number 990012) may
be purchased through the AICPA store.

2. Risk assessment. The identification and analysis of relevant risks to achieving the
objectives, which forms the basis for determining how risks should be managed. This
component should address the risks, both internal and external, that must be assessed.
Before conducting a risk assessment, objectives must be set and linked at different
levels.

3. Control activities. Policies and procedures that help ensure that management
directives are carried out. Control activities occur throughout the organisation at all
levels in all functions. These include activities like approvals, authorisations,
verifications, reconciliations, reviews of operating performance, security of assets and
segregation of duties.

4. Information and communication. Addresses the need in the organisation to identify,
capture and communicate information to the right people to enable them to carry out
their responsibilities. Information systems within the organisation are key to this
element of internal control. Internal information, as well as external events, activities
and conditions must be communicated to enable management to make informed
business decisions and for external reporting purposes.

5. Monitoring. The internal control system must be monitored by management and
others in the organisation. This is the framework element that is associated with the
Internal Audit function in the company, as well as other means of monitoring such as
general management activities and supervisory activities. It is important that internal
control deficiencies be reported upstream, and that serious deficiencies are reported to
top management and the Board of Directors.

These five components are linked together and form an integrated system that should react
dynamically to changing conditions. The internal control system is intertwined with the
organisation’s operating activities, and is most effective when controls are built into the
organisation’s infrastructure, becoming part of the very essence of the organisation.

An effective internal control structure can actually be part of the competitive advantage of the
organisation.

Key Terms in Internal Control

There are a few terms that you will hear frequently when discussing internal control, and
these are identified and described as follows:

Reportable condition. Has the same meaning as the term “significant deficiency.” These two
terms are used to define a significant deficiency in the design or operation of internal control
that could adversely affect a company’s ability to record, process, summarise and report
financial data consistent with the assertions of management in the organisation’s financial
statements. An aggregation of significant deficiencies could constitute a material weakness.

Material weakness. Defined in the auditing literature as a reportable condition in which the
design or operation of one or more of the internal control components does not reduce to a
relatively low level the risk that misstatements caused by errors or fraud in amounts that
would be material in relation to the financial statements being audited may occur and not be
detected within a timely period by employees in the normal course of performing their
assigned duties.

Compensating controls. Some organisations, by virtue of their size, are not able to implement
basic controls such as segregation of duties. This apparent lack of control should be overcome
through other controls, which should be expected to be more rigorous in this situation than in
a situation where the basic control exists. This compensating control could be a permanent
part of the control system, or just temporary if a basic control is not able to function for some
period of time.

What Internal Control Cannot Do

As important as an internal control structure is to an organisation, an effective system is not a
guarantee that the organisation will be successful. An effective internal control structure will
keep the right people informed about the organisation’s progress (or lack of progress) in
achieving its objectives, but it cannot turn a poor manager into a good one. Internal control
cannot ensure success, or even survival.

Internal control is not an absolute assurance to management and to the Board of Directors
about the organisation’s achievement of its objectives. It can only provide reasonable
assurance, due to limitations inherent in all internal control systems. For example,
breakdowns in the internal control structure can occur due to simple error or mistake, as well
as faulty judgments that could be made at any level of management. In addition, controls can
be circumvented by collusion or by management override. Finally, the design of the internal
control system is a function of the resources available, meaning that there must be a cost-
benefit analysis in the design of the system.

Roles and Responsibilities

Everyone in the organisation has some role to play in the organisation’s internal control
system.
In a public company, the CFO and CEO are required to certify that they (among other things):

• Are responsible for establishing and maintaining internal controls;
• Have designed such internal controls to ensure that material information relating to the
company and its consolidated subsidiaries is made known to the CFO and CEO by
others within those entities, particularly during the period in which the periodic reports
are being prepared;
• Have evaluated the effectiveness of the company’s internal controls as of a date within
90 days prior to the report; and
• Have presented in the report their conclusions about the effectiveness of their internal
controls based on their evaluation as of that date;
• Have disclosed to the company’s External Auditor and the Audit Committee (a) all
significant deficiencies in the design or operation of internal control which could
adversely affect the company’s ability to record, process, summarise, and report
financial data and have identified for the company’s External Auditor any material
weaknesses in internal control; and (b) any fraud, whether or not material, that
involves management or other employees who have a significant role in the
company’s internal controls; and
• Have indicated in their report whether or not there were significant changes in internal
controls or in other factors that could significantly affect internal controls subsequent
to the date of evaluation, including any corrective actions with regard to significant
deficiencies and material weaknesses.

CEO. The CEO has ultimate responsibility and “ownership” of the internal control system.
The individual in this role sets the tone at the top that affects the integrity and ethics and other
factors that create the positive control environment needed for the internal control system to
thrive. Aside from setting the tone at the top, much of the day-to-day operation of the control
system is delegated to other senior managers in the company, under the leadership of the
CEO.

CFO. Much of the internal control structure flows through the accounting and finance area of
the organisation under the leadership of the CFO. In particular, controls over financial
reporting fall within the domain of the Chief Financial Officer. The Audit Committee should
use interactions with the CFO, and others, as a basis for their comfort level on the internal
control over financial reporting.

This is not intended to suggest that the CFO must provide the Audit Committee with a level of
assurance regarding the system of internal control over financial reporting. Rather, through
interactions with the CFO and others, the Audit Committee should get a “gut feeling” about
the completeness, accuracy, validity and maintenance of the system of internal control over
financial reporting.

Controller. Much of the basics of the control system come under the domain of this position.
It is key that the Controller understands the need for the internal control system, is committed
to the system, and communicates the importance of the system to all people in the accounting
organisation. Further, the Controller must demonstrate respect for the system through his or
her actions.

Internal Audit. A main role for the Internal Audit team is to evaluate the effectiveness of the
internal control system and contribute to its ongoing effectiveness. With Internal Audit
reporting directly to the Audit Committee of the Board of Directors and/or the most senior
levels of management, it is often this function that plays a significant role in monitoring the
internal control system.

Board of Directors/Audit Committee. A strong, active Board is necessary. This is particularly
important when the organisation is controlled by an executive or management team with tight
reins over the organisation and the people within the organisation. The Board should
recognise that its scope of oversight of the internal control system applies to all three major
areas of control: over operations, over compliance with laws and regulations, and over
financial reporting. The Audit Committee is the Board’s first line of defence with respect to
the system of internal control over financial reporting.

All Other Personnel. The internal control system is only as effective as the employees
throughout the organisation that must comply with it. Employees throughout the organisation
should understand their role in internal control and the importance of supporting the system
through their own actions and encouraging respect for the system by their colleagues
throughout the organisation.

Compensating Controls

It is important to realise that both the design of, and compliance with, the internal control
system are important. The Audit Committee should be “tuned-in” to the tone-at-the-top of the
organisation as a first indicator of the functioning of the internal control system.

In addition, the Audit Committee should realise that the system of internal control should be
scaled to the organisation. Some organisations will be so small, for example, that they will
not be able to have appropriate segregation of duties. The message here is that the lack of
segregation of duties is not automatically a material weakness, or even a reportable condition,
depending on the compensating controls that are in place.

For example, suppose a company’s accounting department is so small that it is not possible to
segregate duties between the person that does the accounts payable, and the person that
reconciles the bank statements. In this case, it is one and the same person, so the implication
is that there are no checks and balances on the accounts payable person, who could be writing
cheques to a personal account, then passing on them during the bank reconciliation process
(that is, there is no one to raise the red flag that personal cheques are being written on the
company account).

Compensating controls could make up for this apparent breach in the internal control system.

Here are some examples of compensating controls in this situation:

• All cheques are hand signed by officers of the company, rather than using a signature
plate that is in the control of the person that prepared the cheques.
• The bank reconciliation may be reviewed by the person’s manager.
• A periodic report of all cheques that are cleared at the bank could be prepared by the
bank and forwarded to an officer of the company for review.

The Audit Committee should be aware of situations like this, and be prepared to ask questions
and evaluate the answers when an obvious breach in internal control surfaces.

Management Override of Controls

Another area that the Audit Committee needs to focus on is the ability of management to
override internal controls over financial reporting to perpetrate a fraud. Examples of
techniques used by management in overriding internal controls over the financial reporting
function include:
• Back dating sales documents to a prior period;
• Making adjusting entries during the financial reporting closing process; or
• Reclassifying items improperly between the income statement and the balance sheet.

Some of these override techniques were used in some accounting scandals and have gained
substantial notoriety.

The Audit Committee has the responsibility to help prevent or deter a management override of
controls. It is important for the Audit Committee to understand that there is a system to
uncover an override, as well as follow-up to determine its appropriateness. Questions about
management override, and the controls over management override, as well as audit steps to
detect if a management override has occurred, should be addressed to the CEO, CFO, CAE,
and External Auditor during the respective executive sessions with the Audit Committee.

Conclusion

This document should have given you a sense of what people mean when they refer to
internal control. The concepts are not complex, but sometimes the application of internal
control can be a challenge in an organisation, depending on its size and the corporate culture.

However, it is vitally important to design the system of internal control to achieve the
objectives of:
• Effectiveness and efficiency of operations;
• Reliability of financial reporting; and
• Compliance with applicable laws and regulations.

Internal Control Questionnaire

This questionnaire focuses on the five interrelated components of an internal control system,
as described in the COSO Internal Control – Integrated Framework [3] publication.

The Audit Committee’s role in the internal control structure of the Company focuses on
internal controls over financial reporting and the various systems (human resources,
computing, and other) available to support that process, and this document is created to
facilitate that role. The Audit Committee needs to be assured that the controls are in place and
operating effectively.

This can be achieved through the Audit Committee’s interaction with senior management,
External Auditor, Internal Audit, and other key members of the financial management team.

Instructions for Using this Document

This questionnaire is created around the five interrelated components of an internal control
structure. Within each component is a series of questions that the Audit Committee should
focus on to assure itself that controls are in place and functioning. These questions should be
discussed in an open forum with the individuals that have a basis for responding to the
questions.

[3] The questions in this questionnaire are adapted from “Evaluation Tools,” Volume 2 of the COSO
Internal Control – Integrated Framework, published September 1992, by the Audit Committee of
Sponsoring Organisations.

The Audit Committee should ask for detailed answers and examples from the management
team, including key members of the financial management team, Internal Audit and External
Auditor to assure itself that the system is operating as management represents.

Evaluation of the internal control structure is not a one-time, but rather a continuous event for
the Audit Committee. The Audit Committee members should always have their eyes and ears
open for potential weaknesses in internal control, and should continually probe the
responsible parties regarding the operation of the system.

These questions are written in such a manner that a “No” response indicates a weakness that
must be addressed.

Control Environment—Integrity and Ethical Values

1. Does the organisation have a comprehensive Code of Conduct or other policies
addressing acceptable business practice, conflicts of interest, and expected standards
of ethical and moral behaviour?
2. Is the code distributed to all employees?
3. Are all employees required to periodically acknowledge that they have read,
understood, and complied with the code?
4. Does management demonstrate through actions its own commitment to the Code of
Conduct?
5. Are dealings with customers, suppliers, employees, and other parties based on honesty
and fair business practices?
6. Does management take appropriate action in response to violations of the Code of
Conduct?
7. Is management explicitly prohibited from overriding established controls? What
controls are in place to provide reasonable assurance that controls are not overridden
by management? Are deviations from this policy investigated and documented? Are
violations (if any) and the results of investigations brought to the attention of the Audit
Committee?
8. Is the organisation proactive in reducing fraud opportunities by (1) identifying and
measuring fraud risks, (2) taking steps to mitigate identified risks, (3) identifying a
position within the organisation to “own” the fraud prevention program, and (4)
implementing and monitoring appropriate preventative and detective internal controls
and other deterrent measures?
9. Does the company use an anonymous ethics and fraud hotline, and, if so, are
procedures in place to investigate and report results to the Audit Committee?

Control Environment—Commitment to Competence


1. Is the level of competence, and the requisite knowledge and skills defined for each job
in the accounting and Internal Audit organisations?
2. Does management make an effort to determine whether the accounting and Internal
Audit organisations have adequate knowledge and skills to do their jobs?

Control Environment—Board of Directors and Audit Committee

1. Are the Audit Committee’s responsibilities defined in a charter? If so, is the charter
updated annually and approved by the Board of Directors?
2. Are Audit Committee members independent of the company and of management? Do
Audit Committee members have the knowledge, industry experience, and financial
expertise to serve effectively in their role?
3. Are a sufficient number of meetings held, and are the meetings of sufficient length and
depth to cover the agenda, and provide healthy discussion of issues?
4. Does the Audit Committee constructively challenge management’s planned decisions,
particularly in the area of financial reporting, and probe the evaluation of past results?
5. Are regular meetings held between the Audit Committee and the Chief Financial
Officer, the Chief Audit Executive, other key members of the financial management
and reporting team, and the External Auditor? Are executive sessions conducted on a
regular basis?
6. Does the Audit Committee approve Internal Audit’s annual audit plan?
7. Does the Audit Committee receive key information from management in sufficient
time in advance of meetings to prepare for discussions at the meetings?
8. Does a process exist for informing Audit Committee members about significant issues
on a timely basis and in a manner conducive to the Audit Committee having a full
understanding of the issues and their implications?
9. Is the Audit Committee informed about personnel turnover in key functions including
the audit team, senior executives, and key personnel in the financial accounting and
reporting teams? Are unusual employee turnover situations observed for patterns or
other indicators of problems?

Control Environment—Management’s Philosophy and Operating Style

1. Is the accounting function viewed as a team of competent professionals bringing
information, order, and controls to decision-making?
2. Is the selection of accounting principles made in the long-term best interest of the
organisation (as opposed to short-term maximisation of income)?
3. Are valuable assets, including intellectual assets, protected from unauthorised access
and use?
4. Do managers respond appropriately to unfavourable signals and reports?
5. Are estimates and budgets reasonable and achievable?

Control Environment—Organisational Structure

1. Is the organisational structure within the accounting function and the Internal Audit
function appropriate for the size of the organisation?
2. Are key managers in the accounting and Internal Audit functions given adequate
definition of their responsibilities?
3. Do sufficient numbers of employees exist, particularly at the management levels in the
accounting and Internal Audit functions to allow those individuals to effectively carry
out their responsibilities?

Control Environment—Assignment of Authority and Responsibility

1. Is the authority delegated appropriate for the responsibilities assigned?
2. Are job descriptions in place for management and supervisory personnel in the
accounting and Internal Audit functions?
3. Do senior managers get involved as needed to provide direction, address issues,
correct problems and/or implement improvements?

Control Environment—Human Resources Policies and Practices

1. Are policies and procedures in place for hiring, training, promoting, and compensating
employees in the accounting and Internal Audit functions?
2. Do employees understand that sub-standard performance will result in remedial
action?
3. Is remedial or corrective action taken in response to departures from approved
policies?
4. Do employees understand the performance criteria necessary for promotions and
salary increases?

Risk Assessment

1. Does the organisation consider risks from external sources such as creditor demands,
economic conditions, regulation, labour relations (e.g. unions), etc.?
2. Does the organisation consider risks from internal sources such as key employees
(retention and succession planning), financing and the availability of funding for key
programs, competitive compensation and benefits, information systems security and
backup systems?
3. Is the risk of a misstatement in the financial statements considered and are steps taken
to mitigate that risk?
4. If applicable, are the risks associated with foreign/off-shore operations considered,
including their impact on the financial reporting process?

Control Activities

1. Does the organisation have a process in place to ensure that controls as described in its
policy and procedures manuals are applied as they are meant to be applied?
2. Do the policy and procedures manuals document all important policies and
procedures? Are these policies and procedures reviewed and updated on a regular
basis? If so, by whom?
3. Do supervisory personnel review the functioning of controls? If so, how is that review
conducted and what happens to the results? Is appropriate and timely follow-up action
taken on exceptions?

Information and Communication

1. Is a process in place to collect information from external sources, such as industry,
economic, and regulatory information that could have an impact on the business or the
financial reporting process?
2. Are milestones to achieve financial reporting objectives monitored to ensure that
timing deadlines are met?
3. Is necessary operational and financial information communicated to the right people in
the organisation on a timely basis and in a format that facilitates its use, including new
or changed policies and procedures?
4. Is a process in place to respond to new information needs in the organisation on a
timely basis?
5. Is there a process in place to collect and document errors or complaints to analyse,
determine the cause, and eliminate a problem from recurring in the future?
6. Is a process established and communicated to officers, employees and others, about
how to communicate suspected instances of wrongdoing by the company or
employees of the company? Furthermore, does a process exist to ensure that anyone
making such a report is protected from retaliation?

Monitoring

1. Do officers and employees understand their obligation to communicate observed
weaknesses in design or compliance with the internal control structure of the
organisation to the appropriate supervisory or management personnel?
2. Are interactions with external stakeholders periodically evaluated to determine if they
are indicative of a weakness in the internal control structure? (For example, consider
the frequency of customer complaints about incorrect bills.)
3. Is there follow-up on recommendations from Internal Audit and the External Auditor
for improvements to the internal control system?
4. Are personnel asked to periodically state whether they understand and comply with
the organisation’s Code of Conduct?
5. Are personnel required to sign off, indicating their performance of critical control
activities such as performing reconciliations?
6. Does Internal Audit have the right number of competent and experienced staff?
7. Do they have access to the Board of Directors and Audit Committee?
8. Is the reporting structure in place to ensure their objectivity and independence?
9. Is the work of Internal Audit appropriate to the organisation’s needs, and prioritised
with the Audit Committee’s direction?

Appendix H. Key Questions for the Audit Committee to Ask

On the strategic processes for risk, control and governance, how do we know:
1. That the risk management culture is appropriate?
2. That there is a comprehensive process for identifying and evaluating risk, and for
deciding what levels of risk are tolerable?
3. That the Risk Register is an appropriate reflection of the risks facing the organisation?
4. That appropriate ownership of risk is in place?
5. That management has an appropriate view of how effective internal control is?
6. That risk management is carried out in a way that really benefits the organisation, rather
than being treated as a box-ticking exercise?
7. That the organisation as a whole is aware of the importance of risk management and of
the organisation’s risk priorities?
8. That the system of internal control will provide indicators of things going wrong?
9. That the Statement on Internal Control is meaningful, and what evidence underpins it?
10. That the Statement on Internal Control appropriately discloses action to deal with
material problems?
11. That the Board of Directors is appropriately considering the results of the
effectiveness review underpinning the Statement on Internal Control?

On risk management processes, how do we know:
1. How senior management supports and promotes risk management?
2. How well people are equipped and supported to manage risk?
3. That there is a clear risk strategy and policies?
4. That there are effective arrangements for managing risks with partners?
5. That the organisation’s processes incorporate effective risk management?
6. If risks are handled well?
7. If risk management contributes to achieving outcomes?

On the planned activity and results of both internal and external audit, how do we
know:
1. That the Internal Audit strategy is appropriate for delivery of a positive reasonable
assurance on the whole of risk, control and governance?
2. That the periodic audit plan will achieve the objectives of the Internal Audit strategy,
and in particular is it adequate to facilitate a positive, reasonable assurance?
3. That Internal Audit has appropriate resources, including skills, to deliver its
objectives?
4. That Internal Audit recommendations agreed by management are actually
implemented?
5. That any issues arising from line management not accepting Internal Audit
recommendations are appropriately escalated for consideration?
6. That the quality of Internal Audit work is adequate? / What does application of the
Internal Audit Quality Assessment Framework tell us about the quality of the Internal
Audit Department?
7. That there is appropriate co-operation between Internal Audit and the External
Auditor?

On the accounting policies, the accounts, and the annual report of the organisation, how
do we know:
1. That the accounting policies in place comply with relevant requirements, particularly
the Financial Reporting Manual?
2. That there has been due process in preparing the accounts and annual report and is that
process robust?
3. That the accounts and annual report have been subjected to sufficient review by
management and by the Managing Director and the Board of Directors?
4. That when new accounting issues arise, appropriate advice on accounting treatment is
obtained?
5. That there is an appropriate anti-fraud policy in place and that losses are suitably
recorded?
6. That suitable processes are in place to ensure accurate financial records are kept? That
suitable processes are in place to ensure fraud is guarded against and regularity and
propriety are achieved?
7. That financial control, including the structure of delegations, enables the organisation
to achieve its objectives with good value for money?
8. If there are any issues likely to lead to qualification of the accounts?
9. If the accounts have been qualified, that appropriate action is being taken to deal with
the reason for qualification?
10. That issues raised by the External Auditor are given appropriate attention?

On the adequacy of management response to issues identified by audit activity, how do
we know:
1. That the implementation of recommendations is monitored and followed up?
2. That there are suitable resolution procedures in place for cases when management
reject audit recommendations which the External Auditor stands by as being
important?

On assurances relating to the corporate governance requirements for the organisation,
how do we know:
1. That the range of assurances available is sufficient to facilitate the drafting of a
meaningful Statement on Internal Control?
2. That those producing the assurances understand fully the scope of the assurances they
are being asked to provide, and the purpose to which they will be put?
3. That mechanisms are in place to ensure that assurances are reliable?
4. That assurances are ‘positively’ stated (i.e. premised on sufficient relevant evidence to
support them)?
5. That the assurances draw appropriate attention to material weaknesses or losses which
shall be addressed?
6. That the Statement on Internal Control realistically reflects the assurances on which it
is premised?

On the work of the Audit Committee itself, how do we know:
1. That we are being effective in achieving our terms of reference and adding value to
corporate governance and control systems of the organisation?
2. That we have the appropriate skills mix?
3. That we have an appropriate level of understanding of the purpose and work of the
organisation?
4. That we have sufficient time to give proper consideration to our business?
5. That our individual members are avoiding any conflict of interest?
6. What impact we are having on an organisation?

Appendix I. Audit Committee Competency Framework

All members of the Audit Committee shall have, or acquire as soon as possible after
appointment:
• Understanding of the objectives of the organisation and current significant issues for
the organisation;
• Understanding of the organisation’s structure, including key relationships;
• Understanding of the organisation’s culture;
• Understanding of any relevant law or other rules governing the organisation;
• Broad understanding of the organisation’s environment, particularly accountability
structures and current major initiatives.

The Audit Committee shall corporately possess:
• Knowledge / skills / experience (as appropriate and required) in:
    o Accounting;
    o Risk management;
    o Audit;
    o Technical or specialist issues pertinent to the organisation’s business.
• Experience of managing similar sized organisations;
• Understanding of the wider relevant environments in which the organisation operates.

Appendix J. Audit Committee Self Assessment Checklist

Composition, Establishment and Duties

1. Does the Audit Committee have written terms of reference that adequately and
realistically define the Audit Committee’s role?
2. Have the terms of reference been adopted by the Board of Directors?
3. Are the terms of reference reviewed annually to take into account governance
developments (including integrated governance principles) and the remit of other
Committees within the organisation?
4. Has the Audit Committee established a plan for the conduct of its own work across the
year?
5. Has the Audit Committee been provided with sufficient membership, authority and
resources to perform its role effectively and independently?
6. Are changes to the Audit Committee’s current and future workload discussed and
approved at Board of Directors level?
7. Are Audit Committee members independent of the management team?
8. Does the Audit Committee report regularly to the Board of Directors?
9. Are members, particularly those new to the Audit Committee, provided with training?
10. Does the Board ensure that members have sufficient knowledge of the organisation to
identify key risk areas and to challenge both line management and the External
Auditor on critical and sensitive matters?
11. Does at least one Committee member have a financial background?
12. Does the Audit Committee prepare an annual report on its work and performance in
the preceding year for consideration by the Board of Directors?

Compliance with Laws and Regulations

1. Does the Audit Committee have a mechanism to keep it aware of topical, legal and
regulatory issues?

Internal Control and Risk Management

1. Has the Audit Committee formally considered how it integrates with other
Committees that are reviewing risk e.g. risk management?
2. Has the Audit Committee formally considered how its work integrates with wider
performance management and standards compliance?
3. Has the Audit Committee been briefed on its assurance responsibilities with regard to
internal control and risk management, particularly with regard to the Statement on
Internal Control, the Assurance Framework and the Chief Audit Executive’s opinion?
4. Has the Audit Committee reviewed whether the reports it receives are timely and have
the right format and content to ensure its internal control and risk management
responsibilities are discharged?
5. Is the Audit Committee satisfied that the Board of Directors has been advised that
assurance reporting is in place to encompass all the organisation’s responsibilities?
6. Is there clarity over the timing and content of the assurance statements received by the
Audit Committee from the Chief Audit Executive?

Internal Audit

1. Do formal terms of reference exist, defining Internal Audit’s objectives,
responsibilities and reporting lines?
2. Are the terms of reference approved by the Audit Committee and routinely
reviewed?
3. Do the terms of reference adequately specify the relationship between the Chief
Audit Executive and the Audit Committee?
4. Are the key principles of the terms of reference set out in the Standing Financial
Instructions?
5. Does the Audit Committee review and approve the Internal Audit plan at the
beginning of the financial year?
6. Does the Audit Committee approve any material changes to the plan?
7. Are audit plans derived from clear processes based on risk assessment with clear
links to the Assurance Framework?
8. Does the Audit Committee receive periodic reports from the Chief Audit
Executive?
9. Has the Audit Committee established a process whereby it reviews any material
objection to the plans and associated assignments that cannot be resolved through
negotiation?
10. Does the Audit Committee effectively monitor the implementation of management
actions arising from audit reports?
11. Does the Chief Audit Executive have a direct line of reporting to the Audit
Committee and its Chairperson?
12. Are any scope restrictions placed on Internal Audit and, if so, what are they and
who establishes them?
13. Is Internal Audit free from any operating responsibilities or conflicts of interest
that could impair its objectivity?
14. Has the Audit Committee determined the appropriate level of detail it wishes to
receive from Internal Audit?
15. Does the Audit Committee hold periodic private discussions with the Chief Audit
Executive?
16. Does the Audit Committee review the effectiveness of Internal Audit and the
adequacy of staffing and resources within Internal Audit?
17. Has the Audit Committee agreed a range of Internal Audit performance measures
to be reported on a routine basis?
18. Is there appropriate cooperation with the External Auditor?
19. Are there any quality assurance procedures to confirm whether the work of
Internal Audit is properly planned, completed, supervised and reviewed?

External Audit

1. Does the External Auditor present its audit plans and strategy to the Audit Committee
for approval?
2. Has the Audit Committee satisfied itself that work not relating to the financial
statements is adequate and appropriate?
3. Does the Audit Committee receive and monitor actions taken in respect of prior years’
reviews?
4. Does the Audit Committee review the External Auditor's annual audit letter?
5. Does the Audit Committee hold periodic private discussions with the External
Auditor?
6. Does the Audit Committee assess the performance of the External Auditor?

Annual Accounts

1. Is the Audit Committee's role in the approval of the annual accounts clearly defined?
2. Is a Committee meeting scheduled to discuss proposed adjustments to the accounts
and issues arising from the audit?
3. Does the Audit Committee annually review the accounting policies of the
organisation?

Administrative Arrangements

1. Does the Audit Committee have a plan of matters to be dealt with over the coming
year?
2. Are papers circulated in good time and are minutes received as soon as possible after
the meetings?
3. Does the Audit Committee meet the appropriate number of times to deal with planned
matters?
4. Are Committee papers distributed in sufficient time for members to give them due
consideration?
5. Are Committee meetings scheduled prior to important decisions being made?
6. Is the timing of Committee meetings discussed with all the parties involved?

Other Issues

1. Has the Audit Committee considered the costs that it incurs, and are the costs
appropriate to the perceived risks and the benefits?
2. Does the Audit Committee assess its own effectiveness periodically?
3. Do the Annual Report and Financial Statements include a description of the Audit
Committee's establishment and activities?

Appendix K. Model of Corporate Governance Questionnaire

Audit Committee members, when carrying out their assessment of the effectiveness of the
organisation’s corporate governance arrangements, may wish to consider (in addition to
reviewing reports from both Internal Audit and the External Auditor) the following questions
and any assurances they might deem appropriate.

The questions are included for guidance only. They are not intended to be exhaustive and will
need to be tailored to the particular circumstances of the organisation.

The Board of Directors

Composition and Balance

1. Has the Board of Directors taken steps to ensure that it is of sufficient size such that
the balance of skills and experience is appropriate for the organisation, yet not so large
as to become unwieldy?
2. Do the independent members of the Board of Directors form a majority for voting
purposes?
3. Has the Board of Directors taken steps to ensure that power and information are not
concentrated in one individual?
4. Does the Board of Directors meet regularly and are meetings well attended?
5. Has the Board of Directors defined its quorum requirements and what happens if it is
not quorate at the outset of a meeting?

Role and Responsibilities

1. Does the Board of Directors recognise its collective responsibility and accountability
for the success of the organisation?
2. Does the Board of Directors recognise its collective responsibility for risk
management, internal control and the governance of the organisation?
3. Is there a formal schedule of matters specifically reserved for decision by the Board of
Directors?
4. Has the Board of Directors developed formal financial and operational procedures to
regulate the organisation?
5. Are the roles of Chairperson of the Board of Directors clearly established, set out in
writing and agreed by the Board of Directors?
6. Are there clearly defined roles and responsibilities for members of the Board of
Directors and senior staff?
7. Is there a formal and transparent structure of delegated powers and authorities?

General Processes

1. Has the Board of Directors established appropriate procedures to ensure that all
applicable laws and regulations are complied with?
2. Has the Board of Directors established procedures to ensure that funds are: properly
safeguarded; used economically, efficiently and effectively; and used for the purpose
they were intended?
3. Has the Board of Directors taken steps to ensure that its members conduct themselves
in accordance with high standards of personal behaviour? Is there a formal definition
of the standards of behaviour expected of members of the Board of Directors and
senior staff?
4. Has the Board of Directors established procedures to identify, record and monitor
conflicts of interest?
5. Is there an agenda item at the beginning of each Board of Directors meeting that
requires members attending to declare any interest that any of them may have in the
business of that meeting?

Appointments to the Board of Directors and its Committees

1. Is there a formal, rigorous and transparent procedure for appointing new members to
the Board of Directors and its Committees?
2. Has the Board of Directors appointed a nominations Committee, with a majority of
independent members, to develop recommendations?
3. Are appointments to the Board of Directors made on merit and against objective
criteria?
4. Does the Board of Directors have plans in place for the orderly succession of members
of the Board of Directors and senior management, so as to maintain an appropriate
balance of skills and experience within the organisation?
5. Are members of the Board of Directors and key Committees required to submit
themselves for re-election at regular intervals, subject to continued satisfactory
performance?
6. Are the duties, terms of office and remuneration (if any) of the members of the Board
of Directors clearly defined?

Information and Professional Development

1. Has the Board of Directors taken steps to ensure that it and its Committees are
supplied in a timely manner with information in a form and of a quality appropriate to
enable it to discharge its duties?
2. Does the Board of Directors take steps to ensure that its members, and any individuals
co-opted to its Committees, receive an appropriate induction on joining the Board of
Directors and its Committees?
3. Does the Board of Directors take steps to ensure that its members, and any individuals
co-opted to its Committees, continually update and refresh their skills and knowledge?
4. Are procedures in place to ensure that members of the Board of Directors have access
to independent professional advice, at the organisation’s expense, where they judge it
necessary to discharge their responsibilities as members of the Board of Directors?
5. Do all members of the Board of Directors have access to the impartial advice and
services of the secretary to the Board of Directors (or equivalent)?

Performance Evaluation

1. Does the Board of Directors undertake a formal and rigorous regular evaluation of its
own performance and that of its Committees and individual members of those bodies?

Remuneration and Reward Arrangements

1. Has the Board of Directors established a formal, transparent procedure (such as a
remuneration Committee) for making recommendations on the remuneration and
terms of employment of the Directors and other senior officers?
2. Does the Board of Directors take appropriate action to ensure that the remuneration
Committee (or equivalent) comprises individuals with the necessary skills, experience
and independence?
3. Are procedures in place to ensure that remuneration is sufficient to attract and retain
appropriate senior staff, but not more than is necessary for this purpose?
4. Are procedures in place to ensure that the organisation discharges its duties regarding
the remuneration of staff, including union recognition, termination of employment and
similar matters?

Dialogue with Stakeholders


1. Has the Board of Directors established clear channels of communication with the
organisation’s major stakeholders?
2. Has the Board of Directors established processes to ensure that communication
channels are fit for purpose and working as intended?
3. Are the names of all members of the Board of Directors made publicly available along
with the process for making appointments to the Board of Directors?

Audit and Accountability


Financial Reporting
1. Is the annual report produced by the Board of Directors a balanced and understandable
assessment of the organisation’s position and prospects?
2. Does the Board of Directors include in the annual report an explanation of its
responsibility for preparing the organisation’s accounts?
3. Does the Board of Directors include a statement confirming compliance with the
principles of corporate governance in the annual report?

Internal Control
1. Does the Board of Directors, at least annually, conduct a review of the effectiveness of
the organisation’s system of risk management and internal controls, covering all risks
and controls including financial, operational and compliance?
2. Does the Board of Directors include a statement on the effectiveness of the system of
risk management, internal control and governance within the annual report?

Audit Committee and Auditors


1. Is the Audit Committee set up in accordance with the requirements of the Board of
Directors?
2. Does the Board of Directors take appropriate action to ensure that the Audit
Committee comprises individuals with the necessary skills, experience and
independence?
3. Have the role and responsibilities of the Audit Committee been agreed by the Board of
Directors and set out in sufficiently detailed written terms of reference?
4. Has the Board of Directors taken steps to ensure that it receives independent, objective
advice as to the arrangements for adequate and effective risk management, control and
governance, and for the economy, efficiency and effectiveness of the organisation’s
activities?
5. Does the Audit Committee review arrangements by which employees may, in
confidence, raise concerns about possible improprieties in matters of financial
reporting or other matters?
6. Has the Board of Directors taken steps to establish and maintain an effective Internal
Audit function, whether in-house, co-sourced or outsourced?
7. Has the Board of Directors taken steps to establish and maintain an objective
relationship with the External Auditor?

Appendix L. Model of Audit Committee Annual Report

The Audit Committee is required to prepare an annual report for submission to the Board of
Directors. The Audit Committee annual report should be supported by the Internal Audit
annual report, which would therefore normally accompany it. The annual report should be
prepared as early as possible after the end of each financial year, with the aim of it being
available before the annual financial statements are signed. The report should be signed and
dated by the Chairperson of the Audit Committee. This model indicates what could be
included in the annual report.

Title

Full name of organisation, Audit Committee Annual Report, financial year. Addressed to
Board of Directors.

Introduction

Period covered; this should relate specifically to the Audit Committee’s work on the relevant
financial year. However, any additional issues should be covered where appropriate,
particularly if they affect the opinion (for example, where the previous year’s annual report
could not include something because of timing, or issues have arisen since the year end).

Membership

Names; details of changes and dates thereof; terms of office; identity of Chairperson; also
separately give details of the Secretary to the Audit Committee.

Meetings

Dates of meetings, note of members attending, and a general statement about who else is
normally in attendance.

Terms of Reference

If applicable, details of changes and their effect on the work of the Audit Committee.

Internal Audit

1. Name of provider; details of any changes made or due; fee basis; Audit Committee’s
assessment of performance for the year (including the use of performance measures
and obtaining the views of the External Auditor).
2. Review of appointment; when market testing is due for consideration.
3. Review of Chief Audit Executive annual report (which may be attached to the Audit
Committee annual report); achievement of planned work; consideration of and
comment on Internal Audit overall opinion of risk management, control and
governance arrangements, as necessary.
4. Review of audit risk assessment and strategy as appropriate. Number of audit days last
year/next year. Details of any restrictions placed on the work of Internal Audit.
5. Review of audit reports (may appropriately focus on only the more significant issues);
Audit Committee’s view of management responses to audit findings and
recommendations; resolution of issues arising.
6. Review of unplanned or special reports; Audit Committee’s view of management
responses to the findings and recommendations; details of any significant
recommendations outstanding.
7. Summary of important findings and recommendations.
8. Confirmation that the Audit Committee has held one or more closed meetings with the
Chief Audit Executive during the course of the year.

External Audit

1. Name of provider; details of any changes made or due; fee basis; Audit Committee’s
assessment of performance for the year (for example, audit planning, timetable set and
met); confirmation to the Board of Directors of recommendation of annual
re-appointment (or deferral to next meeting); when market testing is due for
consideration.
2. Details of any non-audit services provided.
3. Review of the External Auditor’s management letter (draft and final versions where
appropriate); significant points arising; Audit Committee’s view of management
responses to the findings and recommendations.
4. Confirmation that the Audit Committee has held a closed meeting with the External
Auditor following completion of the external audit.

Other Work Done

1. Where undertaken, review of specific parts of the annual accounts (preferably between
Finance Committee and Board of Directors), including members’ responsibility and
Statement on Internal Control, any relevant issue raised in Management Letter, and the
External Auditor’s formal annual opinion.
2. Review of assurances received from management and other significant assurance
providers.
3. Review of the organisation’s risk management strategy.
4. Other work, including reports, letters and other requirements (such as review or
changes to codes of audit practice); special reports or investigations not dealt with
elsewhere (e.g. on major fraud or irregularity); significant changes to the
organisation’s risk management, internal control and governance systems, other formal
certificates or returns seen; review of financial regulations, including amendments,
communication or recommendations made; issues arising on joint ventures, subsidiary
or associated companies. Recommendations made not dealt with elsewhere.

Other

1. Issues not relevant to the reporting year, such as forthcoming events and issues
relating to prior years.

Opinion

1. Audit Committee’s opinion on the adequacy and effectiveness of organisational
arrangements (up to date of its report) for the following:
• Risk management, control and governance (risk management element includes
accuracy of Statement on Internal Control included with annual statement of
accounts)
• Economy, efficiency and effectiveness (value for money).
2. These opinions should be based on the information presented to the Audit Committee.
3. New arrangements coming into effect in 2009 may require Audit Committees to
consider whether quality control of their organisational returns is adequate.

Appendix M. Model of a Whistle-blowing Policy

Introduction

All employees are encouraged to raise genuine concerns about possible improprieties in
accounting, auditing or other matters, and other malpractices, at the earliest opportunity and in
an appropriate way.

This policy is designed to:


• Support our values.

• Ensure that staff can raise concerns without fear of suffering retribution.

• Provide a transparent and confidential process for dealing with concerns.

The policy not only covers possible improprieties in matters of financial reporting, but also:
• Fraud.
• Corruption, bribery or blackmail.
• Criminal offences.
• Failure to comply with a legal or regulatory obligation.
• Failure to properly safeguard assets.
• Miscarriage of justice.
• Endangering the health and safety of an individual.
• Concealment of any of the above.

Principles

• All concerns raised will be treated fairly and properly.


• We will not tolerate the harassment or victimisation of anyone raising a genuine
concern.
• Any individual making a disclosure will retain their anonymity unless they agree
otherwise.
• We will ensure that any individual raising a concern is aware of who is handling the
matter.
• We will ensure that no one will be at risk of suffering some form of retribution as a
result of raising a concern, even if they are mistaken. We do not, however, extend this
assurance to someone who maliciously raises a matter they know to be untrue.

Grievance Procedure

If any employee believes reasonably and in good faith that malpractice exists in the
workplace, then they should report this immediately to their Head of Department. However, if
for any reason they are reluctant to do so, they should report their concerns to the Director of
Human Resources.

Employees concerned about speaking to a member of staff can speak, in confidence, to an
independent third party by calling the whistle-blowing hotline on (tel). This is provided
through the independent party which supplies a counselling and legal advice service.
Employees’ concerns will be reported to the organisation without revealing their identity.

If these channels have been followed and employees still have concerns, or feel that the
matter is so serious that it cannot be discussed with any of the above, they should contact the
Chairperson of the Audit Committee on (tel).

Individuals who raise concerns internally will be informed of who is handling the matter, how
they can make contact with them, and if any further assistance is required. We will give as
much feedback as we can without any infringement of a duty of confidence owed by us to
someone else.

An individual’s identity will not be disclosed without prior consent. Where concerns are
unable to be resolved without revealing the identity of the person raising the concern (e.g. if
that person’s evidence is required in court), we will enter into a dialogue with the individual
concerned as to whether and how we can proceed.

Appendix N. Model Policy on Using External Auditor for Non-audit
Services

This document sets out the policy for the appointment and remuneration of the External
Auditor for any work undertaken on behalf of the organisation. It outlines the control
processes that will be put in place to ensure compliance with the policy.

Statutory Audit

The Chief Financial Officer will recommend the overall fee for statutory audit to the Audit
Committee. It is the responsibility of the Audit Committee to review the proposed audit fee
and recommend it to the Board of Directors for approval.

The Audit Committee will review the independence and effectiveness of the External Auditor
on an annual basis.

Other Work as Auditor or Reporting Accountants

While it is difficult to be precise about the definition of other work the External Auditor may
undertake as Auditor, it includes the following:
• Any other review of the accounts for regulatory purposes;
• Assurance work related to compliance and corporate governance, including high-level
controls;
• Regulatory reviews commissioned by the Audit Committee;
• Accounting advice and reviews of accounting standards.

The Chief Financial Officer must clear the appointment of the External Auditor for any such
work in advance with the Chairperson of the Audit Committee.

The Audit Committee will receive a quarterly report analysing fees paid for non-audit
services, with additional commentary on assignments agreed during the quarter.

Tax Advisory Services

The External Auditor may provide tax advisory services, including tax planning and
compliance, provided such advice does not conflict with the External Auditor’s statutory
responsibilities and ethical guidance.

The Audit Committee will determine whether the appointment of the External Auditor for any
tax work would conflict with the External Auditor’s statutory duties. Any tax assignment in
excess of (€x) requires the approval of the Chief Financial Officer, who will consult with the
Chairperson of the Audit Committee in respect of any assignment over (€y). The Audit
Committee will receive a quarterly report on the tax advisory services provided by the
External Auditor.

Merger/Acquisition Support

It is permissible for the External Auditor to be appointed to undertake specific merger /
acquisition activities on behalf of the organisation. However, the External Auditor cannot be
appointed to undertake such work without the prior approval of the Chief Financial Officer,
who will consult with the Chairperson of the Audit Committee regarding any assignment that
could involve fees in excess of (€x). Any fees paid in respect of merger / acquisition activity
will be reported quarterly to the Audit Committee.

Other Accounting Advisory and Consultancy Work

There may be occasions when the External Auditor is best placed to undertake other
accounting, investigatory, advisory and consultancy work on behalf of the organisation,
because of the External Auditor’s in-depth knowledge of the organisation. However, the
following are specifically prohibited:
• Work related to accounting records and financial statements that will ultimately be
subject to external audit;
• Management of, or significant involvement in, Internal Audit;
• Secondments to management positions that involve any decision-making;
• Any work where a mutuality of interest is created that could compromise the
independence of the External Auditor;
• Any other work which is prohibited by ethical guidance.

Any assignment in excess of (€x) can only be awarded to the External Auditor after
competitive tender. The inclusion of the External Auditor on a tender list requires the prior
approval of the Chief Financial Officer. The Chief Financial Officer will consult with the
Chairperson of the Audit Committee regarding any tender for work in excess of (€y). Details
of all such work and fees paid will be reported quarterly to the Audit Committee.

Appendix O. Model Policy on Employing Former Employees of the
External Auditor

The Audit Committee has adopted the following policy regarding the employment of former
employees of the organisation’s External Auditor.

For the purposes of this policy, the “External Auditor” means any partner, director, manager,
staff, reviewing actuary or reviewing tax professional associated with the organisation’s
External Auditor who works on any aspect of the annual audit of the organisation’s financial
statements.

For the purposes of this policy, “employee of the organisation’s External Auditor” includes
any person regularly providing professional services on behalf of the External Auditor,
regardless of whether that person is legally an employee of the firm. For example, if the
External Auditor is a partnership, a partner would be deemed an “employee of the
organisation’s External Auditor”. For the purposes of these guidelines, ‘organisation’ includes
ABC Company and its subsidiaries.

No employee of the External Auditor can be hired to a financial reporting oversight role
within two years of their association with the audit. A financial oversight role is any position
that has direct responsibility for overseeing those who prepare the organisation’s financial
statements.

No former employee of the organisation’s External Auditor may be an officer of the
organisation within two years of the termination of their employment with the organisation’s
External Auditor.

No former employee of the organisation’s External Auditor may join the senior executive
team without the approval of the Director of Human Resources and the Chairperson of the
Audit Committee.

Each year, the Director of Human Resources shall inform the Audit Committee of any former
employees of the External Auditor employed by the organisation in the preceding year.

Appendix P. Evaluation of the External Auditor

The following is a suggested checklist framework for the Audit Committee to carry out a
formal review of the effectiveness and efficiency of the External Auditor.

It provides the Audit Committee with a disciplined approach to keeping the External Auditor’s
performance under review.

It will also help to ensure that the External Auditor remains alert to the organisation’s needs
and to maintaining an appropriate relationship with the executive management, the Audit
Committee and the Board of Directors as a whole.

This is not an exhaustive list of questions. The Audit Committee should tailor and adapt the
questions to the specific circumstances.

In carrying out its assessment, the Audit Committee should also consider the views of other
parties who come into contact with the external audit team, such as the Chief Financial
Officer and Internal Audit.

Calibre of External Auditor

1. What is the reputation of the External Auditor? Are there recent or current litigation
cases against the firm?
2. What is the reputation and presence of the External Auditor in the organisation’s
sector?
3. Does the External Auditor have the required resources to audit the organisation?

Quality Processes

1. What quality control processes does the External Auditor operate? (Factors to be
considered include the level and nature of review procedures, the approach to audit
judgements and issues, independent quality control reviews and the External Auditor’s
approach to risk.)
2. How are partners and key members of the engagement team rewarded? Do these
compensation arrangements threaten the External Auditor’s independence?
3. What is the External Auditor’s process for internal review of accounting judgements,
including an understanding of the key issues?
4. What relevant specialists does the External Auditor employ and how are these
deployed to the audit process?

Audit Team

1. Do the individuals assigned to the external audit team have the requisite expertise
regarding the higher education sector?
2. Are sufficient resources allocated to the audit?
3. What is the scope of the engagement partner’s/other senior personnel’s involvement in
the audit process and is this sufficient?
4. Does the External Auditor have adequate succession plans in place for key team
members? Do these plans meet the relevant audit partner rotation requirements and
facilitate the maintenance of objectivity?

Scope of External Audit

1. Is the scope of external audit adequate to address all of the financial reporting risks
facing the organisation?
2. Does the External Auditor agree the audit scope and plan with the Audit Committee?
3. Is specialist input to the external audit in areas such as taxation and pensions at an
appropriate level?
4. Are all the organisation’s key subsidiaries and business ventures covered by the
external audit?
5. What is the External Auditor’s approach to seeking and assessing management
representations?
6. Does the External Auditor have an effective working relationship with Internal Audit?

Audit Fee

1. Is the external audit fee reasonable given the scope of the external audit, and how does
it compare with that for other similarly sized organisations?
2. How are differences between actual and budgeted fees handled? Are overruns
reasonable and explained to the Audit Committee?
3. Is the quantum of non-audit fees likely to have an impact on audit objectivity?

Audit Communications

1. Does the External Auditor advise the Audit Committee on a timely basis about
significant issues and new developments regarding risk management, corporate
governance, financial accounting and related risks and controls?
2. Does the External Auditor discuss the critical accounting policies and whether the
accounting treatment is conservative or aggressive?
3. Does the External Auditor contribute positively in Audit Committee meetings (and
private sessions)? Are the External Auditor’s papers and oral communications clear,
concise, open, focused and robust?
4. Does the External Auditor resolve accounting issues in a timely manner and keep
management and the Audit Committee apprised of progress as appropriate?
5. Does the External Auditor seek feedback on the quality and effectiveness of the
service it provides? Does it listen and take appropriate action to remedy any issues?

Audit Governance and Independence

1. Does the External Auditor employ open lines of communication/reporting with the
Audit Committee?
2. Are unadjusted audit differences and significant weaknesses in internal controls
clearly communicated on a timely basis?
3. Do the individuals assigned to the audit demonstrate a high degree of integrity in their
dealings with the Audit Committee?
4. Does the External Auditor discuss with the Audit Committee its internal process for
ensuring independence?
5. Does management hold the External Auditor in high regard? Does it consider the audit
process to be objective and challenging?

Appendix Q. External Audit: Model of the Terms of Reference

(The Board of Directors should be notified of any material difference between this model
letter and the External Auditor’s letter.)

To the members of the Board of Directors of (organisation)

Appointment and Qualification

1. As appointed Auditor of (organisation) we agree to the following basis on which we shall
perform our duties.

2. We understand that the Board of Directors (this will require modification where the Board
of Directors does not appoint the Auditor) will assess the Auditor’s work in each year and
undertake a detailed review of the appointment at least every three years. Remuneration will
be fixed by the Board of Directors on the advice of the Audit Committee.

3. We confirm that we are qualified as Auditor in accordance with relevant legislation.

Responsibilities of the Organisation

4. We recognise that the Board of Directors is responsible on behalf of the organisation for:

a. Establishing and maintaining a system of controls – financial and otherwise – in order to
carry on the operation of the organisation in an orderly and efficient manner, ensure
adherence to management policies, safeguard the assets and secure, as far as possible, the
completeness and accuracy of the records.
b. Preparing financial statements that:
i. Comply with the organisation’s charter and statutes, all statutory requirements
relating to the organisation’s financial affairs, the financial memorandum (dated
...................) with the Board of Directors, and other regulations relating to the
constitution and activities of the organisation and which are relevant to its financial
affairs
ii. Show a true and fair view of the state of the organisation’s affairs at 31 December,
and of the cash flows and income and expenditure for the year then ended, taking into
account where relevant and appropriate all required statutory and other disclosure
requirements.

Standards of Audit

5. We will undertake the audit of the organisation’s financial statements and such other matters
as the Board of Directors requires in accordance with Generally Accepted Auditing Standards,
having regard to applicable auditing guidelines and auditing standards issued by the relevant
authorities.

Reporting

a. We, as Auditor, are responsible for making a report to the Board of Directors on the
financial statements which are to be laid before the Board of Directors during our tenure
of office.
6. Our report will state whether in our opinion the financial statements show a true and fair
view of the organisation’s affairs at 31 December, and of the cash flow and income and
expenditure for the year then ended.

7. In arriving at our opinion we are required to consider the following matters and to report on
any aspect where we are not satisfied, namely whether:
• Proper records are being kept by the organisation;
• The financial statements agree with the accounting records;
• We have obtained all the information and explanations we think are necessary
for the purpose of our audit;
• The financial statements comply with all legislative or regulatory
requirements.

8. We will also report to the Board of Directors as to whether, in all material respects, monies
expended from whatever source, administered by the organisation for specific purposes, have
been properly applied to those purposes and, if appropriate, managed in compliance with any
relevant legislation.

9. We agreed with the organisation the wording of an unqualified audit report at the time of
our appointment. Any subsequent modifications or qualifications will be based on our
professional judgement, but will comply with Generally Accepted Auditing Standards.

10. We undertake to report to the Board of Directors any significant matters arising from the
audit which might lead to material errors or have an impact on future audits. This could
include areas where economies might be made or resources could be used more effectively,
with advice for improvement. The management letter could include:
• Weaknesses in the structure of accounting systems and internal control;
• Deficiencies in the operation of accounting systems and internal control,
including Internal Audit;
• That the work of Internal Audit has been assessed, and the extent to which
reliance can be placed on the work of Internal Audit in support of external
audit work;
• Inappropriate accounting practices and regulations;
• Non-compliance with legislation, accounting standards, Board of Directors
requirements or other regulations.

Irregularities, Including Fraud

11. The Board of Directors is responsible for ensuring the establishment and maintenance of
adequate risk management, control and governance arrangements. It is also responsible for
ensuring compliance with statutory, taxation and other regulations and for the prevention and
detection of irregularities, including fraud. We are not required to search specifically for such
matters and our audit should not therefore be relied on to disclose them. However, we will
plan and conduct our audit so that we have a reasonable expectation of detecting material
misstatements in the accounts resulting from irregularities, including fraud or breach of
regulations.

12. We will report in writing to the Board of Directors any serious weaknesses, fraud,
irregularities or accounting breakdowns we come across in the normal course of our duties.

Other Work

13. We may be asked from time to time to provide additional services beyond the scope of the
audit described above. This could involve investigation work and value for money reviews.
Precise requirements will be agreed between the Board of Directors and ourselves in a
separate engagement letter before any work is undertaken. Any systems development or
consultancy work will be the responsibility of separate staff.

Access

14. We shall have rights of access at all times to the books, accounts and vouchers of the
organisation and to such information and explanations as we think necessary to perform our
duties. We also expect to have access to Internal Audit files and working papers. We, in turn,
agree to comply with any requests from Internal Audit and the Board of Directors for access
to any information, files or working papers obtained or prepared during our audit which they
need to discharge their responsibilities. Where necessary, the Board of Directors will
exchange letters dealing with confidentiality and the terms under which access is given with
both parties.

15. We shall have the right of access to the Chairperson of the Audit Committee, the right to
ask the Chairperson to convene a meeting of the Audit Committee if necessary, and the right
to attend Audit Committee meetings where relevant business is to be discussed.

Annual Meetings

16. We will be entitled to attend the meeting of the Board of Directors to which the
organisation’s annual reports and financial statements of accounts are presented. We will also
be entitled to receive all notices of and other communications relating to that meeting which
any member of the Board of Directors is entitled to receive, and to be heard at any such
meeting on any part of the business which concerns us as External Auditor.

Termination of Appointment

17. We understand that if there are serious shortcomings on our part the Board of Directors
may pass a resolution to remove us before the expiry of our term of office, notwithstanding
any agreement between us and the organisation.

Fees

18. (A paragraph setting out the External Auditor’s terms for charging and collecting fees
should be included.)

Other Terms

19. (The External Auditor may include certain additional paragraphs for internal purposes, for
example on confidentiality, conflicts of interest, quality of service, complaints procedure and
legal jurisdiction.)

Agreement of Terms

20. If the contents of this letter are not in accordance with your understanding of the
arrangements made, we shall be pleased to receive your observations and give you any further
information you require. Otherwise we shall be grateful if you would confirm in writing your
agreement to the terms of this letter by signing the enclosed copy and returning it to us. Once
agreed, this letter will remain effective from one audit appointment to another until it is
replaced.

Yours Sincerely

(Signed by the External Auditor)

On behalf of the Board of Directors of (organisation), I confirm that the above terms are
satisfactory.

Signed

Position

Date

Appendix R. Guidelines for Hiring the Chief Audit Executive (CAE)

The Internal Audit function is a key mechanism in the internal control structure, so care
must be taken to hire the right Chief Audit Executive (CAE): one who fits the needs of the
organisation with the necessary technical expertise, and who also meets other requirements
(industry experience, temperament, integrity, management and human relationship skills,
etc.).

Role of the Chief Audit Executive

A critical activity of the Audit Committee is to be involved in the hiring of the CAE of the
organisation. The CAE will have a high degree of interaction with the Audit Committee, so
the Audit Committee should be comfortable working with this person. In many companies,
the CAE will report functionally to the Audit Committee and administratively to a senior
executive of the company.

CAE Qualifications

In general, candidates for a CAE position should have distinguished themselves
professionally by earning a CPA or Certified Internal Auditor (CIA) credential, and should
have significant experience (10 years or more) in a management role and strong technical
skills in accounting and auditing. In addition, because of the breadth of experience it offers,
the Audit Committee should seek candidates who have experience in public accounting (or its
equivalent) and possibly an advanced business degree such as an MBA.

The following questions are ones the Audit Committee should consider asking candidates that
have passed the initial employment screening by either the organisation’s human resources
department or an outside recruiting firm. Note that some sample questions may not be
appropriate for your organisation or the candidate.

1. What do you consider to be Internal Audit’s role within the business?
2. What do you see as the biggest challenges for an Internal Audit team in the short run
(3 to 6 months), medium term (6 to 12 months) and over the next 2 to 3 years?
3. What experience do you have in our industry, and how do you plan to keep abreast of
the significant developments relevant to Internal Audit in this industry? What is your
experience in addressing different business practices in different countries?
4. Have you ever been offered a gratuity or a payment that could be construed as a bribe?
What were the circumstances, and how did you handle the situation?
5. Have you worked with Audit Committees in the past? What processes have you put in
place to keep the Audit Committee fully and appropriately informed? In the course of
a year, what is the typical number of meetings/communications between the CAE and
the Audit Committee (chair)?
6. In your previous company, what type of technology platform was used? Have you
been involved in an enterprise resource planning (ERP) system implementation? What
role did you play in the process and how did you make sure that the proper controls
were in place when the system went live?
7. Give some examples of situations you have faced that required special meetings with
the Audit Committee in executive session as a result of disagreements with
management. How were these situations resolved with management? Have there been
situations in which management has tried to squash your recommendations or
discredit your findings, and how did you respond to this? In retrospect, would you
now handle these situations differently?
8. Have you worked with the Audit Committee of Sponsoring Organisations (the
Treadway Commission) Internal Control Framework? How has the framework
influenced your process in evaluating the adequacy of internal controls? How is this
framework used to design your Internal Audits?
9. Have you used technology in conducting Internal Audits, and how has it enhanced
the conduct of the Internal Audit? How would you recognise a problem that might
exist either in the Internal Audit data, or in the company’s records? What would you
do about it?
10. Do you use a formal project planning process, which is applied consistently, for all
Internal Audits? If so, what benefits have you derived in meeting your team’s goals
and objectives? What is your average report cycle time from the end of fieldwork?
11. How would you or the Internal Audit team ensure the identification of all locations
required to be audited under the rules of the Sarbanes-Oxley Act with respect to
section 404 on internal control? Have you ever conducted a formal risk assessment,
and how have you incorporated the results into setting up an audit plan?
12. What role have you played in assisting divisions, subsidiaries, or locations in the
implementation of recommendations?
13. When you or your team conducts an internal audit, do you have a service orientation
to your audit process? Do you work to improve the effectiveness and efficiency of the
operations and controls in each audit area? How would you make your
recommendations to management? What process would you use to resolve differences
of opinion?
14. Would you use a process for conducting a “customer satisfaction” survey after an
internal audit is completed? How would you integrate this feedback into future audits?
15. How would you ensure that the personnel in Internal Audit have the necessary skills to
ensure an adequate understanding of divisional or departmental business?
16. What roles do the organisation’s strategic and technology plans play in the
development of an audit plan?
17. Have you gone out to divisions, subsidiaries, or locations to ensure that they have
significant input into audit objectives and scopes? How is this achieved? How have
you resolved differences of opinion in this area without compromising the goals you
have established for an audit?
18. How many people have you managed, either as direct reports, or within an
organisation that you might have overseen? How would you describe your
management style? Have you ever participated in a 360-degree assessment process? If
so, what did you learn about yourself that surprised you? How did the results of the
assessment change your behaviour?



Appendix S. Internal Audit: Model of the Terms of Reference

The Internal Audit Department is responsible for providing an objective, independent
appraisal of all the organisation’s activities, financial and otherwise. It should provide a
service to the whole organisation, including the Board of Directors and all levels of
management. It is not an extension of, nor a substitute for, good management, although it can
have a role in advising management.

The Internal Audit Department is responsible for evaluating and reporting to the
organisation’s Audit Committee and Board of Directors, thereby providing them with
assurance on the arrangements for risk management, control and governance. It remains the
duty of management, not Internal Audit, to operate these arrangements.

Scope

The entire organisation’s activities fall within the remit of the Internal Audit Department. The
Internal Audit Department will consider the adequacy of controls necessary to secure
propriety, economy, efficiency and effectiveness in all areas. It will seek to confirm that
management has taken the necessary steps to achieve these objectives and manage the
associated risks.

The scope of Internal Audit work should cover all operational and management controls, and
should not be restricted to the audit of systems and controls necessary to form an opinion on
the financial statements. This does not imply that all systems will be subject to review, but
rather that all will be included in the audit risk assessment and hence considered for review
following the assessment of risk.

It is not within the remit of the Internal Audit Department to question the appropriateness of
policy decisions. However, Internal Audit is required to examine the arrangements by which
such decisions are made, monitored and reviewed, and related risks identified and managed.

The Internal Audit Department may also conduct any special reviews requested by the Board
of Directors, Audit Committee or Management, provided such reviews do not compromise its
objectivity or independence, or achievement of the approved audit plan.

Responsibilities

The Chief Audit Executive is required to give an annual opinion to the Board of Directors,
through the Audit Committee, on the adequacy and effectiveness of the arrangements for risk
management, control and governance and for economy, efficiency and effectiveness (value for
money) within the organisation, and the extent to which the Board of Directors can rely on
these. The Chief Audit Executive should also comment on other activities for which the Board
of Directors is responsible, and to which the Internal Audit Department has access.

To provide the required assurance, the Internal Audit Department will undertake a programme
of work, based on a strategy authorised by the Board of Directors or the Audit Committee.



The programme will evaluate the arrangements in place to:
• Establish and monitor the achievement of organisational objectives
• Identify, assess and manage risks to the achievement of those objectives
• Assess compliance with policies, laws and regulations
• Ascertain the integrity and reliability of financial and other information provided to
management and stakeholders, including that used in decision-making
• Ascertain that systems of control are laid down and operate to promote the economic,
efficient and effective use of resources and to safeguard assets.

Standards and Approach

The Internal Audit Department’s work will be performed with due professional care, in
accordance with Generally Accepted Auditing Standards.

In achieving its objectives, the Internal Audit Department will develop and implement an
audit strategy that assesses the organisation’s arrangements for risk management, control and
governance and for achieving value for money.

The Chief Audit Executive will implement measures to monitor the effectiveness of the
Department and compliance with standards. The Audit Committee will consider and approve
these performance measures and may also ask the External Auditor to provide an independent
assessment of Internal Audit’s effectiveness.

Independence

The Internal Audit Department has no executive role, nor does it have any responsibility for
the development, implementation or operation of systems. However, it may provide
independent and objective advice on risk management, control and governance, value for
money and related matters, subject to resource constraints.

Within the organisation, responsibility for risk management, control and governance
arrangements and the achievement of value for money rests with the Board of Directors and
the Management, who should ensure that appropriate and adequate arrangements exist
without reliance on the organisation’s Internal Audit Department. Where there are differences
of opinion between Internal Audit and the Management, the Board of Directors (on the advice
of the Audit Committee) should ultimately determine whether or not to accept audit
recommendations, recognise and accept the risks of not taking action, and instruct
management to implement recommendations.

Access

The Internal Audit Department has rights of access to all the organisation’s records,
information and assets which it considers necessary to fulfil its responsibilities. The Chief
Audit Executive has a right of direct access to the Chairperson of the Board of Directors and
the Chairperson of the Audit Committee. In turn, the Internal Audit Department agrees to
comply with any requests from the External Auditor for access to any information, files or
working papers obtained or prepared during audit work which they need to discharge their
responsibilities.

Reporting

The Chief Audit Executive must submit an annual report to the Board of Directors through the
Audit Committee. This report must relate to the organisation’s financial year, and include any
significant issues affecting the opinion up to the date of preparing the report.

The report should give an opinion on the adequacy and effectiveness of the organisation’s
arrangements for:
• Risk management, control and governance;
• Economy, efficiency and effectiveness; and
• The extent to which the Board of Directors can rely on them.

The Chief Audit Executive should also prepare, before the beginning of the year, an audit risk
assessment and audit plan supported by an assessment of resource needs. These should be
submitted to the Board of Directors for approval following consultation with relevant
managers, and after consideration by the Audit Committee.

The Chief Audit Executive is accountable to the Board of Directors through the Audit
Committee for the performance of the service. The Chief Audit Executive should also report
audit findings to relevant managers and draw the attention of the Audit Committee to key
issues and recommendations. This may be done by providing the Audit Committee with
copies of all reports, or by reporting on an exception basis, or by providing a summary of key
issues.

The Internal Audit Department should usually produce its reports, in writing, within one
month of completing each audit, giving an opinion on the system reviewed and making
recommendations to improve systems where appropriate. Such reports should be copied to the
Audit Committee and to the External Auditor, entirely or in summary. Managers will be
required to respond to each audit report, usually within one month of issue, stating their
proposed action with a timetable for implementing agreed recommendations. Material
recommendations will usually be followed up within a defined timescale. In addition, the
Audit Committee will monitor the implementation of audit recommendations.

The Chief Audit Executive should report to the Management any serious weaknesses,
significant fraud or major accounting breakdown discovered during the normal course of audit
work. If the Management refuses to report the matter to the Chairperson of the Audit
Committee and to the Chairperson of the Board of Directors, then the Chief Audit Executive
must report to them directly.

Liaison

The Chief Audit Executive will liaise with the External Auditor to optimise the audit services
provided to the organisation.



Appendix T. Engaging Independent Counsel and Other Advisers

When selecting independent counsel or other advisers (expert/adviser) for an engagement
within the company, the Audit Committee should not only consider the education, training,
and experience of the specialists and staff assistants actually performing the work, but it
should determine that the service provider: (1) maintains integrity and objectivity; (2) is free
of conflicts of interest with respect to the members of the Audit Committee and the
organisation; (3) has the expertise and resources necessary to do the work it is under
consideration to do; and (4) has a reputation for reliability, among other considerations.

Although the nature of every engagement will be different, the initial steps the Audit
Committee (or its designee) should undertake when engaging external resources include the
following:

1. Determine that the expert/adviser has the competence and experience to perform the
requested service. Check references with other clients of the service provider.
2. Determine whether the expert/adviser has a conflict of interest with respect to the
organisation. Such a conflict might arise if the expert/adviser has a relationship with
the External Auditor, or if they provide service to a competitor. Depending on the
nature of the service to be offered, a conflict could arise if the expert/adviser has a
relationship with a member of the Board of Directors, or a member of the
organisation’s management. Be aware of other potential conflicts of interest that may
distract, or undermine, the work to be done.
3. Determine if the expert/adviser has sufficient resources to perform the work in the
time frame specified by the Audit Committee.
4. Evaluate the scope of work to be performed and other issues, including the proposed
plan for payment of fees and expenses.
5. Make sure all parties (including management and the expert/adviser) understand that
the Audit Committee is the owner of the service relationship. Make sure that
management understands that the expert/adviser is working on behalf of the Audit
Committee and the Audit Committee expects management to be fully cooperative and
forthcoming with respect to any information that may be requested.
6. Determine the criteria that will be used to measure the expert’s/adviser’s work and
document those criteria in an agreement with the service provider.



Appendix U. Model of an Internal Audit Plan

The role of Internal Audit is to provide an independent, objective opinion on an organisation’s
risk management, internal control and governance and the processes in place for ensuring
effectiveness, efficiency and economy.

Each audit plan will be different and tailored to the organisation’s needs. However, there are
common elements that the Audit Committee should expect to see when reviewing the audit
plan, albeit in practice these elements might be presented in many different ways. These
elements are as follows.

Overview of the Audit Approach

The Audit Committee should expect the audit planning document to set out that the audit plan
has been developed by:

• Taking account of the risks identified by the organisation in its risk register and other
documents;
• Using Internal Audit’s experience of the organisation and the sector more generally to
identify other areas of risk which may warrant attention;
• Discussing all identified risks and other relevant issues with the organisation’s
management to identify the potential scope of Internal Audit.

Risk-focused Internal Audit Coverage

Where the organisation’s risk management policy allocates each risk a likelihood and impact
rating between ‘high’ and ‘low’, the audit plan might for example focus on ‘high’ and
‘medium’ priority risks over (say) a three-year period. However the Internal Audit is focused,
the Audit Committee should be fully informed of:

• Which areas are being addressed;
• How many audit days have been allocated to each area;
• When the fieldwork is being undertaken;
• When Internal Audit will report their findings.

Other Reviews

The Internal Audit strategy may address some areas that do not feature as a high or medium
risk. These are nevertheless areas where the organisation would benefit from an Internal Audit
review, or they are being reviewed to provide assurance to the Audit Committee and to the
External Auditor regarding operation of the key financial and management information
systems. The audit days, fieldwork and reporting expectations for these areas should also be
identified in the audit plan.

Contingencies

It is important to adopt a flexible approach in determining Internal Audit resources, in order to
accommodate any unforeseen audit needs. The audit plan should give an indication as to how
many ‘man days’ have been allowed for contingencies.

Follow-up

For Internal Audit to be as effective as possible, its recommendations need to be implemented.
Specific resources should be included within the plan to provide assurance to the organisation
and the Audit Committee that agreed audit recommendations have been implemented
effectively and on a timely basis.

Planning, Reporting and Liaison

The Audit Committee should expect the Internal Audit plan to identify a number of audit days
relating to the following:

• Quality control review by the audit manager;
• Production of reports, including the strategic plan and annual Internal Audit report;
• Attendance at Audit Committee meetings;
• Regular contact with the organisation’s management;
• Liaison with the External Auditor;
• Internal quality assurance reviews.

The Internal Audit Team

Where the Internal Audit is outsourced, the Audit Committee (and management) should
expect a brief introduction to the key individuals working on the audit. This might include
partners, managers and any specialist advisers.

Timing

The audit plan should set out the timing of the fieldwork and confirm the form and timeliness
of reports to management and to the Audit Committee. For example:

• A report for each area of work undertaken within X days of finishing the fieldwork;
• A progress report for each Audit Committee meeting;
• An annual report on Internal Audit coverage to the Audit Committee (reporting to fit
in with the Audit Committee meeting dates).

Internal Audit Performance Indicators

Internal Audit might propose a series of performance indicators against which management
and the Audit Committee can measure the audit’s performance.



Appendix V. Model of an Internal Audit Report

The role of Internal Audit is to provide an independent, objective opinion on an organisation’s
risk management, internal control and governance and the processes in place for ensuring
effectiveness, efficiency and economy.

Each audit report will be different and tailored to the organisation’s needs. However, there are
common elements that the Audit Committee should expect to see when reviewing the audit
reports, or a summary of those reports, albeit in practice these elements might be presented in
many different ways. These elements are as follows:

Background and introduction - Places the audit report within the context of the overall audit
plan.

Definitions - Defines any ‘priority’ or ‘risk’ terminology used in the report. For example:

• High - Inadequate systems and controls which if not addressed could expose the
organisation to significant financial, operational or reputational risk and adversely
impact on implementation of its strategic plan.
• Medium - Systems and controls which are not fully effective, and failure to improve
them could adversely affect operational plans at departmental level.
• Low - Good practice dictates that some enhancements to existing systems and controls
are desirable.

Objectives - Describes the purpose of the audit.

Executive summary - A summary of the key observations, findings and recommendations.
This section might deal only with those findings deemed high risk or priority.

Observations and findings - Details of the control weaknesses identified during the audit,
together with any other observations.

Opinion - Sets out the Auditor’s opinion of the systems being audited.

Summary - Sets out:

• Risk management and control weaknesses.
• Recommendations to enhance risk management and controls.
• The priority of the recommendation.
• Management’s response.
• Responsibility for action.
• Implementation timetable.



It is particularly important for the Audit Committee to ensure follow-up on Internal Audit
recommendations, to make sure that management is taking effective corrective action in a
timely manner.



Appendix W. Evaluation of Internal Audit

The following is a four-part checklist of questions to consider as part of a complementary
framework for assessing the Internal Audit function. Section A addresses the Audit
Committee’s own perceptions of the Internal Audit function. Where appropriate, Sections B,
C and D can be used to record the views of management, the External Auditor and, where the
organisation has its own in-house Internal Audit function, the Chief Audit Executive
(i.e. self-assessment).

Section A

This part of the checklist should be completed by the Audit Committee prior to feedback from
other areas of the organisation.

Understanding

1. How well does Internal Audit demonstrate that it:
• Recognises its direct reporting responsibility to the Board of Directors and to
the Audit Committee?
• Has a strong understanding of the responsibilities and operation of the Audit
Committee?
• Understands the expectations of the Audit Committee and the Board of
Directors?
• Understands the organisation’s business and risk environment?

Charter and Structure

1. Do the terms of reference for Internal Audit define:
• Roles and responsibilities, including those in relation to other internal
functions?
• Expectations of management?
• Scope of Internal Audit work?
• Access to information?

2. Evaluate Internal Audit’s terms of reference in light of the organisation’s current and
future needs.

3. Are Internal Audit’s terms of reference visible to all appropriate people within the
organisation?

Skills and Experience

1. How well does Internal Audit’s staffing reflect its roles and responsibilities?
2. On the basis of the work performed by Internal Audit over the past 12 months, does it
appear to have the right staff mix and competences in any specialist areas?
3. Evaluate Internal Audit’s independence from the activities it audits.
4. How would you assess the Audit Committee’s confidence in Internal Audit?

Communication

1. Has Internal Audit attended all the Audit Committee meetings it was scheduled to
attend?
2. Has Internal Audit made itself available for consultation outside of Audit Committee
meetings?
3. Evaluate Internal Audit’s responsiveness to requests from the Audit Committee,
including requests for special investigations.
4. Evaluate Internal Audit’s frankness and candour with the Audit Committee.
5. Evaluate Internal Audit’s handling of difficult or contentious issues.
6. Does Internal Audit ensure that the Chairperson of the Audit Committee is fully
briefed on significant findings or developments prior to Audit Committee meetings?
7. Evaluate the usual level of preparation for Audit Committee meetings demonstrated by
Internal Audit.
8. Evaluate the quality, relevance and clarity of Internal Audit reports/papers tabled with
the Audit Committee.
9. Have reports been received from Internal Audit on a timely basis?
10. Does Internal Audit promptly advise the Audit Committee about significant issues and
developments, including on special projects such as fraud investigations?
11. Does Internal Audit promptly advise the Audit Committee about significant changes to
the Internal Audit plan?
12. Evaluate the strength of Internal Audit’s process for monitoring the status of open
matters / recommendations.
13. Has Internal Audit contributed to the Audit Committee’s understanding of the overall
assurance framework within the organisation and the role that Internal Audit plays in
this framework?

Performance

1. Assess the quality of the Internal Audit plan in terms of its:
• Comprehensiveness, clarity and timeliness.
• Coverage of priority and high-risk areas.
2. Did the original Internal Audit plan leave unanswered any significant issues of
concern to the Audit Committee?
3. Is it clear from its reporting to the Audit Committee that Internal Audit:
• Has delivered the services outlined in the plan?
• Has been in accordance with the agreed timetable?
• Has performed the audit work necessary to reach its opinions/conclusions?
4. Is there evidence of effective co-ordination of internal and external audit work?
5. Are success measures (or key performance indicators) used for evaluating the
performance of the Internal Audit function and, if so, have they been achieved?
6. Do you consider that Internal Audit has added value to the organisation?
7. In what way has Internal Audit added value to the organisation?
8. How would you assess Internal Audit’s overall performance?

Section B

This part of the checklist should be completed by the Chief Financial Officer and/or other
senior managers and officers who have regular contact with Internal Audit.

Planning

1. Are Internal Audit’s terms of reference sufficiently visible to everyone within the
organisation?
2. Has there been sufficient pre-planning and co-ordination by Internal Audit before the
start of each phase of the Internal Audit or special project?
3. Has Internal Audit discussed its approach and major areas of audit focus with you?
4. Have you raised any major areas of concern that have not been reviewed by the
Internal Audit team?

Skills and Experience

1. Do you consider that the Internal Audit team have sufficient expertise, professional
experience, project management ability, interpersonal skills and seniority to effectively
carry out the work required?
2. Assess the strength of Internal Audit’s understanding of the organisation and its risk
involvement.
3. How strongly have the members of the Internal Audit team demonstrated an
appreciation of the issues key to your role and responsibilities?
4. Have members of the Internal Audit team consistently demonstrated independence in
all their deliberations?
5. Have members of the Internal Audit team been adequately supervised?

Work Programme

1. Has effective co-operation been achieved between Internal Audit and your department,
including avoidance of undue disruption to normal activities?
2. Is there a formal process to ensure that Internal Audit keeps you up to date with
audit/project progress?
3. Has Internal Audit provided early identification and advice regarding contentious
issues, problem areas and delays?
4. Has Internal Audit suggested how such issues could be resolved?
5. Were such suggestions realistic, robust and presented clearly and on a timely basis?
6. How responsive has Internal Audit been to the organisation’s needs, including requests
for special investigations?
7. Are Internal Audit reports:
• Relevant, clear and constructive?
• Sufficiently detailed to provide assurance that the necessary audit work has
been carried out to support the opinions/conclusions?
• Sufficiently detailed to enable effective management action?
• Issued on a timely basis?
8. Have Internal Audit findings been discussed with you prior to being tabled with the
Audit Committee?
9. Has Internal Audit followed up recommendations to see if they have been
implemented?
10. Do you have any major unresolved disagreements with Internal Audit?

Overall Performance

1. Has Internal Audit added value to the organisation?
2. In what ways has Internal Audit added value to the organisation?

Section C

This checklist should be completed by the External Auditor.

Terms of Reference

1. Evaluate Internal Audit’s current terms of reference given your understanding
of the organisation, its risk environment and current developments in Internal
Audit.
2. From your knowledge of Internal Audit and industry best practice, do you
consider that Internal Audit’s current terms of reference are maintained at a
high-quality level?

Skills and Experience

1. Do you consider the Internal Audit team to have the professional experience,
technical skills, interpersonal skills and seniority to effectively carry out the
Internal Audit work required?
2. Evaluate the senior members of the Internal Audit team’s understanding of the
organisation, its business and its risk environment.
3. From your dealings with members of the Internal Audit team and your
knowledge of Internal Audit and industry best practice, evaluate the sufficiency
of Internal Audit’s resources to adequately deliver the services outlined in its
Internal Audit plan within the timeframes identified.
4. Does Internal Audit’s staffing appear to adequately reflect its roles and
responsibilities?
5. In your assessment, is the Internal Audit methodology robust and does it reflect
the latest thinking in Internal Audit?

Work Programme

1. Are there regular discussions between internal and external audit on strategies
for internal and external audit, assessment of risks and the implications of audit
findings/audit work?
2. Has progress against the plan been monitored jointly by internal and external
audit regularly throughout the year?
3. Have you received copies of all Internal Audit reports issued by Internal Audit?
4. Have copies of Internal Audit reports been received on a timely basis?
5. Are Internal Audit reports of a standard comparable to best practice in other
organisations?
6. To the best of your knowledge, are there any major areas of risk or concern that
Internal Audit has not appeared to cover?

Section D

Where the organisation has its own in-house Internal Audit function, the Audit Committee
might ask the Chief Audit Executive to complete this checklist (i.e. self-assessment).

Understanding

1. Evaluate Internal Audit’s understanding of:
• The responsibilities and operation of the Audit Committee.
• The organisation.
• The organisation’s risk environment.
• The organisation’s control framework.

Charter and Structure

1. Do the terms of reference for Internal Audit define in sufficient detail for the purposes
of directing Internal Audit:
• Roles and responsibilities, including those in relation to other internal
functions?
• Expectations of the Board of Directors/Audit Committee, officers and
management?
• Scope of Internal Audit work?
• Access to information?
2. Evaluate Internal Audit’s current terms of reference in light of the organisation’s
current and future needs.
3. Assess the structure of Internal Audit in terms of enhancing its:
• Objectivity.
• Understanding of the organisation’s business issues.
• Ability to respond to the organisation’s needs.

Skills and Experience

1. Assess the staff mix and competences of the Internal Audit team.
2. Evaluate Internal Audit’s independence from the activities it audits.

Communication

1. Evaluate Internal Audit’s responsiveness to requests from the Audit Committee,
including requests for special investigations.
2. Evaluate Internal Audit’s frankness and candour with the Audit Committee.
3. Evaluate Internal Audit’s handling of difficult or contentious issues.
4. Over the last 12 months, has the Chairperson of the Audit Committee been fully
briefed on significant findings or developments prior to Audit Committee meetings?
5. Evaluate Internal Audit’s process to monitor the status of open matters /
recommendations.

Performance

1. In what way has Internal Audit added value to the organisation?
2. How would you assess Internal Audit’s overall performance?

Appendix X. Self-Assessment of the Audit Committee

This self-assessment has been prepared for Audit Committee members. It is intended that each
Audit Committee member will complete it independently. The assessment exercise could be
carried out at a special meeting of the Audit Committee or at some form of away-day.

The Chairperson of the Audit Committee or an external facilitator should, after collating the
responses, lead a discussion on the key points arising from the questionnaire and feed back
any matters of interest, focusing on those areas which clearly need improvement or where
there is great variation in answers. When using a facilitator, care needs to be taken if this
person is in some way conflicted because of the closeness of his or her relationship with the
Audit Committee; for example, a degree of circularity is involved in using the Internal or
External Auditor, as the Audit Committee has a responsibility to review the Auditor’s performance.

The results of the self-assessment and any action plans arising should be reported to the Board
of Directors after discussion with the Chairperson of the Board of Directors.

The Chairperson of the Audit Committee may wish to tailor this checklist to the specific
circumstances of their organisation, giving more weight to some aspects of the
self-assessment than others. Appropriate weighting will be influenced by a number of factors
including, but not limited to:
• The Audit Committee’s terms of reference.
• The organisation’s strategies and risk assessments.
• The organisation’s risk and control environment.
• The outcomes of previous self-assessments.
• The stage of maturity of the Audit Committee.
• The views of stakeholders on the organisation’s corporate governance performance.
• Current and emerging trends and factors.

The Chairperson of the Audit Committee may wish to adapt the questionnaire such that the
full version is carried out on a cyclical basis, say every three to five years. In the intervening
years, they may choose to evaluate the Audit Committee’s effectiveness by means of a general
discussion around the Audit Committee table, or by using a curtailed form of the
questionnaire.

Creating an effective Audit Committee


1. Have the Audit Committee’s terms of reference been approved by the Board of
Directors?
2. Does the Audit Committee review annually its terms of reference and recommend any
necessary changes to the Board of Directors?
3. Is there clarity around what is expected of the Audit Committee (e.g. how the Audit
Committee supports the Board of Directors in discharging its responsibility for
governance, risk and control)?
4. Are Committee members independent of the organisation’s management, and do they
exercise their own judgement, voice their own opinions and act freely from any
conflicts of interest?
5. Are Committee members appointed by the Board of Directors on the basis of agreed
criteria, and are appropriate succession plans in place?
6. Does the Audit Committee have sufficient skills, experience, time and resources to
undertake its duties, including at least one member with recent and relevant experience
in finance, accounting or auditing?
7. Is the Audit Committee over-reliant on any individual member (e.g. the member with
recent and relevant experience in finance, accounting or auditing)?
8. Does the Audit Committee have sufficient understanding of the organisation and the
industry (e.g. how the organisation operates within the industry)?
9. Do all Committee members demonstrate the highest level of integrity (including
maintaining utmost confidentiality and identifying, disclosing and managing conflicts
of interest)?
10. Does the Audit Committee have access to appropriate secretarial services?
11. Are funds available to enable the Audit Committee to take independent legal,
accounting or other advice when it reasonably believes it necessary to do so?

Running an Effective Audit Committee


1. Does the Chairperson of the Audit Committee have an effective leadership style (e.g.
decisive, open-minded, courteous, sets a good example, allows members to contribute,
holds members to high standards)?
2. Does the Chairperson of the Audit Committee ensure a healthy dynamic (e.g. relates
well to other members/attendees, deals effectively with dissent and works
constructively towards consensus)?
3. Does the Chairperson ensure that the Audit Committee’s workload is dealt with
effectively?
4. Does the Audit Committee work constructively as a team?
5. Does the Audit Committee maintain constructive working relationships with those
individuals who attend its meetings?
6. Does the relationship between the Audit Committee and a) the chief executive and b)
members of the senior management team strike the right balance between challenge
and mutuality?
7. Do the Audit Committee’s discussions enhance the quality of management’s
decision-making (e.g. does the Audit Committee engage those reporting to it in dialogue that
stimulates and enhances their thinking and performance)?
8. Does the Audit Committee provide effective support to the Board of Directors in
fulfilling its responsibilities and adding value to the organisation?
9. Does the Audit Committee have a comprehensive work plan that covers its main
responsibilities and maps across to the requirements of the Board of Directors?
10. Do the meeting arrangements enhance the Audit Committee’s effectiveness (e.g.
frequency, timing, duration, venue and format)?
11. Do Audit Committee meetings allow sufficient time for the discussion of substantive
matters?
12. Are meeting agendas and related background information circulated in a timely
manner to enable full and proper consideration to be given to the issues?
13. Are the papers provided to the Audit Committee appropriate (e.g. not overly lengthy
and clearly explaining the key issues and priorities)?
14. Is sufficient time allowed between Audit Committee meetings and meetings of the
Board of Directors to allow any work arising to be carried out and reported to the
Board of Directors as appropriate?
15. Is the Audit Committee free from inappropriate management influence during
meetings?
16. Are meeting attendees (e.g. officers and External Auditor) appropriately involved in
Audit Committee meetings?
17. Are arrangements in place for the Audit Committee to meet with the External and
Internal Auditors during the year without the presence of management?
18. Are the meeting minutes clear, accurate, consistent, complete and timely, and do they
include key elements of debates, appropriate details of recommendations and any
follow-up action?
19. Does the follow-up process for outstanding actions arising from Audit Committee
meetings work well?
20. Do the Auditors (internal and external) co-operate appropriately to ensure the
completeness of assurance coverage?
21. Is the dialogue with Internal and External Auditors and management appropriate given
the work the Audit Committee undertakes? Is ‘bad news’ communicated to the Audit
Committee in a timely manner?
22. Is the Audit Committee kept fully informed on all material matters between meetings,
including appropriate external information (e.g. emerging risks and material regulatory
changes)?
23. Does the Audit Committee report to the Board of Directors on a timely and accurate
basis, and are such communications comprehensive, meaningful and focused?

Professional Development

1. Is an induction programme provided for new Audit Committee members (e.g. the
Audit Committee’s role, terms of reference and expected time commitment by
members; overview of the organisation; and the main operational and financial
dynamics and risks)?
2. Do Audit Committee members receive appropriate and timely ongoing professional
development (e.g. regulatory matters, accounting and financial reporting, audit and
risk)?
3. Do Audit Committee members have the opportunity to attend formal courses and
conferences, internal talks and seminars, and briefings by external advisers such as the
organisation’s auditor and lawyers?
4. Do the induction and professional development programmes adequately equip Audit
Committee members to understand the organisation’s industry (e.g. operational and
financial risks facing organisations within the industry)?

Overseeing Financial Reporting


1. Does the Audit Committee have effective mechanisms to understand and gain
confidence over the:
• Appropriateness of the organisation’s critical accounting policies, estimates
and judgements?
• Clarity and completeness of disclosures in the financial statements?
• Impact on the financial statements of any developments in accounting
standards or generally accepted accounting practice?
• Statement on Internal Control included in the financial statements and the basis
on which it is given?
2. If the Audit Committee were not satisfied with any aspect of the proposed financial
reporting, would it report such views to the Board of Directors and seek changes?
3. Does the Board of Directors publish a balanced, comprehensive annual report on a
timely basis?

Overseeing Governance, Risk Management and Internal Control


1. Is the Audit Committee satisfied that appropriate processes are in place to:

• Ensure that the Board of Directors and the management conduct themselves in
accordance with high standards of behaviour?
• Ensure compliance with applicable regulation and best practice
recommendations?
• Ensure the appointment of appropriate individuals to the Board of Directors,
key Committees and senior management positions?
• Ensure appropriate communication with the organisation’s stakeholders,
including the Board of Directors?
• Clearly articulate the organisation’s risk appetite for each material category of
risk?
• Identify, evaluate and monitor key risks facing the organisation (including
financial, strategic and operational – such as failure to attract and retain
high-quality managers, maintaining excellence in management, and unpredictable
government policy – as well as reputational)?
• Enable it to understand how each material risk may impact on the
organisation’s operations and financial condition?
• Monitor changes in the organisation’s risk profile?
• Provide it with suitable reports on the effectiveness of the systems of internal
control?
• Ensure that the system of key controls is fit for purpose and working as
intended?
• Ensure that funds are properly safeguarded?

Overseeing Value for Money

1. Are appropriate processes and procedures in place to ensure:


• That company funds are spent for their intended purpose?
• The economy, efficiency and effectiveness of the organisation’s operations?

Overseeing External Audit

1. Does the External Auditor dedicate appropriately qualified and experienced staff and
resources to the organisation’s audit?
2. Does the external audit partner make appropriate use of their direct access to the Audit
Committee?
3. Are the independence and objectivity of the External Auditor compromised in any
way?
4. Are the nature and extent of non-audit services provided by the Auditor appropriate?
5. Does the external audit plan focus on the organisation’s key risks and controls?
6. Is the external audit plan reviewed and approved by the Audit Committee?
7. Does the Audit Committee have an appropriate dialogue with the External Auditor
regarding major issues arising during the course of the audit, the key accounting and
audit judgements and the levels of errors identified during the audit?
8. Does management respond to external audit recommendations in a timely and
appropriate manner?
9. Does the Audit Committee regularly review the effectiveness of the external audit?

Overseeing Internal Audit

1. Is the organisation’s Internal Audit function appropriately resourced (whether
in-house, co-sourced or outsourced)?
2. Is the Audit Committee comfortable with the quality of Internal Audit work?
3. Does the Chief Audit Executive make appropriate use of his/her direct access to the
Audit Committee?
4. Are the independence and objectivity of Internal Audit compromised in any way?
5. Does the Internal Audit plan focus on the organisation’s key risks and controls?
6. Is the Internal Audit plan reviewed and approved by the Audit Committee?
7. Does management respond to Internal Audit’s recommendations in a timely and
appropriate manner?
8. Does the Audit Committee regularly review the effectiveness of the Internal Audit
function?
