
Knowledge Report

Audit Committee Trends and Activities


November 2009

Disclaimer
Copyright © 2009 by The Institute of Internal Auditors’ (IIA’s) Global Audit Information Network
(GAIN) located at 247 Maitland Avenue, Altamonte Springs, Fla. 32701. All rights reserved.
Published in the United States of America.

Except for the purposes intended by this publication, readers of this document may not
reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt the statistical and
other data contained herein without the permission of GAIN or The IIA.

The information included in this document is general in nature and is not intended to address any
particular individual, internal audit activity, or organization. Based on the date of issuance and
changing environments, no individual, internal audit activity, or organization should act on the
information provided in this document without appropriate consultation or examination.

About This Report


As part of its services, The IIA will publish a series of reports on topics of appeal to chief audit
executives (CAEs) and other internal auditors that provide leading practices based on survey
results and recommendations from audit professionals in the field. This report provides a
summary of key study findings and recommendations from IIA members to help those looking to
maximize their relationship with audit committee members and add value to overall audit
committee activities.

Please note that The IIA surveys referenced in this report are not statistically based and their
results are not representative of the entire population of internal auditors. Rather, they are
benchmarking surveys based on the responses of CAEs and other internal audit professionals
who are members of GAIN. In addition, results from these surveys are solely intended to provide
information (i.e., tools, resources, and/or other knowledge) that is based on the responses of
survey participants only.

Executive Summary
Since the early 20th century, audit committees have played a special role in public companies
overseeing the accuracy and integrity of financial information. In fact, the importance of the audit
committee has increased throughout the decades due in part to corporate scandals such as
Enron and WorldCom, the passing of the U.S. Sarbanes-Oxley Act of 2002, and the growing
trend in data and identity theft. Each of these events has helped not only to bring the importance
of the audit committee to the forefront, but also to change its role over time to cover much more than
oversight of financial reporting information.

In the United States, for instance, most public companies and many private organizations have
an audit committee. According to The IIA’s latest information from its Global Audit Information
Network (GAIN) Annual Benchmarking Study — a year-round survey that compiles the responses
of more than 600 chief audit executives (CAEs) from organizations around the world —
95 percent of respondents indicated their organizations have an audit committee in place.

A July 2008 Flash survey report of 279 IIA members on audit committee activities also confirms
the prevalence of audit committees in today’s business sector. According to the survey, nearly all
respondents (98 percent) stated their organization has an audit committee or equivalent in place.¹
Besides reviewing the internal and external audit plan and participating in the selection of
accounting policies, these audit committees are responsible for reviewing evaluations on the
effectiveness and efficiency of information systems; assessing the effectiveness of policies on
unethical and illegal procedures; and reviewing policies of risk management, control, and
governance.

This last role — reviewing policies of risk management, control, and governance — was
discussed at a recent IIA roundtable of 28 CAEs working in Fortune 100 and 250 companies,
service providers, and regulators from the U.S. Public Accounting Oversight Board (PCAOB) and
U.S. Securities and Exchange Commission (SEC) held in March 2009. According to the
roundtable participants, CAEs can ramp up communication with the audit committee on
enterprise risk management (ERM) issues by offering audit committee members risk
management education during regular meetings or special sessions and even expanding ERM
discussions with the board, including an assessment of strategic risks. Other areas in which
internal auditors can offer assistance to the audit committee include helping to evaluate whether
the company has satisfied its internal and external reporting objectives as well as helping to
assess the quality of the organization’s financial reporting activities.

This Knowledge Report summarizes some of the key points, recommendations, and leading
practices on audit committees from guidance-setting organizations, internal audit professionals,
and researchers, as well as information from The IIA’s GAIN Flash surveys and Annual
Benchmarking Study. In addition, The IIA performed an in-depth Flash survey in March 2009² that
asked participants probing questions to obtain a series of leading practices on key audit
committee areas of interest.

¹ Nearly 61 percent of IIA Flash survey participants work in a public organization, compared to 40 percent who work
for a private company, with revenue sizes ranging from more than US $10 billion to less than US $10 million. In
addition, 44 percent of respondents work for a local or regional organization, while 21 percent and 35 percent worked
in a national and international organization, respectively.
² A total of 100 GAIN members were invited to participate in a survey on leading audit committee practices
(“Recommendations for Audit Committee Effectiveness and Improvement”) based on their high level of involvement
with GAIN. As of March 2009, a total of 1,705 internal auditors, mostly CAEs, are members of GAIN. Of the 100
invitees, 26 responded to the survey but only 23 indicated their organization has an audit committee or equivalent.
Survey results are based on these 23 respondents.

Leading Practices From IIA Members
Key audit committee areas represented in the March 2009 Flash survey include:

The audit committee’s main role and its relationship with the CAE.
Audit committee structure, composition, and charter.
Audit committee meetings.
Audit committee performance and training.
Audit committee communications and implementation.

Snapshot of Leading Practices

Main role of the audit committee. According to CAEs participating in a March 2009 Flash survey,
the main role of the audit committee should be to ensure controls over financial statement
preparation are designed effectively and operating as planned.

Relationship with the CAE. The ideal relationship between the CAE and audit committee is one in
which there is open dialogue and regular interaction between the two parties.

Audit committee structure. The top three organization characteristics that should be taken into
account prior to creating an audit committee are the organization’s complexity, size, and the
extent of responsibilities and expertise assigned to the audit committee.

Audit committee member composition. The top three attributes audit committee members should
have are inquisitiveness, outspokenness, and courage, while key areas of expertise that should be
represented in the audit committee include finance and accounting, industry-specific knowledge,
and internal and external auditing.

Audit committee charter. Information that should be included in the audit committee’s charter
includes the committee’s roles and responsibilities; purpose, mission, and objectives; composition
and the qualifications of committee members; and level of authority.

Audit committee meetings. The main purpose of audit committee meetings should be to review and
discuss internal and external audit issues and activities and financial results, statements, and
reports. Information should be distributed several days prior to the meeting and includes the
meeting’s agenda and prior meeting minutes, the executive summaries of audit reports issued since
the last meeting, and a timeline of planned and current audits.

Audit committee performance and training. The use of self-assessments was identified as the
number one method to measure committee performance, while training should be provided on specific
topics of interest to all committee members either internally or externally.

Audit committee communications and implementation. Leading practices for working and
communicating with the audit committee include telephone calls and e-mails between meetings to
discuss issues prior to regularly scheduled meetings, as well as sending information packages
prior to the meeting and distributing relevant articles and materials on topics related to risk
management and the organization’s industry and internal controls.

The main role of the audit committee. According to CAEs participating in the in-depth survey, the
main role of the audit committee should be to ensure controls over financial statement
preparation are designed effectively and operating as planned. Other responsibilities cited
include overseeing the internal control environment as well as key areas of internal audit function.

Relationship with the CAE. Survey participants were asked to describe the ideal relationship
between the CAE and audit committee. CAEs responding to the survey described this relationship as
one in which there is open dialogue and regular interaction between the two parties. The CAE also
must have a direct reporting relationship to the audit committee, which, in turn, would serve to
enhance the committee’s support and oversight of the internal audit activity. To establish this
relationship, survey participants indicated that open, proactive communication between the
CAE and audit committee is essential. This communication should take place during formal
and informal meetings between both parties.

Audit committee structure, composition, and charter. CAEs who participated in the survey
were asked to describe the key audit committee characteristics and member attributes that
should be taken into consideration when determining the ideal number of audit committee
members. The top three organization characteristics listed by CAEs include its complexity, size,
and the extent of responsibilities and expertise assigned to the audit committee, while the top
three member attributes are inquisitiveness, outspokenness, and courage (i.e., the ability to
challenge accounting and management positions and investment decisions). Top key areas
of expertise that should be represented in the audit committee include finance and accounting,
industry-specific knowledge, and internal and external auditing. Regarding years of service,
more than half of survey respondents believe committee members should serve no less than
five years on the audit committee.

Additionally, CAEs were asked to identify whether they should be asked for input regarding
committee operations and whether they should be involved in the selection of committee
members. Overall, more than half of survey respondents believe CAEs should be asked for input
regarding audit committee operations (65 percent), but should not be involved in the selection of
audit committee members (57 percent). One key reason for this reversal is that while providing
input on audit committee operations will not hinder the committee’s ability to objectively assess
the performance of the CAE, helping to select audit committee members might introduce bias in
favor of the CAE when assessing his or her performance.

Survey participants also were asked to provide information regarding the kinds of information that
should be included in the audit committee’s charter. Nearly half of all respondents (48 percent)
identified the committee’s roles and responsibilities as the number one item that should be
included in the audit committee’s charter followed by:

The committee’s purpose, mission, and objectives.
The composition of the audit committee and qualifications of committee members.
The level of authority of the audit committee.

Audit committee meetings. CAEs also were asked to provide feedback on the overall purpose
and structure of audit committee meetings and the kinds of information that should be presented
during these meetings. According to survey participants, the main purpose of an audit committee
meeting should be to review and discuss internal and external audit issues and activities as well
as financial results, statements, and reports.

Because presentation of information is just as important as the topics discussed, respondents
were asked to specify how information should be presented to audit committee members. Overall,
most CAEs stated that information should be distributed several days (anywhere from one to two
weeks) prior to the meeting. The top three items that should be distributed prior to the meeting
include the meeting’s agenda and prior meeting minutes, the executive summaries of each audit
report issued since the last meeting, and a timeline of planned audits and those in progress.

Additionally, CAEs identified the overall format of the information that should be presented during
the meeting and the meeting’s timeframe. As stated by survey participants, CAEs should provide
summarized, concise information included in the previously distributed meeting report, while
meetings should last more than two hours (the average timeframe cited was three to four hours).

Respondents also were asked for recommendations on executive or private sessions with the
audit committee. More than half of respondents stated that these sessions should be held at least
quarterly and should last anywhere from less than 10 minutes to no more than 45 minutes,
depending on the issues to be discussed and the frequency of executive meetings held
throughout the year.

Audit committee performance and training. Measuring audit committee performance is an
important aspect of the committee’s operations. When asked to describe the best way to measure
audit committee performance, 43 percent of respondents identified the use of self-assessments
followed by checklists of performance items as described in the charter and the benchmarking of
audit committee performance against peers.

Furthermore, all respondents agree that training should be provided on specific topics of interest
to all committee members either internally or externally. Training topics include audit committee
responsibilities and best practices, internal audit topics and internal control issues, and industry-
specific topics. Some CAEs also stated that training should be provided as part of the audit
committee meeting or in the form of supplementary materials.

Audit committee communications and implementation. Finally, survey participants were
asked to share leading practices for working and communicating with the audit committee and
recommendations for organizations that are creating an audit committee for the first time. Leading
practices for working and communicating with the audit committee include the use of telephone
calls and e-mails between meetings to discuss issues prior to regularly scheduled meetings, as
well as sending information packages prior to the meeting and distributing relevant articles and
materials on topics related to risk management and the organization’s industry and internal
controls.

For those organizations that are creating an audit committee for the first time, survey participants
recommend that those responsible refer to information posted on other company Web sites,
especially when drafting the audit committee charter. CAEs participating in the survey also
stressed the importance of providing new audit committee members with training on their
respective roles and responsibilities, in addition to ensuring the audit committee reports to the full
board of directors, the CAE reports directly to the audit committee, and audit committee members
are selected based on their skills and overall fit with the organization.

Table of Contents

About This Report
Executive Summary
    Leading Practices From IIA Members
The Audit Committee Defined
Role and Responsibilities
    Leading Practices
Relationship With the CAE
    Leading Practices
Committee Composition
    Leading Practices
Meetings
    Leading Practices
Charter, Performance Evaluation, and Training
    Leading Practices
Working and Communicating With the Audit Committee
    Leading Practices
Resources
    Guidance and Regulatory Information
    Reference Web sites and Online Resources
    Sample Audit Committee Charters
    Article, Books, and Reports

The Audit Committee Defined
At a minimum, audit committees are tasked with overseeing the integrity of a company’s financial
reporting activities in addition to managing the organization’s risks and controls related to
financial data and internal and external audit processes. Their recommendations enable
organizations to convey the need for a strong ethical environment while ensuring the integrity of
financial information and reporting. According to The IIA’s International Professional Practices
Framework (IPPF), the audit committee is a standing committee of the board.³ As such, the audit
committee’s responsibility and authority cannot exceed that of the board.

While audit committees date back to the early 20th century,⁴ their presence was not documented
until the late 1930s. However, the defining event that raised the importance of the audit
committee occurred in October 1987 when the Treadway Commission published the Report of the
National Commission on Fraudulent Financial Reporting (PDF, 1.38 MB), which emphasized the role
of the audit committee in detecting and preventing fraudulent financial reports.⁵ Since 1987,
other organizations, such as the American Institute of Certified Public Accountants (AICPA),
National Association of Securities Dealers (NASD), Federal Deposit Insurance Corp., and American
Stock Exchange (AMEX), started recommending or requiring the establishment of audit committees in
public companies.

Summary of Audit Committee Milestones

1939. The New York Stock Exchange (NYSE) endorses the audit committee concept.
1972. The SEC recommends publicly held companies establish audit committees consisting of
nonmanagement directors.
1977. The NYSE adopts a listing requirement stating that audit committees must consist of
independent directors only.
1988. The AICPA issues Statement on Auditing Standard 61 “Communication With Audit Committees,”
which addresses communication exchanges among the external auditor, audit committee, and
management in SEC-reporting companies.
1999. The AICPA, AMEX, NASD, NYSE, and SEC finalize major rule changes based on the Report and
Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of the Corporate
Audit Committee.
2002. The Sarbanes-Oxley Act passes, including whistleblower and financial expert requirements
for audit committees.

Source: Wikipedia, http://en.wikipedia.org/wiki/Audit_committee.

Two additional turning points that helped increase the importance of audit committees were the
publication of the Blue Ribbon Committee’s Report and Recommendations of the Blue Ribbon
Committee on Improving the Effectiveness of Corporate Audit Committees (PDF, 344 KB) in 1999
and the enactment of the Sarbanes-Oxley Act in 2002. The Blue Ribbon Report states that the
basis for the development of audit committee guidelines is the acceptance of the committee’s role
in the organization’s governance process as it relates to the oversight of financial reporting. On
the other hand, the Sarbanes-Oxley Act helped to increase the responsibilities and authority of
audit committees by changing committee membership requirements to include more independent
directors and members with finance and accounting expertise.

³ The term board refers to an organization’s governing body, such as the board of directors, supervisory board, or board
of governors or trustees (www.theiia.org/guidance/standards-and-guidance/ippf/standards/full-standards/?i=8317).
⁴ According to Audit Committees: A Guide for Directors, Management, and Consultants, The Prudential Insurance
Company of America has had an audit committee for more than 75 years.
⁵ Audit Committees: A Guide for Directors, Management, and Consultants (2006), p. 3.01

Role and Responsibilities
According to Audit Committee Effectiveness — What Works Best (3rd Edition), one of the
committee’s key responsibilities is to oversee the process of producing reliable and credible
financial statements while ensuring the company has effective internal controls. To this end,
audit committee members must be able to grasp all of the key information included in a company’s
financial report and oversee risk management and compliance with the laws and regulations
affecting the company.⁶ Because the overall role of the audit committee is defined by the board
of directors, it may vary from company to company and depend on different industry needs,
corporate governance rules, and stakeholder requirements.

Top 10 Responsibilities for Audit Committees

The December 2007 issue of The IIA’s Tone at the Top (PDF, 210 KB) newsletter provides a list of
10 best practices for audit committees based on the book Corporate Governance Best Practices:

Establish effective internal auditing, such as hiring and compensating the CAE and maintaining
control of internal audit activities dealing with the auditing of financial reporting.
Ensure organizational ethics by determining whether senior managers behave in a way that
promotes openness and integrity.
Conduct yearly interviews with the CEO, chief financial officer (CFO), and external auditors,
among other business leaders, to gather the information necessary to accomplish committee
objectives.
Monitor use of internal information, including the performance of more intensive and extensive
audits before insider sales of significant amounts of stock.
Notice red flags that might signal the need for more intensive and extensive audits.
Control conflicts of interest by having external and internal auditors report results directly
to the audit committee.
Ask key questions to external auditors, such as “how would you prepare the company’s financial
statements?”
Ensure external auditor independence.
Do not seek tax services advice from the external auditor.
Consider the impact of preferred accounting treatments disclosed by the external auditors.

As the book’s authors explain, a crucial committee responsibility is reviewing and discussing
annual financial statements with management and external auditors and determining if the
statements are complete and consistent with information the committee already knows.⁷ Additional
financial reporting responsibilities include:

Understanding the process to develop financial statements.
Reviewing significant accounting and reporting developments and issues.
Assessing the quality of accounting principles and the appropriateness of significant accounting
policies.
Understanding and being comfortable with management’s assessment of materiality.
Understanding the process for developing significant estimates and their impact on
financial statements.
Discussing audit plans and results with internal and external auditors and addressing
significant risks.
Resolving disagreements between management and external auditors.
Recommending to the board whether financial statements should be incorporated into the
company’s regulatory filings.

⁶ Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. xi
⁷ Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 1

Besides managing the financial reporting and disclosure process, the audit committee typically
oversees the hiring, performance, and independence of external auditors to ensure no conflicts of
interest exist that might interfere with the auditor’s ability to issue its opinion on financial
statements. Furthermore, the audit committee may have oversight of regulatory compliance,
ethics, and whistleblower hotlines, as well as discuss litigation or regulatory compliance risks with
management through briefings or reports from the organization’s top lawyer. The committee also
may be responsible for monitoring the internal control process,⁸ understanding the organization’s
risk management policies and procedures, and overseeing the effectiveness of internal controls
over financial reporting. Reports regarding the effectiveness and efficiency of the company’s
internal control process should be submitted to the audit committee from management and the
organization’s internal and external auditors.

Specifically related to internal auditing, audit committees should:

Oversee internal audit performance by ensuring the organization has an internal audit
charter.
Determine whether the reporting structure provides for internal audit’s organizational
independence and objectivity.
Be involved in the CAE’s selection and ensure his or her compensation is appropriate.
Make sure effective lines of communication exist with the internal audit activity.
Review risk assessment, audit plans, and audit results.
Determine if the internal audit activity has the necessary resources to perform its work.

According to The GAIN Annual Benchmarking Study, audit committee responsibilities are
somewhat constant regardless of the organization’s type (i.e., public versus private). For
instance, 81 percent of all respondents indicated that the audit committee selects the external
auditor and reviews audit fees and engagement letters, while 89 percent and 79 percent of
respondents in public and private companies, respectively, stated the same. Another IIA survey of
190 internal auditors (PDF, 95.1 KB) conducted in January 2008 found that audit committees are
the primary committee responsible for various compliance activities. These include oversight of
environmental regulatory compliance, operational regulatory compliance, compliance with IT
physical and logical security procedures, and compliance with operational safety procedures.

⁸ An internal control process refers to the policies and procedures used to control the organization’s operations,
accounting, and regulatory compliance.

Leading Practices
To obtain more up-to-date information on audit committee practices, The IIA performed an in-
depth Flash survey in March 2009. The survey asked participants for recommendations on key
areas to enhance the effectiveness of audit committee activities. A total of 100 active GAIN
members⁹ were invited to participate in the survey, of which 26 responded.

The first two questions asked GAIN members, who are mostly CAEs, to describe the main roles
of the audit committee as well as the top responsibilities of the committee. According to
respondents, the main role of the audit committee should be to ensure controls over financial
statement preparation are designed effectively and operating as planned (i.e., ensure financial
statements are accurate and assist the board in carrying out its financial duties) (refer to Table 1
for all responses). In addition, audit committees must oversee the internal control environment as
well as key areas of internal audit function.

Table 1: Main Responsibilities of the Audit Committee

Summary of Responses
Ensure controls over financial statement preparation are operating and designed effectively (i.e., ensure financial statements are accurate and assist the board in carrying out its financial duties) (12 responses)
Provide oversight of the internal control environment (i.e., reviewing assessments related to internal auditing, external auditing, risk management and governance) (7 responses)
Provide oversight of key areas of internal audit function (7 responses)
Appoint and manage the relationship with external auditors, as well as ensure the audit process has the appropriate integrity to provide assurance of the financial statements (4 responses)
Monitor management's adherence to corporate objectives (1 response)
Give overall financial, operations, and compliance guidance and support to the company (1 response)

⁹ All 100 invitees were CAEs or equivalent. The vast majority of participants (89 percent) indicated their organization
has an audit committee or equivalent. Nearly half of all participants (46 percent) work in publicly-listed companies,
31 percent work in private organizations, and 19 percent work in the nonprofit sector. The top five industries
represented in the survey include financial services/banking/real estate (23 percent), insurance carriers/agents and
utilities (19 percent each), health services (12 percent), and manufacturing (8 percent). In terms of staff size, 27 percent
work in organizations with 5,001 to 20,000 employees and internal audit activities of 3 to 6 auditors.

Relationship With the CAE
As stated earlier, the audit committee also may be responsible for hiring the organization’s CAE.
A May 2008 Flash survey of 237 CAEs or heads of internal audit found that in 61 percent of the
organizations represented in the survey, the audit committee took part in the hiring of the CAE.
In addition, 82 percent of CAEs report directly to the audit committee, and 89 percent collaborate
with the audit committee chair in a way that demonstrates the chair’s support of their work.

Figure 1. Breakdown of Audit Committee Responsibilities

(Source: The IIA’s GAIN Annual Benchmarking Study)

The GAIN Annual Benchmarking Study also discusses the relationship between the CAE and audit
committee. In 86 percent of the organizations represented in the study, the audit committee
directly communicates with the CAE who regularly attends and participates in meetings (for IIA
guidance regarding the CAE and audit committee’s relationship read “The CAE and Audit Committee”
on this page). Furthermore, in 76 percent of organizations, CAEs report functionally to the audit
committee or equivalent, compared to 82 percent in public companies and 65 percent in private
companies, and administratively to the audit committee in 9 percent of organizations, compared to
8 percent in public companies and 9 percent in private companies.

The CAE and Audit Committee

According to IIA Standard 2060: Reporting to the Board and Senior Management and its related
Practice Advisory 2060-1, the CAE “should report periodically to the board and senior management
on the internal audit activity’s purpose, authority, responsibility, and performance relative to
its plan.” As a standing committee of the board, reporting should be extended to the audit
committee as well.

Leading Practices
The March 2009 IIA Flash survey of 23 CAEs also asked a series of questions regarding the
relationship between the CAE and audit committee and ways CAEs can work to improve this
relationship. As survey results indicate, an ideal relationship between the CAE and audit
committee is one where there is open dialogue and regular interaction between the two parties.
In addition, the CAE must have a direct reporting relationship to the audit committee, which
serves to enhance the committee’s support and oversight of the internal audit activity. (Table 2
provides a detailed summary of all responses.)

Table 2. Key Elements for an Ideal Relationship Between the Audit Committee and CAE
Summary of Responses
Engage in open dialogue and regular communications (e.g., the CAE should hold face-to-face meetings
with the committee chair and review audit results; the CAE should be a key resource for coordinating
committee meetings, developing the meeting’s agenda, and supporting the chair; the CAE should strive
to keep the committee informed on key risk areas and the status of deficient areas within the company;
the committee should be able to rely on the CAE to report on areas that might be problematic for the
company at a high level; the CAE serves as the eyes and ears of the committee on a daily basis to give a
different picture of what is going on inside the company that management is unable to; and the CAE and
committee should have candid discussions of key risks, especially those related to operational risks, which
should be facilitated via formal, scheduled meetings and ongoing interaction) (16 responses)
CAEs must have a direct reporting relationship to the audit committee (e.g., the audit committee
should have ultimate responsibility for hiring and dismissing the CAE and handling his or her
compensation) (8 responses)
The audit committee has oversight of and supports the audit activity ensuring its independence (e.g., the
committee should support the CAE in his or her efforts to improve the organization) (4 responses)

Realizing that having such a relationship is no easy task, respondents were asked to describe
how the CAE and audit committee can work collaboratively to establish this relationship. Again,
respondents indicated that open, proactive communication between the CAE and audit committee
is essential. This communication should take place during formal and informal meetings between
both parties. Furthermore, respondents stated that both the audit committee and internal audit
activity need to develop charters that outline the responsibilities of each party toward the other.
This way both the audit committee and internal audit activity can be evaluated at the end of the
reporting period based on their completion of charter elements. Finally, the CAE must add value
to the audit committee by framing key issues in a concise manner and arranging training
opportunities for the audit committee (refer to Table 3 for a summary of all responses).

Table 3. Key Elements to Establishing an Effective Relationship Between the Audit Committee and CAE
Summary of Responses
The CAE needs to proactively communicate with the audit committee (e.g., the CAE should engage the
audit committee in dialogue sessions concerning a variety of issues and hold periodic meetings outside
the formal audit committee meeting to get to know members; the CAE should initiate a “get-to-know-you”
meeting with the audit committee to open the lines of communication and gain an understanding of what
the audit committee is looking for in a CAE and his or her internal audit activity) (10 responses)
The CAE needs to meet with the audit committee and chair (via face-to-face meetings and telephone calls)
on a regular basis at least quarterly (e.g., the CAE and audit committee should hold frequent meetings,
informal lunches, and dinner meetings without the presence of senior management staff; and the CAE
should hold executive sessions with the audit committee chair regularly or as needed) (7 responses)
The audit committee and CAE should develop robust committee and audit charters outlining the
responsibilities of each function toward each other (3 responses)
The CAE and internal audit activity must add value to the audit committee (e.g., gain the confidence and
respect of the audit committee through demonstrated work and the CAE’s and audit activity’s ability to
frame key issues in a concise manner) (3 responses)
The CAE should arrange training opportunities for the audit committee (e.g., training should cover topics
specific to the audit committee and the company) (2 responses)
The CAE should coordinate the scope of internal audit work, annual work plans, and frequent reporting
to the audit committee (1 response)

Furthermore, survey participants were asked to list the main responsibilities of CAEs toward the
audit committee and vice versa. Knowing what these responsibilities are can help internal audit
activities add value to audit committee efforts and ensure the audit committee is fulfilling its
obligations toward their organization’s internal audit activity.10

Main responsibilities of the CAE toward the audit committee, in order of importance, are:

To provide information to the audit committee as needed on a variety of topics (e.g.,
keep the audit committee up-to-date on the changing risk environment, strength of the
organization’s financial controls, internal audit results and areas of concern, ethics, and
the organization’s tone at the top).
To provide independent, objective assurance and consulting services designed to add
value and improve business operations (e.g., the CAE should provide assurance on the
effectiveness of the organization’s risk, control, and governance structures).
To provide training when needed.
To develop a risk-based internal audit plan that incorporates management’s and the audit
committee’s interests and obtain the committee’s approval of the plan.
To monitor audit committee activities to ensure responsibilities outlined in the audit
committee charter are accomplished.
To meet separately with the audit committee, at least once per year, to discuss key
issues and concerns.
To assist the audit committee in the investigation of significant and suspected fraudulent
activities and notify the committee of investigation results.

10
Additional information regarding the role of CAEs toward the audit committee is found in the Journal of
Accountancy’s “A Strategic Player.” According to the article, “to be effective, CAEs need to demonstrate a solid
understanding of the company’s business, core strategies, risk appetite and risk tolerance. CAEs must be willing to
raise difficult issues with senior management and the audit committee — even if such actions prove unpopular.”

In terms of the audit committee’s main responsibilities toward the CAE, committee members
should, also in order of importance:

Support the CAE to ensure management sees the benefits of internal auditing and the
internal audit activity has full access to company information, as well as make sure the
CAE has the necessary resources to meet established goals and objectives.
Provide guidance to the CAE (e.g., provide direction, approve internal audit work, and
review audit assessments).
Review the CAE’s performance and approve his or her compensation.

Although not cited by survey respondents, a main area of audit committee responsibility is also to
oversee internal audit performance by ensuring that internal audit activities comply with the
International Standards for the Professional Practice of Internal Auditing (Standards). This, in
turn, can be done by reviewing reports on the quality of internal audit processes and receiving
reports from external quality assessments.

Finally, CAEs were asked two key questions to determine their overall level of involvement in
audit committee activities. First, CAEs were to identify whether they should be asked for input
regarding audit committee operations and, second, whether they should be involved in the
selection of audit committee members. Overall, the majority of survey respondents (65 percent)
believe CAEs should be asked for input regarding audit committee operations but should not be
involved in the selection of audit committee members (57 percent).

One main reason for this reversal is that while providing input on audit committee operations will
not hinder the committee’s ability to objectively assess the performance of the CAE and support
internal audit activities, helping to select audit committee members might introduce bias in favor
of the CAE when assessing his or her performance. Therefore, the audit committee member
might feel more inclined to assess positively the performance of a CAE who participated in his
or her committee nomination.

Committee Composition
As Audit Committee Effectiveness — What Works Best explains, an audit committee’s
composition is a main factor in determining its effectiveness. “Leading practice suggests that
audit committee members be appointed by an independent nominating committee or by
independent directors from the board.

“Boards of directors may need to select new audit committee members to replace a member whose
term has been completed, fill a vacancy for a departing member, add a needed skill set, or expand
the committee size.”11 (Read “Who Is the Audit Committee Chair?” on this page for information on
audit committee characteristics.)

While the CEO should have limited involvement in selecting committee members due to the
committee’s role in overseeing management activities, the CEO and committee chair should be
consulted during the selection process as both may be able to provide insight into prospective
committee candidates and the skill sets needed to supplement the committee’s existing
strengths.12 As a general practice, written qualifications for audit committee members should
be developed to help recruiters determine whether a candidate meets the committee’s needs. In
addition, an understanding of the organization is necessary to help the committee assess the
appropriateness of accounting policies and results.

In terms of attributes, financial knowledge and independence are important for committee
members, as the audit committee is tasked with overseeing financial reporting and the company’s
audit function.13 Furthermore, committee chairs should display strong leadership qualities and
objectivity, as well as promote effective working relationships among committee members,
management, and internal and external auditors. Individuals serving in an audit committee also
should have the time and make the commitment to perform this role. (For a description of
additional attributes, read “List of Audit Committee Member Attributes” on page 10.)

Who Is the Audit Committee Chair?
According to GAIN’s Annual Benchmarking Study, corporate functions represented by the chair of
the audit committee vary. Different executive-level positions often serve as chair of the audit
committee, including the CEO, CFO, and chairman of the board of directors, although in the
majority of organizations (80 percent) the chair of the audit committee is an independent member
of the board of directors.

In addition, the level of expertise present in the audit committee is consistent in both public
and private organizations. For example, financial expertise was found in 27 percent of all
organizations represented in the study compared to 30 percent and 28 percent of public and
private organizations, respectively. Other functions represented in the audit committee include:

Business management (25 percent of all respondents, 28 percent in public organizations, and
27 percent in private organizations).
Legal (10 percent of all respondents, 11 percent in public organizations, and 12 percent in
private organizations).
Industry-specific knowledge (19 percent of all respondents, 21 percent in public organizations,
and 22 percent in private organizations).
Operational (15 percent of all respondents, 16 percent in public organizations, and 16 percent
in private organizations).

11
Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 67
12
Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 67
13
Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 70

The number of audit committee members is typically anywhere from four to five members. The July
2008 IIA Flash survey on audit committee activities found that 52 percent of organizations
represented in the survey have audit committees with four to five members, compared to one to
three members (27 percent), six to eight members (17 percent), and more than eight members
(5 percent). In addition, 37 percent of survey participants indicated that 26 percent to
50 percent of committee members have financial expertise, while the average tenure of audit
committee members was anywhere from four to five years or more, according to 36 percent of
respondents, compared to one to three years (34 percent). Refer to figures 2 and 3 for a
complete breakdown of these statistics.

List of Audit Committee Member Attributes
High-level of integrity.
Healthy skepticism.
Inquisitiveness and independent judgment.
Recognition of the committee’s significant role.
Knowledge of the organization’s risks and controls.
A broad perspective on the organization extending beyond financial and technical knowledge.
Ability to offer new perspectives and constructive suggestions.
Source: Audit Committee Effectiveness: What Works Best (3rd Edition), p. 70

Figure 2. Number of Audit Committee Members

(Source: Audit Committee Activities, July 2008, The IIA)

Figure 3. Percent of Members With Financial Expertise

(Source: Audit Committee Activities, July 2008, The IIA)

Leading Practices
CAEs participating in the March 2009 survey were asked to provide information regarding key
audit committee characteristics and member attributes. One survey question asked participants
to describe the organizational characteristics that should be taken into consideration when
determining the ideal number of audit committee members. Respondents listed a total of seven
characteristics. These are, in order of importance:

1. The complexity of the organization (e.g., decentralized versus centralized, public versus
private) and industry.
2. The size of the organization.
3. The extent of responsibilities and expertise assigned to the audit committee.
4. The size of the board of directors and number of board committees.
5. The culture of the organization and its needs.
6. The assignment of members to other board committees and external commitments.
7. The roles and responsibilities of the audit committee as outlined in the charter.

Respondents also were asked to describe the areas of expertise that should be represented in
the audit committee. According to CAEs, at least one committee member should be
knowledgeable or have expertise in the following areas: finance and accounting, industry-specific
and overall business knowledge, internal and external auditing, risk management, regulatory
compliance, legal, and IT and information security. When asked to identify the area that should
always be represented in the audit committee, 83 percent of participants identified finance and
accounting (refer to Figure 4 for a summary of all responses).

Figure 4. Functions That Should Be Represented in the Audit Committee

Regarding years of service, more than half of survey respondents (57 percent) believe audit
committee members should serve no less than five years on the audit committee, followed by
3–4 years (29 percent) and two years (10 percent). Key attributes all audit committee members
should have include inquisitiveness, outspokenness, and courage (i.e., the ability to challenge
accounting and management positions and investment decisions); a clear understanding of
financial results and operations; business and industry-specific experience; independence and
objectivity; honesty and a high-level of ethics; an ability to learn quickly; an understanding of the
organization’s internal control structure; a high-level of engagement in company activities; and
trustworthiness.

Meetings
Effective audit committee meetings require strong leadership, the right agenda items, and getting
materials in advance. Identifying how often meetings should be held is key to driving the
committee’s activities throughout the year.14 According to Audit Committee Effectiveness — What
Works Best, many audit committees plan their activities using a calendar in which committee
responsibilities are labeled down one side and expected meetings are labeled across the top.
Core responsibilities are then allocated to various meetings (refer to Table 4 for a sample audit
committee planning calendar).

Table 4. Sample Audit Committee Planning Calendar

Meetings (columns):
Meeting 1, Q1: 3/31/08
Meeting 2, Q2: 6/30/08
Meeting 3, Q3: 9/30/08
Meeting 4, Q4: 12/31/08
Meeting 5, Executive Session with CAE: 4/30/08
Meeting 6, Executive Session with CAE: 10/31/08

Responsibilities (rows):
Select the external auditor.
Review and approve the annual internal audit plan.
Evaluate CAE performance and compensation.
Review evaluation of risk management controls and governance processes.

Another important factor to determine is how often meetings should be held throughout the year.
In their research, Frank Burke and Dan Guy found that most audit committees meet six to eight
times per year. This frequency includes three meetings devoted to quarterly financial
statements.15 The IIA’s GAIN Annual Benchmarking Study found that public organizations tend to
meet an average of five times per year or once every quarter in private organizations.
Furthermore, in 43 percent of all organizations represented in the survey, private sessions with
the audit committee are available on request or as a regular agenda item. (For more
recommendations on audit committee best practices read “PCAOB Recommendations” on this page.)

PCAOB Recommendations
In October 1998, the PCAOB appointed the Panel on Audit Effectiveness at the request of then SEC
Chairman Arthur Levitt Jr. The panel made a number of recommendations on audit committee meeting
and agenda effectiveness. For example, the audit committee should develop a formal calendar of
activities, including a meeting plan; relate audit plan activities to its committee charter; and
have the meeting plan reviewed and agreed to by the board of directors. Other recommendations
include holding a minimum of two face-to-face meetings during the year with the external auditor
and at least one executive session with the internal auditor and external auditor without
management’s presence.
(Source: Audit Committees: A Guide for Directors, Management, and Consultants, pp. 15.03–04)

14
Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 87
15
Audit Committees: A Guide for Directors, Management, and Consultants (2006), p. 15.01

For those organizations trying to establish an audit committee, it would be appropriate for the
committee to follow the practices exemplified in the Annual Benchmarking Study based on the
organization’s type (i.e., private or public) or meet a minimum of four times per year — once
every quarter — to ensure issues are thoroughly discussed in the most appropriate fiscal-year
quarter.

Prior to the meeting, briefing materials need to be supplied in advance. Catherine Bromilow and
Barbara Berlin found many committees insist on receiving materials 10 business days before the
meeting. These materials include special reports from the internal or external auditor and
materials prepared and distributed by management.16 Private meetings also can be held with the
CAE and the external auditors to discuss various issues, such as auditor and management
performance, future agendas, or committee performance improvement. According to a March
2006 IIA Flash survey (PDF, 286 KB) on audit committee communications, 79 percent of the 233
IIA members who participated in the survey indicated the status of internal audit plan activities
was the information most often requested from the CAE during a regularly scheduled audit
committee meeting (refer to Figure 5 for a complete breakdown of all responses).

Figure 5. Information Most Often Requested by the Audit Committee From CAEs

(Source: Audit Committee Communications, March 2006, The IIA)

Furthermore, meeting agendas need to encompass the committee’s activities and the type of
work the organization performs. “At the early stages of the creation of an audit committee, it is
probably a good idea to have very broad agendas. As time progresses and the committee
assumes expanded responsibilities, the chairperson of the audit committee should prepare
detailed agendas to help keep the committee focused.”17 Besides keeping minutes for each
meeting, the audit committee needs to report regularly to the board and discuss with other
company directors the issues addressed during each meeting and the session’s outcome.

16
Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 91
17
Audit Committees: A Guide for Directors, Management, and Consultants (2006), p. 15.02

Leading Practices

The March 2009 Flash survey asked CAEs to provide feedback on the overall purpose and
structure of audit committee meetings and the kinds of information that should be presented
during these meetings. According to survey participants, the main purpose of an audit committee
meeting should be to review and discuss internal and external audit issues and activities as well
as financial results, statements, and reports. CAEs also were asked to specify the percent of time
allocated for each topic. Figure 6 provides a summary of all responses.

Figure 6. Percent of Time Allocated to Meeting Discussion Topics

Because presentation of information is just as important as the topics discussed, respondents
were asked to specify how information should be presented to audit committee members. Overall,
CAEs stated information should be distributed several days (anywhere from one to two weeks)
prior to the meeting (refer to Figure 7 for a breakdown of responses by percentages). Doing so
will enable audit committee members to review all the information prior to the meeting and focus
the meeting’s agenda on those topics of highest importance, thus maximizing meeting time.
Information distributed prior to the meeting should include:

The meeting’s agenda and prior meeting minutes.
Executive summaries of each audit report issued since the last meeting with detailed
appendices and key audit performance metrics.
A timeline of planned audits and those in progress.
Copies of financial statements and reports.
Educational materials of interest to audit committee members.
Materials required to meet the committee’s charter requirements.
Handouts of ethics hotline material.
Copies of PowerPoint slides, tables, and charts that will be discussed during
the meeting.

Figure 7. Timeframe for Distributing Materials Prior to Audit Committee Meetings

Similarly, CAEs identified the overall format of the information that should be presented during the
actual meeting. As stated by survey participants, during the meetings CAEs should provide
summarized and concise information included in the previously distributed meeting report. This
enables audit committee members to review the information in a short period of time and allow
ample time for discussion of the information presented during the meeting as well as other issues
not listed on the agenda. The number one method cited for presenting information during the
meeting is through the use of PowerPoint slides.

In terms of duration, most CAEs (39 percent) stated meetings should last more than two hours,
with the average timeframe cited being 3–4 hours, followed by 91 minutes to two hours
(26 percent), 46 to 60 minutes (17 percent), 61 to 90 minutes (13 percent), and 31 to 45 minutes
(4 percent). Overall, each timeframe was chosen based on:

The discussion needs of the audit committee and CAE (e.g., time availability and
attention span).
The kinds of information to be discussed during the meeting (e.g., pressing issues versus
a review of audit results).
The frequency of meetings (e.g., quarterly meetings usually require anywhere from 91
minutes to more than two hours to allow all parties to discuss agenda items without
feeling rushed).
The presence of an executive session with the audit committee (e.g., some respondents
stated other senior managers are invited to participate during the audit committee
meeting and provide information on their respective business units).

CAEs also were asked to identify how often they should hold executive or private sessions with
the audit committee. More than half of all respondents (57 percent) stated these sessions should
be held at least quarterly, followed by monthly (9 percent), as needed (9 percent), and semi-
annually (4 percent). Reasons why executive sessions should be held include to discuss items of
importance in between regularly scheduled meetings and to keep audit committee members
apprised of issues as they occur. In addition, some CAEs felt that executive sessions should be
held during every regularly scheduled meeting to allow for an open discussion of management
issues without the presence of other senior managers.

In terms of their duration, executive sessions do not last as long as the audit committee
meeting. These meetings can last anywhere from less than 10 minutes to no more than 45 minutes
depending on the issues to be discussed and their frequency (refer to Figure 8 for a summary of
responses). Survey participants also were asked to identify leading practices to maximize the
use of executive sessions between the CAE and audit committee. Respondents provided a total of
four practices that can help CAEs enhance the effectiveness of their executive sessions with the
audit committee:

1. Suggest topics for discussion to prompt the audit committee’s involvement in the session.
2. Hold private sessions with the committee chair before the executive session to give a
“heads up” on any sensitive or problem areas to be discussed.
3. Keep the duration of private sessions short.
4. Hold additional executive sessions among the organization’s general counsel, CEO, CFO,
controller, information security officer, and CAE to build trust.

Leading Recommendations From Fortune 100 and 250 Companies
In March 2009, The IIA held a roundtable comprised of 28 CAEs working in Fortune 100 and 250
companies, service providers, and regulators from the PCAOB and SEC to discuss key themes for
refocusing internal audit strategy during the current economic crisis. Among the key topics for
discussion was how CAEs can ramp up communication with the audit committee on ERM issues. To
ensure auditors provide value-added services to audit committee members during committee
meetings in which ERM is a major topic of discussion, many CAEs:

Offer audit committee members risk management education during regular meetings or special
sessions.
Expand ERM discussions with the board, including an assessment of strategic risks.
Include a list of the organization’s top 10 risks in every audit committee package and show
they relate to the audit plan.
Increase information communication through phone calls and e-mail outside of regular
face-to-face meetings.
Identify and report pervasive recessionary issues, such as risks related to liquidity, staffing
reductions, and fraud.

(Source: “A World in Economic Crisis: Key Themes for Refocusing Audit Strategy.” p. 4)

Figure 8. Duration of Executive Sessions With the Audit Committee

Finally, survey participants were asked to identify whether the number of audit committee
meetings in their organization has increased, decreased, or remained the same during the last
12 months and whether the time allocated for each meeting has changed as well. The majority
of CAEs indicated that both the number of meetings and time allocated for each meeting has
remained the same (96 percent and 87 percent, respectively). Only 4 percent of respondents
indicated the number of meetings has increased and 13 percent stated the time allocated for
each meeting has increased. No respondents indicated the number of meetings and time
allocated for each meeting has decreased.

Charter, Performance Evaluation, and Training
To fulfill its role successfully, the audit committee must understand its responsibilities and
how it will accomplish them as specified in the charter (read “Charter Facts” on this page for
statistics on audit committee charter presence). More specifically, the audit committee charter
should clearly define the committee’s purpose and scope of responsibilities in addition to
guiding the agenda-setting process for committee meetings, providing checkpoints that allow the
committee to track activities against the charter, and outlining orientation information for
new members.18

Charter Facts
According to the GAIN Annual Benchmarking Study, 94 percent of respondents stated their audit
committees have a charter compared to only 4 percent of organizations that do not. In terms of
public or private organizations, 97 percent and 89 percent of respondents, respectively,
indicated their audit committee has a charter, whereas 2 percent and 8 percent of public and
private organizations, respectively, do not have an audit committee charter.

According to The IIA July 2008 Flash survey on audit committee activities, respondents identified
the following topics as being part of the audit committee’s charter or scope of work:

1. Internal audit activities (99 percent).
2. Appointment of external auditor (91 percent).
3. Significant audit adjustments (90 percent).
4. Evaluation of external auditors (90 percent).
5. Audit fee review/approval (89 percent).
6. Regulatory compliance (83 percent).
7. Anti-fraud consideration (82 percent).
8. Evaluation of internal auditors (81 percent).
9. Compliance hotline (74 percent).
10. ERM (70 percent).
11. Review proposed regulations (65 percent).
12. Finance risk assessment (63 percent).
13. Standard Statement on Auditing Standard 114 disclosure (57 percent).
14. Sarbanes-Oxley (55 percent).
15. Refinancing/debt restructuring (38 percent).
16. Debt covenants (35 percent).
17. Swap/hedging activities (31 percent).

Having a clearly defined charter will help the audit committee accomplish and evaluate its work.
Performance evaluations should be conducted regularly to determine if the committee is meeting
the expectations of its members, the board, and regulators. In public companies listed on the New
York and London Stock Exchanges, for example, annual assessments of audit committee
performance are required.19 In Audit Committee Effectiveness — What Works Best, the authors
identify two ways to evaluate audit committee performance: comparing committee activities
against its charter and comparing committee activities against leading practices, such as
published reports and benchmarking studies. Figure 9 provides information on the different types
of audit committee and charter evaluations from GAIN’s Annual Benchmarking Study, including
conducting self-assessments or audits on audit committee performance and charter effectiveness
on a periodic basis.

18 Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 99
19 Audit Committee Effectiveness — What Works Best, 3rd Edition (2005), p. 101

The PCAOB’s Auditing Standard (AS) No. 2 (PDF, 552 KB) also lists factors for assessing audit
committee effectiveness:

1. The audit committee’s independence from management.
2. Whether audit committee responsibilities are articulated clearly, and how well the
committee and management understand those responsibilities.
3. The audit committee’s interaction with external and internal auditors and key personnel
from the organization’s financial management team.
4. The audit committee’s responsiveness to issues raised by internal and external auditors.
5. Whether the committee raises the right questions and addresses them with management
and the organization’s internal and external audit activity.

Figure 9. Kinds of Audit Committee Evaluations

(Source: The IIA’s GAIN Annual Benchmarking Study)

Finally, the audit committee needs to receive the necessary training to understand and
accomplish its goals. Training should be ongoing to keep audit committee members informed on
current regulatory standards, company activities and changes, and other relevant information to
help them accomplish their work. According to the GAIN Annual Benchmarking Study, 30 percent
of organizations provided professional development opportunities to audit committee members
(see Figure 3). These numbers remain pretty constant when examined by company type —
29 percent of public organizations and 30 percent of private companies provide training
opportunities to audit committee members. Rather than indicating a need for training, these
percentages could be indicative of a lack of internal resources to provide much needed training
to audit committee members.

Figure 10. Percent of Organizations Providing Training to Audit Committee Members

(Source: The IIA’s GAIN Annual Benchmarking Study)

Leading Practices
To obtain leading practices in the area of audit committee charter implementation, CAEs
participating in the March 2009 Flash survey were asked to provide additional information
regarding the kinds of information that should be included in the audit committee charter.
Nearly half of all respondents (48 percent) identified the committee’s roles and responsibilities
as the number one item that should be included in the audit committee’s charter. Other
responses, in order of importance, are:

• The committee’s purpose, mission, and overall objectives of the audit committee
  (i.e., operating principles).
• The composition of the audit committee and qualifications of committee members
  (e.g., independence of audit committee members and areas of expertise).
• The level of authority of the audit committee.
• The number of meetings to be held throughout the year.
• The term of committee members.
• The committee’s code of conduct review and communication methods.
• All the information necessary to comply with regulatory requirements.

Similarly, CAEs were asked to describe the best way to measure audit committee performance as
this is an important aspect of the committee’s operations. According to survey results, 43 percent
of respondents identified the use of self-assessments as the number one performance method.
Other responses, in order of importance, include:

• The use of a checklist of items listed in the committee’s charter to ensure everything
  is addressed as necessary.
• Benchmarks of audit committee performance against that of peers.
• Discussions with management, the board of directors, external auditors, and the CAE
  regarding audit committee performance, attitude (i.e., tone at the top), and actions.
• Improvement measurements of the organization’s control landscape, risk, and
  governance structures.
• Independent surveys of audit committee members with specific performance questions.
  If a committee member answers “no” or “don’t know” to a question it shows the audit
  committee has issues left to cover.

Finally, when asked about training, all respondents agree training should be provided on specific
topics of interest to all audit committee members either internally (e.g., internal audit team and in-
house subject-matter experts) or externally (e.g., conferences, seminars, and webinars). Training
also should discuss subjects that can help the audit committee accomplish its goals and
objectives and include:

• Audit committee responsibilities and best practices.
• Topics dealing with issues or those based on the skills represented by audit committee
  members.
• Internal audit topics and internal control issues.
• Industry-specific topics.
• Accounting and finance issues.
• Orientation to the organization.
• Risk management.
• Changes in standards and regulations.
• Emerging issues and industry trends.

Besides providing training internally and externally, some CAEs stated training should be
provided as part of the audit committee meeting (e.g., during a question and answer session) or
in the form of supplementary materials.

Working With the Audit Committee
As described earlier, auditors need to provide the audit committee with the information needed to
fulfill its responsibilities. As author Curtis Verschoor describes in Audit Committee Essentials
(2008), the relationship between the audit committee and internal auditors needs to be “bilateral
and symbiotic. The mission of internal auditing … should be based on IIA professional standards
and tailor-made to the circumstances of the culture, management, style, and operational focus of
the organization it serves.”20

According to an April 2000 article in Internal Auditor magazine, internal auditors can assist audit
committees in their oversight of reporting and risk management and control. For instance, audit
committees can look to internal auditors to provide independent, objective assurance, and
consulting activities that add value to and improve the organization’s operations. Auditors also
can offer assistance by:

• Facilitating information flow to the audit committee.
• Performing special projects or investigations as requested.
• Helping audit committees evaluate whether the company has satisfied its internal and
  external reporting objectives.
• Helping audit committees assess the quality of the organization’s financial reporting activities.
• Providing information on the strength of controls over the quarterly reporting process.
• Assuring the audit committee receives relevant reports and timely business performance
  measures.
• Supporting the audit committee in its evaluation of the company’s compliance with
  control objectives.
• Providing information to help the audit committee monitor the company’s control
  environment and key financial and business risks.21

20 Questions to Ask the Audit Committee

When evaluating the future or current relationship with an organization’s internal audit activity,
every audit committee should be able to answer the following 20 questions:

1. Should we have an internal audit activity?
2. What should our internal audit activity do?
3. What should be the mandate of our internal audit activity?
4. What is the relationship between the internal auditors and the audit committee?
5. To whom should the internal auditors report administratively?
6. How is the internal audit activity staffed?
7. How do the internal auditors get and maintain the expertise they need to conduct their
   assignments?
8. Are the activities of our internal auditors appropriately coordinated with those of the
   external auditors?
9. How is the internal audit plan developed?
10. What does the internal audit plan not cover?
11. How are internal audit findings reported?
12. How are our corporate managers required to respond to internal audit findings and
    recommendations?
13. What services do our internal auditors provide regarding fraud?
14. How are we assured of internal audit effectiveness and quality?
15. Does our internal audit activity have sufficient resources?
16. Does our internal audit activity have appropriate support from the CEO and senior
    management team?
17. Are we satisfied that this organization has adequate internal controls over its major risks?
18. Are there any other matters that should be brought to our attention?
19. Are there other ways in which we and our internal auditors might support each other?
20. Are we satisfied with our internal audit activity?

(Source: Adapted from 20 Questions Directors Should Ask About Internal Audit (PDF, 392 KB) by
the Canadian Institute of Chartered Accountants.)

20 Audit Committee Essentials (2008) p. 117

In addition to the tasks described above, it is important for internal auditors and audit committees
to work together in the area of risk management and internal control. As Spencer Pickett in The
Internal Auditing Handbook (2003) describes:

“The developing significance of the audit committee has gone hand-in-hand with more
reliance on internal auditing as a key aspect of the corporate governance solution. One
key area that internal audit has a dominating expertise is in applying control models to
an organization, and it is here that the CAE may help the audit committee understand the
use and design of control models through which to base any view of internal controls that
they might recommend to the main board.”22

Similarly, The IIA’s The Audit Committee: A Holistic View of Risk (PDF, 381 KB) advises internal
auditors to report significant risk exposures and control issues, corporate governance issues, and
other requested information to the audit committee. To this end, CAEs and audit committees
should meet regularly without management and the presence of external auditors.23 This will
enable audit committee members to:

• Know the extent to which management has established effective ERM.
• Be aware of and concur with the organization’s risk appetite.
• Learn who is responsible for risk identification, assessment, and management throughout
  the organization, and meet periodically with those individuals.
• Understand the role of internal auditors and areas of planned coverage, and meet
  periodically with the CAE to discuss risk management.
• Review financial reporting risks, weigh them against the organization’s risk appetite, and
  discuss with management how effective the controls in place are in mitigating those risks.
• Ensure audit committee members are receiving the information needed in the appropriate
  format so an effective evaluation of the risk management process can be made.24

Besides IIA Standard 2060 and Practice Advisory 2060-1 (see “The CAE and Audit Committee”
on page 5), The IIA standards in Table 5 will provide auditors with additional guidance on their
audit committee responsibilities. Finally, additional guidance regarding the relationship of internal
auditors and the audit committee can be found in the AICPA’s Audit Committee Toolkit, Moody’s
Best Practices in Audit Committee Oversight of Internal Audit (PDF, 117 KB), and the PCAOB’s
AS No. 5 (PDF, 220 KB).

21 Internal Auditor (2000), “The Year of the Audit Committee,” pp. 50–51
22 The Internal Auditing Handbook (2003) p. 104
23 The Audit Committee: A Holistic View of Risk (p. 8)
24 Audit Committee Effectiveness — What Works Best, 3rd Edition (2005)

Table 5. List of IIA Standards

| IIA Standard | Summary of Description |
|---|---|
| IIA Standard 1312: External Assessments | External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The CAE must discuss with the board: • The need for more frequent external assessments. • The qualifications and independence of the external reviewer or review team, including any potential conflict of interest. (In this standard, the word board is meant to signify the actual board or audit committee.) |
| IIA Standard 1320: Reporting on the Quality Assurance and Improvement Program | The CAE must communicate the results of the quality assurance and improvement program to senior management and the board. (In this standard, the word board is meant to signify the actual board or audit committee.) |
| IIA Standard 2010.A1: Planning (Assurance Engagements) | The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. (In this standard, the word board is meant to signify the actual board and the audit committee.) |
| IIA Standard 2020: Communication and Approval | The CAE must communicate internal audit plans and resource requirements to senior management and the board for review and approval. (In this standard, the word board is meant to signify the actual board or audit committee.) |
| IIA Standard 2440.C2: Disseminating Results (Consulting Engagements) | During consulting engagements, governance, risk management, and control issues may be identified. Whenever these issues are significant to the organization, they must be communicated to senior management and the board. (In this standard, the word board is meant to signify the actual board and the audit committee.) |
| IIA Standard 2600: Resolution of Management’s Acceptance of Risks | When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution. (In this standard, the word board is meant to signify the actual board or audit committee.) |

Leading Practices
The last survey questions asked participants to share leading practices for working and
communicating with the audit committee as well as recommendations for organizations that are
putting together an audit committee for the first time. In terms of leading practices for working and
communicating with the audit committee, CAEs responding to the survey indicated the use of
telephone calls and e-mails in between meetings to discuss issues prior to regularly scheduled
audit committee meetings. Other leading practices cited include:

• Sending information packages prior to the meetings (e.g., send a monthly status report to
  the audit committee chair on issues that should have been completed or addressed since
  the previous meetings).
• Distributing relevant articles and materials on topics such as internal auditing and
  accounting.
• Bringing subject-matter experts to each meeting who can explain their areas of the
  organization to committee members.
• Holding regularly scheduled face-to-face meetings as specified by the committee’s
  charter.
• Holding regular informal lunches between the CAE and audit committee chair to discuss
  issues of importance throughout the year and without the presence of other management
  personnel.
• Increasing the number of senior managers discussing areas of interest directly with the
  audit committee (e.g., when the company experiences a significant deficiency in a
  control, the executive from that area may be invited to report on the situation and what
  they are doing to address the situation).

Finally, for those organizations that are putting together an audit committee for the first time,
survey participants recommend that those responsible refer to information posted on other
company Web sites (e.g., audit committee charters of publicly listed companies that are available
on the Internet), especially when drafting the audit committee’s charter. In addition, CAEs
recommend that the role of the audit committee should be to provide oversight and guidance to,
and not manage, the internal audit activity, without the interference of the organization’s senior
management team.

As stated previously, CAEs stressed the importance of providing new audit committee members
with training on their respective roles and responsibilities, as well as ensuring that the audit
committee reports to the full board of directors, the CAE reports directly to the audit committee,
and audit committee members are selected based on their skills and their overall fit with the
organization.

Resources
The presence of an audit committee can signal an organization’s commitment toward financial
reporting accuracy and sound corporate governance. However, to ensure audit committee
activities enhance the organization’s financial, regulatory, legal, and security stance, its role and
responsibilities need to be clearly defined and understood by committee members and the
organization’s management team. In addition, a good working relationship between the CAE and
audit committee can help the committee in fulfilling its responsibility to the board, shareholders,
and other parties.

For additional information on audit committees, internal auditors and CAEs can visit the following
Web sites:

Guidance and Regulatory Information

• The Australian National Audit Office, Better Practice Guides and Audit Reports on audit
  committees, www.anao.gov.au.
• The IIA’s Standards and Practice Advisories,
  www.theiia.org/guidance/standards-and-guidance/ippf/:
    • IIA Standard 1312: External Assessments.
    • IIA Standard 1320: Reporting on the Quality Assurance and Improvement Program.
    • IIA Standard 2010.A1: Planning (Assurance Engagements).
    • IIA Standard 2020: Communication and Approval.
    • IIA Standard 2060: Reporting to the Board and Senior Management:
        o IIA Practice Advisory 2060-1: Reporting to the Board and Senior Management.
    • IIA Standard 2440.C2: Disseminating Results (Consulting Engagements).
    • IIA Standard 2600: Resolution of Management’s Acceptance of Risks.
• The PCAOB’s Auditing Standard No. 2,
  www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf (PDF, 552 KB).
• The PCAOB’s Auditing Standard No. 5,
  www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf (PDF, 220 KB).

Reference Web sites and Online Resources

• Answers.com Audit Committee Web page, www.answers.com/topic/audit-committee?cat=biz-fin.
• Association of Fundraising Professionals’ Audit Committee Web page,
  www.afpnet.org/ka/ka-3.cfm?content_item_id=18590&folder_id=900.
• BNET.com’s Audit Committees Resources Web page,
  http://search.bnet.com/index.php?q=audit+committees.
• Deloitte’s Center for Corporate Governance Audit Committee Web page,
  www.corpgov.deloitte.com/site/us/menuitem.610f1af0ae10615a8f220ce36cdf8a0c/.
• KPMG’s Audit Committee Institute Web site, www.kpmg.com/aci/.
• The AICPA’s Audit Committee Effectiveness Center Web site,
  www.aicpa.org/audcommctr/homepage.htm.
• The IIA’s Audit Committees and Board of Directors Web page,
  www.theiia.org/guidance/standards-and-practices/additional-resources/audit-committees-board-of-directors/.
  (This Web page includes some of the information already presented on this page in addition
  to other audit committee resources.)
• The IIA’s GAIN Annual Benchmarking Study, www.theiia.org/gain.
• The IIA’s GAIN Flash surveys, www.theiia.org/gain:
    o July 2008: Audit Committee Activities.
    o May 2008: Audit Committee Communications.
    o May 2008: CAE & Interactions With the Audit Committee.
    o April 2008: Audit Management: Various Topics.
    o April 2008: Duplicate Reporting to Various Committees.
    o March 2008: Questionnaires to Management and Audit Committee on Audit Planning.
    o January 2008: Committee Oversight of Regulations and Other Matters.
    o November 2007: CAE Audit Committee Support.
    o August 2007: Audit Committee Executive Sessions.
    o March 2006: Audit Committee Communications.
• Wikipedia’s Audit Committee Web page, http://en.wikipedia.org/wiki/Audit_committee.

Sample Audit Committee Charters

• Atlantic Canada Opportunities Agency,
  www.acoa.ca/e/library/ACOA%20Audit%20Committee%20Charter.pdf (PDF, 87.4 KB).
• Audit Committee Charter Matrix available on the AICPA Web site,
  www.aicpa.org/audcommctr/toolkitsgovt/Audit_Committee_Charter_Matrix.htm.
• Dell, www.dell.com/content/topics/global.aspx/corp/governance/en/audit?c=us&l=en&s=corp.
• The Canadian Institute of Chartered Accountants’ (CICA’s) Audit Committee Charter,
  www.cica.ca/multimedia/Download_Library/About_the_Profession/CICA/Board_of_Directors/Charter_AuditCom.pdf
  (PDF, 27.2 KB).
• The Dow Chemical Company, www.dow.com/corpgov/board/audit.htm (PDF, 28 KB).

Articles, Books, and Reports

• Audit Committees: A Guide for Directors, Management, and Consultants (2006),
  http://onlinestore.cch.com/productdetail.asp?productid=4187.
• Audit Committee Effectiveness — What Works Best, 3rd Edition (2005),
  www.theiia.org/bookstore/product/audit-committee-effectiveness-what-works-best-3rd-edition-1157.cfm.
• Audit Committee Essentials (2008),
  www.theiia.org/bookstore/product/audit-committee-essentials-1329.cfm.
• Internal Auditor magazine, www.theiia.org/index.cfm?act=iia.internalauditor&site=iia:
    o “The Year of the Audit Committee” (April 2000).
    o “Getting a Leg Up” (June 2005).
    o “Stepping Up” (December 2005).
    o “A Symbiotic Relationship” (April 2007).
• Moody’s Investors Service’s Best Practices in Audit Committee Oversight of Internal Audit
  (October 2006),
  www.moodys.com/moodys/cust/research/MDCdocs/09/2006000000426210.pdf?search=5&searchQuery=Best+Practices+in+Audit+Committee+Oversight+of+Internal+Audit&click=1
  (PDF, 117 KB).
• PricewaterhouseCoopers’ Audit Committee Publications Web page,
  www.pwc.com/extweb/pwcpublications.nsf/docid/253e1c17db806b13802569a10036c92d.
• Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness
  of Corporate Audit Committees (1999), www.nasdaq.com/about/Blue_Ribbon_Panel.pdf
  (PDF, 344 KB).
• Report of the National Commission on Fraudulent Financial Reporting (October 1987),
  www.coso.org/Publications/NCFFR.pdf (PDF, 1.38 MB).
• The Canadian Institute of Chartered Accountants’ (CICA’s) 20 Questions Directors Should
  Ask About Internal Audit, www.cica.ca/download.cfm?ci_id=44498&la_id=1&re_id=0
  (PDF, 675 KB).
• The IIA’s Audit Committee: Purpose, Process, Professionalism (2006),
  www.theiia.org/download.cfm?file=19104 (PDF, 392 KB).
• The IIA’s The Audit Committee: A Holistic View of Risk,
  www.theiia.org/download.cfm?file=49987 (PDF, 381 KB).
• The IIA’s Tone at the Top newsletter, available online at
  www.theiia.org/periodicals/newsletters/tone-at-the-top/archives-by-topic/:
    o “Audit Committees: Are You in Compliance?” (March 2003),
      www.theiia.org/periodicals/newsletters/tone-at-the-top/archives-by-topic/index.cfm?c=578.
    o “Meeting New Audit Committee Challenges” (September 2005),
      www.theiia.org/periodicals/newsletters/tone-at-the-top/archives-by-topic/index.cfm?c=578.
    o “The Audit Committee’s Top 10” (December 2007),
      www.theiia.org/periodicals/newsletters/tone-at-the-top/.
• The IIA Research Foundation Bookstore,
  www.theiia.org/bookstore/department/audit-committees-and-governance-10001.cfm.
• The Internal Auditing Handbook (2003),
  www.wiley.com/WileyCDA/WileyTitle/productCd-0470848634.html.
