Part 5: Openly and effectively involving stakeholders

Audit committees in the public sector.

5.1
According to the Treadway Commission:

The mere existence of an audit committee is not enough. The audit committee must be vigilant, informed, diligent and probing in fulfilling its oversight responsibilities.1

5.2
To add value by strengthening governance processes, the audit committee needs to effectively involve its stakeholders. The stakeholders are:

  • the governing body;
  • the chief executive;
  • other governance committees;
  • management;
  • internal auditors; and
  • external auditors.

5.3
The chairperson of the audit committee is responsible for ensuring that stakeholders are openly and effectively involved. However, all stakeholders share responsibility for ensuring that the audit committee operates effectively.

5.4
From time to time, there are also questions about the work of an audit committee and the extent to which its considerations are subject to public transparency provisions, such as the Official Information Act 1982 and the Local Government Official Information and Meetings Act 1987 (see paragraphs 5.46-5.53 for further discussion).

5.5
This section of the guide identifies good practice for the relationship between the audit committee and its stakeholders.

Relationship with the governing body or departmental chief executive

5.6
The governing body or departmental chief executive has an important role in determining the effectiveness of the audit committee by setting an appropriate “tone at the top” and providing demonstrable support for the work of the audit committee.

5.7
For public entities with an elected or appointed board, the audit committee usually has enough inherent authority to expect management to respond to its requests. However, in a government department, the audit committee needs the full support of the chief executive to ensure that it can effectively execute its work programme.

5.8
The relationship between the chief executive and the chairperson of the audit committee should be one of mutual respect for each other’s skills and experience. The two should share a common understanding of the role of the audit committee and its ability to help the department improve its performance and compliance.

5.9
The audit committee chairperson and chief executive should meet regularly, outside normal audit committee meetings. This sharing of information on current issues and areas of potential concern should occur in a timely manner.

5.10
The audit committee should also seek a briefing at least annually on the strategic developments affecting the public entity, including emerging risks, significant projects or programmes, legislative changes, and major policy developments.

5.11
If the audit committee includes a member of management, the chairperson and chief executive should not expect that person to be the conduit for communication between them. Nor should the audit committee necessarily look to that person to provide administrative support for the audit committee. Again, those arrangements should be agreed between the chairperson and the chief executive.

Reporting

5.12
The minutes of the audit committee would usually be presented at the meetings of the governing body, which may mean it is not necessary for the audit committee to separately report on its activities.

5.13
If the chief executive does not attend the audit committee meetings, we would normally expect the chairperson of the audit committee to discuss with the chief executive the audit committee’s work, and any specific and significant insights, risks, issues, and recommendations.

5.14
It is good practice for the audit committee to provide the chief executive or governing body with an annual report of its work and recommendations, and of any outstanding issues and concerns.

Expectations

5.15
In summary, the audit committee should expect the governing body or chief executive to:

  • keep it fully informed on strategic and risk issues facing the organisation; and
  • fully support the execution of its mandate.

5.16
The governing body or chief executive should expect:

  • to be kept fully apprised of the activities of the audit committee;
  • sound and well-informed debate on the areas within the audit committee’s mandate; and
  • to be informed promptly of any significant concerns the audit committee has in areas within its mandate.

Relationship with other governance committees

5.17
If a public entity has an audit committee and one or more other governance committees, such as a risk or fraud committee, it should have clear reporting protocols in place to ensure that there is a common understanding of the respective objectives and responsibilities of each committee. The audit committee and the other governance committees also need to be able to share current and relevant information, and operate in a co-operative and complementary manner.

Distinguishing between governance and management

5.18
It is important that audit committee members understand the difference between the governance function of the audit committee and the decision-making functions of management. The audit committee needs to always keep its purpose in mind and ensure that it focuses on areas of highest risk to the organisation. The most common complaints from management about the operations of audit committees involve audit committee requests that are perceived to add to the compliance burden without adding value.

5.19
The audit committee needs to demonstrate a positive culture of continuous improvement to help free and frank discussion with management on organisational risks and opportunities. If the audit committee has a punitive culture, management will become defensive and less likely to “tell it like it is”.

5.20
The more informed management is about the activities of the audit committee, the more likely it is to see the benefits that accrue from the audit committee’s interactions.

Expectations

5.21
The audit committee should expect management to:

  • have a positive attitude to challenge and debate of management plans of action;
  • have a constructive approach to interacting with the audit committee;
  • be forthcoming in identifying potential areas of risk and improvement;
  • provide clear, unambiguous reports;
  • be responsive to requests; and
  • inform the committee of any investigations, reviews, and/or fraud.

5.22
Management should expect the audit committee to:

  • communicate about its activities (potentially by distributing minutes);
  • provide opportunities for managers to attend audit committee meetings when their area of responsibility is being discussed (for example, when relevant internal audit reports are being presented);
  • foster a culture of continuous improvement;
  • consider the compliance cost associated with audit committee requests;
  • maintain a focus on the main areas of risk and opportunity; and
  • maintain the distinction between governance roles and management roles.

Relationship with the internal audit or risk manager

5.23
The relationship between the audit committee and the internal auditor is central to enabling the audit committee to fulfil its mandate. The audit committee receives much of its information on the adequacy of the control environment and assurance over the public entity’s management of risk from the internal auditor.

5.24
In turn, the independence and effectiveness of the internal auditor is greatly strengthened by the support of the audit committee.

5.25
To have an effective relationship between the audit committee and the internal auditor, there needs to be an unrestricted, frank, and confidential exchange of information between the two throughout the year.

Interaction

5.26
We would expect the chairperson of the audit committee and the internal auditor to meet regularly outside normal audit committee meetings. The internal auditor should be comfortable in requesting meetings with the chairperson of the audit committee whenever required.

5.27
There should also be time set aside at the audit committee meeting for a committee-only session with the internal auditor. This reinforces the independent role played by the internal auditor.

Approval of plan

5.28
One of the main functions of the audit committee is to consider the internal audit work programme and recommend that it be approved. The audit committee ensures that the proposed programme meets the needs of the public entity by considering whether the plan:

  • is prioritised, showing a clear link to the public entity’s risk management framework;
  • incorporates the objectives of each of the proposed internal audit reviews;
  • includes an estimate of the resources needed and the planned timetable;
  • is flexible enough to accommodate extra work that may arise during the year; and
  • identifies areas of risk not covered by the plan because of resource constraints.

5.29
During the year, the audit committee should review the internal auditor’s progress in carrying out the approved work programme.

Internal audit reports

5.30
The audit committee should receive regular reports in an agreed format from the internal auditor on the results of their work. The reports should include management’s response to internal audit recommendations. Responses from management should be clear and concise, and should:

  • set out whether management agrees or disagrees with the finding and recommendation, and, if it disagrees, identify the reasons why; and
  • identify the person or position responsible, and the time frame, for implementing the recommendation.

Consideration of resources

5.31
The audit committee should consider whether the internal auditor has the skills, or access to the skills, to carry out a programme of work that will meet the needs of the organisation. This consideration should include a periodic review of the model of internal audit used by the public entity. The factors that will influence the size and expertise requirements of an internal audit function include the:

  • nature of the public entity’s risk and control environment;
  • size, scale, location, and diversity of the public entity’s operations;
  • complexity, nature, and scale of information technology systems; and
  • reliance placed on the transparency of management controls as well as internal and external assurance.

Encouraging continuous improvement

5.32
The Institute of Internal Auditors’ professional standards require the internal audit function to be subject to an independent quality assessment at least once every five years.2 The audit committee should ensure that this assessment takes place and provide support for the internal auditor to implement any recommendations from the assessment. The audit committee should also ensure that enough resources are available to carry out these assessments.

Reviewing performance of the internal auditor

5.33
The audit committee should have input into the annual performance assessment of the internal auditor. The internal auditor’s performance assessment should communicate positive feedback from the audit committee and areas identified for improvement.

5.34
In addition, in order to safeguard the independence of the internal audit function, the audit committee should satisfy itself that any dismissal (or departure) of the internal auditor is based on proper and appropriate reasons.

Expectations

5.35
The audit committee should expect the internal auditor to:

  • prepare an annual internal audit plan that is clearly aligned with the risk management framework and that includes testing significant mitigating controls;
  • provide the audit committee with the annual internal audit plan for review;
  • report on progress against the audit plan for the year;
  • report issues and communicate concerns freely and frankly;
  • allocate suitably skilled individuals to internal audit assignments; and
  • continually improve the internal audit function, which includes underpinning the internal auditor’s quality improvement plans with independent quality reviews.

5.36
The internal auditor should expect the audit committee to:

  • provide direct access to the chairperson to strengthen communication;
  • provide them with the opportunity to meet with the audit committee without management present;
  • clearly communicate the audit committee’s expectations of the internal auditor;
  • provide support for adequate resources given the public entity’s assurance requirements and risk profile; and
  • provide timely feedback on performance.

Relationship with the external auditor

5.37
To have an effective relationship between the audit committee and external auditor, there needs to be an unrestricted, frank, and respectful exchange of information.

Interaction

5.38
It is essential to have open and effective dialogue, particularly about sensitive issues and emerging risks to the organisation. The audit committee should meet with the external auditor two to three times during the audit period to formally discuss the audit plan, interim audit findings, and results of the final audit. The audit committee should also invite the external auditor to attend audit committee meetings at the external auditor’s discretion.

5.39
The audit committee needs to fully understand the role and responsibilities of the external auditor in their capacity as an agent of the Auditor-General. Timely communication of significant issues between the audit committee and the auditor is therefore critical to the auditor discharging their responsibility to the Auditor-General.

5.40
We consider it good practice for the external auditor to have unrestricted access to the audit committee chairperson and the audit committee’s agenda papers and minutes. This ensures that the external auditor is fully informed in a timely way of issues affecting the public entity that may have audit risk or audit timing implications. It also endorses the concept of independence and unlimited scope, which are fundamental to the external audit.

Audit planning

5.41
The external auditor should inform the audit committee of their planned audit approach and areas of focus before any fieldwork starts. They should also inform the audit committee of particular areas of focus arising from the Auditor-General’s annual audit process and any planned performance audits or inquiry work to be conducted by the Auditor-General.

5.42
The audit committee should be made aware of any other services proposed to be carried out by the external auditor’s firm and ensure that potential conflicts of interest are appropriately managed.3

Reporting

5.43
The audit committee should obtain a comprehensive briefing from the external auditor on the results of their audit. As part of this process, the audit committee should meet with the external auditor without management present to enable the audit committee to raise issues, ask questions, and seek feedback from the auditors.

Summary of expectations

5.44
The audit committee should expect the external auditor to:

  • communicate the annual audit plan and areas of emphasis and risk;
  • communicate areas of focus identified by the Auditor-General for the annual audit;
  • communicate any planned performance audits to be conducted by the Auditor-General;
  • communicate any other services proposed to be carried out by the external auditor’s firm;
  • bring to the attention of the audit committee any difficulties during the audit;
  • report any areas of apparently questionable accounting or performance reporting identified during the audit; and
  • report any deficiencies in the internal control framework identified during the audit.

5.45
The external auditor should expect the audit committee to:

  • provide unfettered access to the audit committee chairperson and the audit committee’s agenda papers;
  • meet with the external auditor two to three times during the year and invite the external auditor to attend all audit committee meetings at the external auditor’s discretion;
  • provide access to the minutes of the audit committee;
  • promptly communicate issues and risks that may affect the audit;
  • communicate the audit committee’s expectations of the external auditor;
  • promptly advise the external auditor of any fraud or fraud investigations the audit committee is aware of; and
  • provide an opportunity to meet without management and the internal auditor present at least twice a year.

Public accountability requirements

5.46
An audit committee by its nature often considers information that is sensitive. The effective operation of an audit committee requires a free and frank flow of information and advice about these sensitive issues. For example, internal audit reports can draw attention to defects in controls and procedures, and cases of suspected fraud. Defects and suspected fraud often relate to particular business units and individual employees.

5.47
Some people we spoke to expressed concern that public accountability requirements (such as the Official Information Act 1982 and the Local Government Official Information and Meetings Act 1989) could mean that those advising the audit committee (internal or external auditors or staff) may be reluctant to raise or thoroughly discuss issues. They may be concerned about treating individuals unfairly or negatively affecting the public’s confidence in the public entity and its staff.

5.48
People raising this concern told us that this situation is not conducive to a climate of continuous improvement and can work against the principles of free and frank advice. As a result, there is a risk that the audit committee will not be able to function effectively because it may not receive all the information it should.

5.49
Audit committees need to receive full information to operate effectively, and it is also important that the Official Information Act and the Local Government Official Information and Meetings Act are complied with. Audit committees, if managed properly, should be able to discharge their functions without acting inconsistently with the intentions of these Acts. Information remains subject to the Acts whether presented to the audit committee or not.

Public attendance at audit committee meetings

5.50
Local government meetings are usually required to be open to the public, for reasons of democracy and public accountability. Under sections 2, 46, and 47 of the Local Government Official Information and Meetings Act, an audit committee is a committee of the council. Therefore, it is required to publicly notify its meetings and be open to the public. School boards of trustees and other public entities covered by the Local Government Official Information and Meetings Act are in the same position.

5.51
Section 48 of the Local Government Official Information and Meetings Act states that the public can be excluded from a meeting when particular items are discussed only where one of the specified grounds for exclusion exists (and after passing a resolution to exclude the public on that basis). Sections 6, 7, and 48 of the Local Government Official Information and Meetings Act set out the general grounds for exclusion.

5.52
From time to time, particular items for discussion may warrant excluding the public, but each such item will need to be considered carefully. This need for case-by-case consideration places an important duty on the chairperson of the audit committee to manage the meeting so that free and frank conversation can occur. The council should follow its normal procedures and criteria for assessing and deciding on public exclusion. The chief executive and other officers supporting the audit committee will be experienced in doing so.

Providing information to the public

5.53
Any public entity subject to the provisions of the Official Information Act or the Local Government Official Information and Meetings Act may need to disclose information about, or held by, its audit committee in response to a request for that information (unless any of the grounds for withholding the information apply). Each such request needs to be considered carefully, having regard to the intentions of the Acts and the specific reasons for which information may be withheld.


1: National Commission on Fraudulent Financial Reporting (1987), Report of the National Commission on Fraudulent Financial Reporting, United States of America.

2: See http://www.theiia.org/guidance/quality/.

3: The Auditor-General’s audit service providers must apply the independence principles outlined in the Auditor-General’s Statement AG – Code of Ethics: Independence in Assurance Engagements, and consult with the Office of the Auditor-General in circumstances where conflicts of interest may be perceived to arise.

Report details

Audit committees in the public sector

ISBN 978-0-478-18196-8

 
