An audit committee is responsible for working with independent auditors who review corporate financial reporting systems. Independent auditors also review internal controls used throughout the organization to ensure compliance with regulations and laws. Additionally, boards rely on the audit committee to oversee the auditing process and approve the company’s books as a part of corporate governance.
As businesses need to adapt and change rapidly, the role of the audit committee is evolving. According to Deloitte’s most recent Audit Committee Practices Report, outside of financial controls, the top three focus areas for audit committees will be cybersecurity (69%), enterprise risk management (48%), and finance and internal audit talent (37%).
Audit Committee and Board Procedures
Audit committees can cover several topics, and they generally meet once per quarter (although additional meetings can occur as needed). They are typically attended by the following individuals:
- Audit committee members
- The CEO and CFO, as well as other C-suite executives as needed
- The head of internal audit
- External auditors
- General counsel
To schedule the meetings, the audit committee can create a yearly calendar containing all required items that need to be discussed, such as:
- Earnings releases and SEC filings
- Audited financial statements
- Internal controls over financial reporting
While certain items will be discussed at every meeting during the year, agendas should include critical risks and priority areas and be flexible enough to allow time for critical discussion.
According to Protiviti, audit committee agendas in 2025 will likely include these three items:
- Confirm that the committee is receiving adequate independent assurance regarding cybersecurity vulnerabilities.
- Determine whether the organization is evaluating and capitalizing on generative artificial intelligence (GenAI) investments and opportunities responsibly.
- Consider the maturity of the organization's governance over third-party relationships.
With this ever-increasing task list, it is vital to make the best use of time. Set the agenda several weeks in advance, and distribute all meeting materials to those attending well in advance to provide adequate review time.
Executive Sessions
Even in the most transparent organizations where committee members and meeting attendees are expected to be engaged, certain topics and sensitive matters may not make it to the agenda. For these topics, executive sessions may be a better place to ensure that communication is kept open, with the right people in the room. These sessions can also serve as a “one-on-one” for external auditors looking to engage directly with senior executives.
Consider holding an executive session at every meeting so it is routine. This way, those not invited to attend the session will not speculate or be concerned.
Post-Meeting
While multiple activities take place in between meetings, two standard items are publishing the meeting minutes and undergoing a formal evaluation.
- Meeting Minutes — Publishing, reviewing and approving meeting minutes are essential aspects of ensuring that the audit committee is providing proper oversight. While the level of detail will vary from company to company, seeking advice from counsel as to what is appropriate is usually recommended. To ensure transparency, make sure that drafted minutes are distributed and approved before the next audit committee meeting.
- Evaluation — All audit committees should assess their performance regularly to ensure that they remain effective. While some committees perform a self-evaluation, others find it helpful to engage a third party. Topics may include independence, ensuring that responsibilities are understood, and reviewing interactions between committee members and auditors.
Audit Committee and Board Standards
Audit committees are subject to several regulatory standards that ensure independence, proper oversight and reporting. Regulations come from several different governing bodies, including the SEC, the New York Stock Exchange (NYSE) and the Nasdaq stock market (Nasdaq).
SEC
In 2003, the SEC issued final rules to implement the Sarbanes-Oxley Act of 2002. These rules prohibit the listing of any security of a company that does not comply with the audit committee requirements of the Sarbanes-Oxley Act. These rules include:
- Audit committee members must be independent and accept no payments from the company (other than board or committee fees).
- Independent auditors must report directly to the audit committee, which is responsible for hiring and compensation.
- The audit committee must ensure that complaints regarding accounting, internal controls and auditing matters are retained.
- The audit committee has the authority to retain outside counsel.
- Companies must provide adequate funding for their audit committee.
- Lastly, several changes were made regarding audit committee disclosures.
New York Stock Exchange (NYSE)
The New York Stock Exchange (NYSE) rules pertain only to those companies listed on the NYSE. These rules include:
- The audit committee must have a minimum of three members who are both independent and financially literate.
- All members must comply with the financial literacy requirements of the NYSE.
- If a committee member serves on more than three audit committees at the same time, the board must determine if this member is serving effectively.
NASDAQ
Similar to the NYSE rules, the Nasdaq rules apply only to companies listed on the Nasdaq. Nasdaq rules include applying the SEC and NYSE independence rules for committee members. Likewise, similar to the NYSE, all members must comply with the Nasdaq's financial literacy requirements.
In addition to the rules above, if a committee member serves on more than three audit committees simultaneously, the board must determine whether this member is serving effectively.
Audit Committee and Board Templates
There are several audit committee and board tools that any audit committee will want to have in their toolkit. Consider including the following:
Charter
Public companies are required to maintain and disclose a charter for their audit committee under SEC rules (to comply with the Sarbanes-Oxley Act) and under rules established by the New York Stock Exchange and the Nasdaq.
The audit committee charter details why the committee exists, its responsibilities and how it will fulfill its responsibilities. Generally speaking, the charter also includes the following:
- Who must serve on the board, and what expertise they provide
- Who can serve as the committee chair and how they are chosen
- All committee duties and responsibilities
- The yearly meeting schedule, including executive sessions
- The process for communication and disclosure
In addition to these aspects, consider noting responsibilities that are outside of the SEC, NYSE or Nasdaq rules.
Committee Evaluation
Although there is no specific SEC or Nasdaq requirement for evaluating the effectiveness of the audit committee (it is a NYSE listing standard), in practice, a collaborative self-assessment with board members, legal counsel and independent auditors is an opportunity to continuously shape and fine-tune the committee’s role and work.
Consider evaluating the following factors:
- The composition and structure of the committee, including qualifications, skills and independence from executive management
- Each committee member’s understanding of the business and risks that may impact the company
- The audit committee’s oversight of the financial reporting process
- The audit committee’s oversight of internal controls, the audit function, organization risk and compliance
- The communication and disclosure process
Presentations
Creating effective presentations to the audit committee is essential for the committee to perform its duties. Committee members are busy, results-orientated and proactive. It is important not to inundate committee members with too much data during the meeting; supplementary materials should be provided in advance, giving members ample opportunity to respond.
Consider including the following topics in every audit committee meeting:
- Risks — Include the current corporate risk heat map and profile, emphasizing the most recent updates in potential exposure and any remediation efforts.
- Audit Results — Provide the organization's status based on audit findings. Frame the discussion in terms of how the audit findings increase or decrease risk based on the risk areas in the current presentation.
- Effectiveness of Controls — Include the effectiveness of financial controls, corporate governance and the risk management program. Highlight any recent changes that will impact controls and how changes will be implemented and audited.
Audit Committee and Board Best Practices
Given the continuing importance and growing role of the audit committee and board within corporations, there are always ways to improve oversight practices, independence and effectiveness. Consider the following best practices:
Risk Management
Investors and regulators have become more focused on how the audit committee and board members are overseeing risk management at the enterprise level. This requires a deep understanding of how the company identifies, assesses, mitigates and manages risks. In some cases, insights and expertise will be required in specific risk areas such as cybersecurity. When tasked with risk oversight, consider asking the following questions:
- Are there controls in place right now to properly mitigate risks?
- Is there a process or program in place to continuously assess risk levels?
- Does internal audit assess the adequacy of risk management systems?
Audit Committee Culture
The audit committee's effectiveness is driven by its culture and leadership. Encourage open discussion and healthy debate. Encourage committee members to ask questions to management at all levels. Seek out members who speak their minds and listen fully.
Lastly, although the NYSE requires an annual self-assessment, corporations should engage people who seek continuous evaluation to work through any issues or bottlenecks in real time.