Audit Committee Handbook

  • 8/14/2019 Audit Committee Handbook

    ABC COMPANY

    AUDIT COMMITTEE HANDBOOK

    Table of Contents

    Introduction

    Good practice principles for Audit Committees

    Role of the Audit Committee

    Terms of Reference

    Membership, Independence, Objectivity and Understanding

    Independence

    Relationship with the Executive

    Conflicts of Interest

    Terms of Appointment

    Skills

    Additional Skills

    Training and Development

    Scope of work

    Overall Assurance

    Internal and External Audit

    Financial Reporting

    Communication

    Co-ordination between the Audit Committee and the Board of Directors

    Annual Reports

    Bilateral Communications

    Appendix A. Model Audit Committee Charter

    Appendix B. The Role of the Chairperson

    Appendix C. Committee Support

    Appendix D. Model Letter of Appointment to the Audit Committee

    Appendix E. Model of Work Programme

    Appendix F. Fraud and the Responsibilities of the Audit Committee

    Appendix G. Internal Control: A Tool for the Audit Committee

    Appendix H. Key Questions for the Audit Committee to Ask

    Appendix I. Audit Committee Competency Framework

    Appendix J. Audit Committee Self Assessment Checklist

    Appendix K. Model of Corporate Governance Questionnaire

    Appendix L. Model of Audit Committee Annual Report

    Appendix M. Model of a Whistle-blowing Policy

    Appendix N. Model Policy on Using External Auditor for Non-audit Services

    Appendix O. Model Policy on Employing Former Employees of the External Auditor

    Appendix P. Evaluation of the External Auditor

    Appendix Q. External Audit: Model of the Terms of Reference

    Appendix R. Guidelines for Hiring the Chief Audit Executive (CAE)

    Appendix S. Internal Audit: Model of the Terms of Reference

    Appendix T. Engaging Independent Counsel and Other Advisers

    Appendix U. Model of an Internal Audit Plan

    Appendix V. Model of an Internal Audit Report

    Appendix W. Evaluation of Internal Audit

    Appendix X. Self-Assessment of the Audit Committee

    Introduction

    In today's complex world, the Audit Committee can contribute tremendously to a 'no surprise' environment. An effective Audit Committee should be a key feature in a strong, effective governance culture and bring significant benefits to the Company. Carefully designed practices can also help the Audit Committee to maximise its contribution to the ABC Company.

    Developing practices which are based on robust principles - whether terms of reference, recruiting the right members, or focused agendas and rigorous processes - is fundamental in fulfilling the Audit Committee's responsibilities.

    This handbook articulates the principles underlying the role of the Audit Committee. It provides guidance to help Audit Committee members to gain a better understanding of the processes and issues that drive effective oversight of risk management, control and governance, and of economy, efficiency and effectiveness.

    The main focus of the Audit Committee's work is related to internal control matters, such as the safeguarding of assets, the maintenance of proper accounting records and the reliability of financial information.

    Today, the Audit Committee's primary role is to conclude upon the adequacy and effective operation of the ABC Company's overall internal control system.

    In performing that role the Audit Committee's work will predominantly focus upon the framework of risks, controls and related assurances that underpin the delivery of the Company's objectives (the Assurance Framework).

    As a result, the Audit Committee has a pivotal role to play in reviewing the disclosure statements that flow from the Company's assurance processes. In particular these cover the Statement on Internal Control, included in the Annual Financial Statements.

    Both of these documents should come to the Audit Committee before being submitted for approval to the Board.

    It is the responsibility of the Board of Directors to establish and maintain processes for governance. The Audit Committee independently monitors, reviews and reports to the Board of Directors on the processes of governance and, where appropriate, facilitates and supports, through its independence, the attainment of effective processes.

    We hope that this handbook will help Audit Committee members to identify and achieve their objectives and add value to governing bodies, their organisations and other stakeholders.

    Good practice principles for Audit Committees

    1. Role of the Audit Committee

    The Audit Committee shall support the Board of Directors and the Managing Director by reviewing the comprehensiveness of assurances in meeting the Board of Directors' and Managing Director's assurance needs, and reviewing the reliability and integrity of these assurances.

    2. Membership, Independence, Objectivity and Understanding

    The Audit Committee shall be independent and objective; in addition each member shall have a good understanding of the objectives and priorities of the organisation and of their role as the Audit Committee member.

    3. Skills

    The Audit Committee shall corporately own appropriate skills to allow it to carry out its overall function.

    4. Scope of Work

    The scope of the Audit Committee's work shall be defined in its Terms of Reference, and encompass all the assurance needs of the Board of Directors and the Managing Director. Within this, the Audit Committee shall have particular engagement with the work of Internal Audit, the work of the External Auditor, and Financial Reporting issues.

    5. Communication

    The Audit Committee shall ensure it has effective communication with the Board of Directors, the Chief Audit Executive, the External Auditor, and other stakeholders.

    In addition, the role of the Chairperson and provision of appropriate secretariat support are important elements in achieving Audit Committee effectiveness.

    The Chairperson of the Audit Committee has particular responsibility for ensuring that the work of the Audit Committee is effective, that the Audit Committee is appropriately resourced, and is maintaining effective communication with stakeholders.

    The Audit Committee shall be provided with appropriate secretariat support to enable it to be effective. This is more than a minute taking function - it involves providing pro-active support for the work of the Audit Committee and helping its members to be effective in their role.

    Role of the Audit Committee

    Terms of Reference

    The Audit Committee shall be given formal Terms of Reference by the Board of Directors. These shall be reviewed regularly and in turn shall require the Audit Committee to regularly review its own effectiveness.

    The Audit Committee shall have appropriate authority to require any member of the organisation either to:

    Attend the Audit Committee meeting; or

    Provide written report(s) to the Audit Committee for the purpose of providing information to assist the Audit Committee in fulfilling its role of advising the Board of Directors.

    The Audit Committee will require access to funding to cover the costs incurred in fulfilling its role. The funding shall be sufficient to:

    Adequately meet the remuneration and working expenses of its members;

    Adequately meet the relevant training needs of its members;

    Provide specialist (external) advice or opinions when required; and

    (If agreed as appropriate in the organisation) provide external review of the effectiveness of the Audit Committee.

    Membership, Independence, Objectivity and Understanding

    Independence

    An effective Audit Committee must have members who are both independent and objective. It is good practice, so far as possible, for Audit Committee members to be independent non-executive Board members.

    However, many organisations will not have sufficient independent non-executive Board members who are also willing to serve as Audit Committee members to provide sufficient numbers or skills for the Audit Committee.

    When there are insufficient non-executive Board members to form the Audit Committee, independent external members need to be appointed. These members will be appointed to the Audit Committee but not to the Board of Directors.

    They will often be chosen because of particular skills or experience that they hold which will be beneficial to the Audit Committee. They may be remunerated at an appropriate rate for the time and effort they are expected to contribute.

    As Audit Committee membership will be the only contact they have with the organisation, such members will have to make particular efforts to obtain and maintain appropriate understanding of the organisation, which is vital if they are to make a meaningful contribution to the Audit Committee's considerations. In this respect, appropriate induction training is critical, as is an ongoing programme of activity to ensure the member maintains sufficient appropriate contact with the organisation.

    Relationship with the Executive

    Executive members of the organisation shall not be appointed to the Audit Committee. The role of the Executive is to attend, to provide information, and to participate in discussions, either for the whole duration of a meeting or for particular agenda items.

    The Managing Director and the Chief Financial Officer shall routinely attend the Audit Committee. It is also normal for the Chief Audit Executive and a representative of the External Auditor to attend. However, the Terms of Reference should provide for the Audit Committee to sit privately without any non-members present for all or part of a meeting if they so decide.

    Conflicts of Interest

    Normally the process for recording declarations of conflicts of interests in the Audit Committee shall mirror the processes used at Board level. Each member of the Audit Committee shall take personal responsibility to pro-actively declare any potential conflict of interest arising out of business arising on the Audit Committee's agenda or from changes in the member's personal circumstances. The Chairperson of the Audit Committee shall then determine an appropriate course of action with the member. For example, the member might simply be asked to leave while a particular item of business is taken; or in more extreme cases the member could be asked to leave the Audit Committee.

    If it is the Chairperson who has a conflict of interest, the Board of Directors shall ask another member of the Audit Committee to lead in determining the appropriate course of action. A key factor in determining the course of action will be the likely duration of the conflict of interest: a conflict likely to endure for a long time is more likely to suggest that the member should leave.

    Terms of Appointment

    All members of Audit Committees shall have a clear understanding of:

    What is expected of them in their role, including time commitments;

    How their individual performance will be appraised, including a clear understanding of what would be regarded as unsatisfactory performance and the criteria which would indicate that the termination of Audit Committee membership shall be considered; and

    The duration of their appointment and how often it may be renewed.

    The terms of appointment of the Audit Committee member shall be clearly set out at the time of appointment in a Letter of Appointment. The letter shall also specify what other activities the individual may or may not undertake in relation to the organisation. The impact on independence of further remuneration from other activities shall be given careful consideration.

    Skills

    The Audit Committee is charged with ensuring that the Board of Directors and Managing Director of the organisation gain the assurance they need on risk management, governance and internal control. So, it needs a range of skills and experience relevant to various aspects of risk, governance and control.

    Because of the importance of financial management and financial reporting to every organisation, at least one member of the Audit Committee shall have recent and relevant financial experience. This experience shall be sufficient to allow them to competently engage with financial management and reporting in the organisation, and associated assurances.

    The Audit Committee shall identify, and agree with the Board of Directors, the other skills required for Committee effectiveness. These identified skills shall inform the choice of members of the Audit Committee. The required skill set shall be periodically reviewed.

    Additional Skills

    The Audit Committee shall be empowered to either:

    Co-opt members for a period of time (not exceeding a year, and with the approval of the Board of Directors) to provide specialist skills, knowledge and experience which the Audit Committee needs at a particular time; or

    Procure specialist advice at the expense of the organisation on an ad-hoc basis to support them in relation to particular pieces of Committee business. Budgets for such procurement shall be approved by the Board of Directors.

    Training and Development

    All Audit Committee members, whatever their status or background, will have training and development needs. Those who have recently joined the Audit Committee will need induction training, either to help them understand their role; or if they have Audit Committee experience elsewhere, to help them understand the organisation.

    Scope of work

    Overall Assurance

    In most organisations there are a number of sources of assurance, both internal and external, sometimes primarily intended for the benefit of the organisation and sometimes primarily intended for the benefit of other stakeholders.

    The Board of Directors' and Managing Director's assurance needs are largely met by evaluating the various sources of assurance (or gaps in sources of assurance), testing and determining their reliability, and then forming an overall view on the state of risk management, governance and internal control (which is especially important in supporting the Statement on Internal Control).

    Overall assurance of this kind is unlikely to be capable of expression in a single phrase, sentence or indicator because it is highly unlikely that all risk will be equally managed. Rather, the overall view may draw attention to areas where:

    Risk is being appropriately managed (no action is needed);

    Risk is inadequately controlled (action is needed to improve control);

    Risk is over controlled (resource is wasted which could be diverted to other use);

    There is lack of evidence to support a conclusion - and if this concerns areas material to the operations of the organisation more audit and/or assurance work will need to be done.

    Internal and External Audit

    The work of Internal Audit is carried out primarily for the benefit of the Board of Directors and Managing Director of the organisation. Although the work of the External Auditor is normally primarily conducted for the benefit of shareholders, it is still of significant benefit to the organisation as well.

    The work of Internal Audit is likely to be the single most significant resource used by the Audit Committee in discharging its responsibilities. This is because the Chief Audit Executive, in accordance with Generally Accepted Auditing Standards, has a responsibility to submit an annual opinion on the overall adequacy and effectiveness of the organisation's risk management, control and governance processes. There is consequently a major synergy between the purpose of the Chief Audit Executive and the role of the Audit Committee.

    The role of the Audit Committee in relation to Internal Audit shall include advising the Board of Directors and Managing Director on:

    The Audit Strategy and periodic Audit Plans, forming a view on how well they support the Chief Audit Executive's responsibility to provide an annual opinion on the overall adequacy and effectiveness of the Company's risk management, control and governance processes.

    The results of Internal Audit work, and management response to issues raised by that work.

    The resourcing of Internal Audit.

    The Terms of Reference (or equivalent) for Internal Audit.

    Whilst the work of the External Auditor is not primarily conducted for the benefit of the Company or its Audit Committee, the Audit Committee shall nevertheless engage with the activity of the External Auditor. As well as considering the results of external audit work, they shall enquire about and consider the External Auditor's planned approach and the way in which the External Auditor is co-operating with Internal Audit to maximise overall audit efficiency, capture opportunities to derive a greater level of assurance and minimise unnecessary duplication of work.

    Financial Reporting

    The Audit Committee will not itself be able to review the accounts in detail in order to advise the Managing Director whether they are true and fair. In reaching a view on the accounts, the Audit Committee shall consider:

    Key accounting policies and disclosures;

    Assurances about the financial systems which provide the figures for the accounts;

    The quality of the control arrangements over the preparation of the accounts by the Chief Financial Officer;

    Key judgements made in preparing the accounts;

    Any disputes arising between those responsible for preparing the accounts and the Auditor.

    Communication

    Co-ordination between the Audit Committee and the Board of Directors

    The work of the Audit Committee needs to be effectively communicated if it is to be effective.

    After each meeting of the Audit Committee a report shall be prepared for the Board of Directors and Managing Director to:

    Summarise the business taken by the Audit Committee, explaining if necessary why that business was regarded as important; and

    Offer the views and advice from the Audit Committee on issues on which they consider the Board of Directors or Managing Director should be taking action.

    If the minutes of the Audit Committee meeting are used as the report, care shall be taken in their presentation to highlight the advice being provided. These reports shall normally be copied to the Chief Audit Executive and to the External Auditor (especially if the report contains advice about or to the Auditor).

    Annual Reports

    The Audit Committee shall also provide an Annual Report, timed to support preparation of the Statement on Internal Control. This internal report needs to be open and honest in presenting the Audit Committee's views if it is to be of real benefit to the Board of Directors and Managing Director.

    The Annual Report shall summarise the Audit Committee's work for the year past, and present the Audit Committee's opinion about:

    The comprehensiveness of assurances in meeting the Board of Directors' and Managing Director's needs;

    The reliability and integrity of these assurances;

    Whether the assurances available are sufficient to support the Board of Directors and the Managing Director in their decision-taking and their accountability obligations;

    The implication of these assurances for the overall management of risk;

    Any issues that the Audit Committee considers pertinent to the Statement on Internal Control and any long term issues that the Audit Committee thinks the Board of Directors and/or Managing Director should give attention to;

    Financial reporting for the year;

    The quality of both Internal and External Audit and their approach to their responsibilities; and

    The Audit Committee's view of its own effectiveness, including advice on ways in which it considers it needs to be strengthened or developed.

    Bilateral Communications

    There shall be mutual rights of access among each of the Chairperson of the Audit Committee, the Managing Director, the Chief Audit Executive, and the External Auditor. Whether or not that right of access is exercised, there shall be an annual bilateral meeting between the Chairperson of the Audit Committee and each of these parties to ensure that there is clear understanding of expectations and mutual understanding of current issues.

    Appendix A. Model Audit Committee Charter

    Purpose

    To assist the Board of Directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company's process for monitoring compliance with laws and regulations and the Code of Conduct.

    Authority

    The Audit Committee has authority to conduct or authorise investigations into any matters within its scope of responsibility. It is empowered to:

    Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organisation.

    Resolve any disagreements between management and the Auditor regarding financial reporting.

    Pre-approve all auditing and non-audit services.

    Retain outside counsel, accountants, or others to advise the Audit Committee or assist in the conduct of an investigation.

    Seek any information it requires from employees - all of whom are directed to cooperate with the Audit Committee's requests - or external parties.

    Meet with company officers, External Auditor, or outside counsel, as necessary.

    Composition

    The Audit Committee shall consist of at least three and no more than six members. The Board of Directors or its nominating Committee shall appoint Committee members and the Chairperson of the Audit Committee.

    Each Committee member shall be both independent and financially literate. At least one member shall be designated as the "financial expert," as defined by applicable legislation and regulation.

    Meetings

    The Audit Committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All Committee members are expected to attend each meeting. The Audit Committee will invite members of management, Auditor or others to attend meetings and provide pertinent information, as necessary. It will hold private meetings with Auditor (see below) and executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. Minutes will be prepared.

    Responsibilities

    The Audit Committee will carry out the following responsibilities:

    Financial Statements

    Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements.

    Review with management and the External Auditor the results of the audit, including any difficulties encountered.

    Review the annual financial statements, and consider whether they are complete, consistent with information known to Committee members, and reflect appropriate accounting principles.

    Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information.

    Review with management and the External Auditor all matters required to be communicated to the Audit Committee under Generally Accepted Auditing Standards.

    Understand how management develops interim financial information, and the nature and extent of internal and External Auditor involvement.

    Review interim financial reports with management and the External Auditor before filing with regulators, and consider whether they are complete and consistent with the information known to Committee members.

    Internal Control

    Consider the effectiveness of the company's internal control system, including information technology security and control.

    Understand the scope of Internal and External Auditors' review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management's responses.

    Internal Audit

    Review with management and the Chief Audit Executive the charter, activities, staffing, and organisational structure of the Internal Audit function.

    Have final authority to review and approve the annual audit plan and all major changes to the plan.

    Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the Chief Audit Executive.

    At least once per year, review the performance of the CAE and concur with the annual compensation and salary adjustment.

    Review the effectiveness of the Internal Audit function, including compliance with Generally Accepted Auditing Standards.

    On a regular basis, meet separately with the Chief Audit Executive to discuss any matters that the Audit Committee or Internal Audit believe should be discussed privately.

    External Audit

    Review the External Auditor's proposed audit scope and approach, including coordination of audit effort with Internal Audit.

    Review the performance of the External Auditor, and exercise final approval on the appointment or discharge of the Auditor.

    Review and confirm the independence of the External Auditor by obtaining statements from the Auditor on relationships between the Auditor and the company, including non-audit services, and discussing the relationships with the Auditor.

    On a regular basis, meet separately with the External Auditor to discuss any matters that the Audit Committee or the Auditor believe should be discussed privately.

    Compliance

    Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management's investigation and follow-up (including disciplinary action) of any instances of non-compliance.

    Review the findings of any examinations by regulatory agencies, and any Auditor observations.

    Review the process for communicating the Code of Conduct to company personnel, and for monitoring compliance therewith.

    Obtain regular updates from management and company legal counsel regarding compliance matters.

    Reporting Responsibilities

    Regularly report to the Board of Directors about Committee activities, issues, and related recommendations.

    Provide an open avenue of communication between Internal Audit, the External Auditor, and the Board of Directors.

    Report annually to the shareholders, describing the Audit Committee's composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services.

    Review any other reports the Company issues that relate to Committee responsibilities.

    Other Responsibilities

    Perform other activities related to this charter as requested by the Board of Directors.

    Institute and oversee special investigations as needed.

    Review and assess the adequacy of the Audit Committee charter annually, requesting Board approval for proposed changes, and ensure appropriate disclosure as may be required by law or regulation.

    Confirm annually that all responsibilities outlined in this charter have been carried out.

    Evaluate the Audit Committee's and individual members' performance on a regular basis.


    Appendix B. The Role of the Chairperson

    The role of the Chairperson of the Audit Committee goes a good deal beyond chairing meetings.

    Indeed it is the key to achieving Committee effectiveness. The additional workload should be taken into account when appointing the Chairperson.

    Exactly how a particular Chairperson manages the Audit Committee will vary depending on the character of the individual and the needs of the specific organisation.

    Key activities beyond Committee meetings shall include the following:

    Agenda Setting

    Before each meeting the Chairperson and the Audit Committee Secretary shall meet to discuss and agree the business for the meeting. The Chairperson shall take ownership of, and have final say in, the decisions about what business will be pursued at any particular meeting.

    Communication

    The Chairperson shall ensure that after each meeting appropriate reports are prepared from the Audit Committee to the Board of Directors and to the Managing Director.

    The Chairperson shall ensure that the Audit Committee provides a suitable Annual Report to the Board of Directors.

    The Chairperson shall have bilateral meetings at least annually with the Managing Director, the Chief Audit Executive and the External Auditor, and with the Chairperson of the Board of Directors. In addition, the Chairperson shall meet any people newly appointed to these positions as soon as practicable after their appointment.

    The Chairperson shall also ensure that all Committee members have an appropriate programme of interface with the organisation and its activities to help them understand the organisation, its objectives, business needs and priorities.

    Monitoring actions

    The Chairperson shall ensure that there is an appropriate process between meetings for action points arising from Committee business to be appropriately pursued.

    The Chairperson shall also ensure that members who have missed a meeting are appropriately briefed on the business conducted in their absence. The Chairperson may choose to rely on the Secretariat to take these actions.


    Appraisal

    The Chairperson shall take the lead in ensuring that Committee members are provided with appropriate appraisal of their performance as a Committee member and that training needs are identified and addressed.

    The Chairperson shall themselves seek appraisal of their performance from the Managing Director (or Chairperson of the Board of Directors), as appropriate.

    The Chairperson shall ensure that there is a periodic review of the overall effectiveness of the Audit Committee and of its Terms of Reference.

    Appointments

    The Chairperson shall be involved in the appointment of new Committee members, including providing advice on the skills and experience being sought by the Audit Committee when a new member is appointed.


    Appendix C. Committee Support

    The secretariat shall be able to support the Chairperson of the Audit Committee in identifying business to be taken, and the relevant priorities of the business. For this reason, and as the Audit Committee is a committee of the Board of Directors, the Audit Committee Secretariat function shall be supervised by the Board of Directors secretariat. The Chairperson of the Audit Committee and the secretariat shall agree procedures for commissioning briefing to accompany business items on the Audit Committee's agenda and timetables for the issue of meeting notices, agendas, and minutes.

    The Chairperson of the Audit Committee shall always review and approve minutes of meetings before they are circulated.

    The specific responsibilities of the Audit Committee Secretariat shall include:

    Meeting with the Chairperson of the Audit Committee to prepare agendas for meetings;

    Commissioning papers as necessary to support agenda items;

    Circulating meeting documents in good time before each meeting;

    Arranging for executives to be available as necessary to discuss specific agenda items with the Audit Committee during meetings;

    Keeping a record of meetings and providing draft minutes for the Chairperson's approval;

    Ensuring action points are being taken forward between meetings;

    Supporting the Chairperson in the preparation of Audit Committee reports to the Board of Directors;

    Arranging the Chairperson's bilateral meetings with the Managing Director, the Chief Audit Executive and the External Auditor, and with the Chairperson of the Board of Directors;

    Keeping the Chairperson and Committee members in touch with developments and relevant background information about developments in the organisation;

    Maintaining a record of when members' terms of appointment are due for renewal or termination;

    Ensuring that appropriate appointment processes are initiated when required;

    Ensuring that new members receive appropriate induction training, and that all members are supported in identifying and participating in ongoing training;

    Managing budgets allocated to the Audit Committee.

    Careful consideration shall be given to ensuring that the Audit Committee Secretariat function is not biased. If the function is provided by Internal Audit there may be a risk of bias towards Internal Audit interests. On the other hand, there is merit in ensuring the secretariat is independent of pressure from senior management, as could happen if the Board of Directors Secretariat also supports the Audit Committee.

    When the Audit Committee decides to meet privately, the Chairperson shall decide whether the secretariat members should also withdraw. If so, the Chairperson shall ensure that an adequate note of proceedings is kept to support the Audit Committee's conclusions and advice.


    Appendix D. Model Letter of Appointment to the Audit Committee

    (Date)

    Dear (Name of Committee Member)

    You are hereby appointed by the Board of Directors as a member of the Audit Committee of (organisation). As a member of the Audit Committee you are accountable to the Board of Directors through the Chairperson of the Audit Committee. Your appointment is for (number) years from (date). This appointment may be renewed (number) times (by mutual agreement) after the duration of this appointment.

    The Audit Committee is a Committee of the Board of Directors of (organisation) and the purpose of the Audit Committee is to:

    Review the comprehensiveness of assurances in meeting the Board of Directors' and Managing Director's assurance needs;

    Review the reliability and integrity of these assurances;

    Advise the Board of Directors and the Managing Director about how well assurances consequently support them in decision taking and in discharging their accountability obligations.

    A copy of the Audit Committee's Terms of Reference is enclosed.

    The Audit Committee is chaired by (name) and the other members are (names). (It is recommended that the new member be provided with a list of their contact details.)

    Support and Training

    The Secretary of the Audit Committee is (name / contact details) and they will shortly be in touch with you to discuss and arrange appropriate induction training.

    To help you understand the governance arrangements and the role of Audit Committees, a copy of the Audit Committee Handbook is enclosed with this letter of appointment.

    Commitment and Remuneration

    Your duties as the Audit Committee member are expected to typically take (number) days per annum, including time to read papers in preparation for meetings and a programme of activity to keep you in touch with the organisation's activities and priorities. The Audit Committee normally meets (number) times each year, but additional meetings may be required from time to time. Your remuneration will be (include details of amount and means by which it will be paid).

    Conflicts of Interest


    If during your period of appointment to the Audit Committee your personal circumstances change in any way that may provide a conflict of interest for you in your Audit Committee role, you must declare the circumstances to the Chairperson of the Audit Committee.

    Appraisal

    As a member of the Audit Committee you will be subject to appraisal by the Chairperson of the Audit Committee (include brief details of the appraisal process).

    Termination

    If you choose to resign from this appointment you will be expected to give (number) months' notice, unless your circumstances have changed in a way that makes it appropriate for you to resign immediately. If your performance as the Audit Committee member is decided to be unacceptable (see appraisal) or if your conduct (including conflicts of interests) is unacceptable your appointment may be terminated by the Board of Directors.


    Appendix E. Model of Work Programme

    Spring Meeting

    Comment on the accounts for the year just finished prior to their finalisation and submission for audit;

    Advise on the content of the Statement on Internal Control for the year just finished, to be presented alongside the finalised accounts;

    Review Internal Audit's finalised periodic work plan for the financial year just begun.

    Agree the Audit Committee's annual report to the Board of Directors and Managing Director.

    Summer Meeting

    Review and consider the accounts;

    Consider (emerging) External Auditor's opinion for the financial year just finished and advise the Managing Director on signing the accounts and the Statement on Internal Control (SIC);

    Consider Internal Audit opinion for the financial year just finished;

    Discuss the implications of the result of the Managing Director's review of effectiveness of the system of internal control in relation to the Statement on Internal Control;

    Some Audit Committees choose to have an additional meeting timed to deal with no business other than the pre-recess finalisation of the accounts.

    Autumn Meeting

    Consider mid-year report on emerging findings from Internal Audit;

    Consider the External Auditor's management letter for the previous year, any emerging findings from the current interim / in-year work of the External Auditor, and External Auditor's approach to their work;

    Consider the External Auditor's strategy proposed in respect of the current year's accounts;

    Consider any residual actions arising from the previous year's work of both internal and external audit.

    Winter Meeting

    Advise on the Internal Audit strategy and the periodic work plan for the beginning of the new financial year;


    Consider areas in which the Audit Committee will particularly promote cooperation between External Auditor and other review bodies in the coming year;

    Re-visit emerging findings from the External Auditor and review actions in response to the External Auditor's management letter;

    Consider the Audit Committee's own effectiveness in its work.


    Appendix F. Fraud and the Responsibilities of the Audit Committee

    The Audit Committee shall take an active role in the prevention and deterrence of fraud, as well as an effective ethics and compliance program. The Audit Committee shall constantly challenge management and the External Auditor to ensure that the organisation has appropriate antifraud programs and controls in place to identify potential fraud and to ensure that investigations are undertaken if fraud is detected. The Audit Committee shall take an interest in ensuring that appropriate action is taken against known perpetrators of fraud.

    This document is intended to make Audit Committee members aware of their responsibilities as they undertake this important role. It highlights areas of corporate activity that may require additional scrutiny by the Audit Committee.

    Definition and Categories of Fraud

    An understanding of fraud is essential for the Audit Committee to carry out its responsibilities.

    The term fraud may be defined as:

    An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . . A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.

    The Audit Committee also needs to be aware that fraud affecting the organisation often falls within one of three categories:

    Management fraud, which involves senior management's intentional misrepresentation of financial statements, or theft or improper use of company resources.

    Employee fraud, which involves non-senior employee theft or improper use of company resources.

    External fraud, which involves theft or improper use of resources by people who are neither management nor employees of the firm.


    This categorisation of fraud is useful, but not absolute. Middle management employees may intentionally misrepresent financial statement transactions, for example, to improve their apparent performance, or outside individuals may collude with company management or employees.

    Role of the Audit Committee in the Prevention, Deterrence, Investigation, and Discovery or Detection of Fraud

    The members of the Audit Committee should understand their role of ensuring that the organisation has antifraud programs and controls in place to help prevent fraud, and aid in its discovery if it does occur, to properly fulfil their fiduciary duties of:

    Monitoring the financial reporting process

    Overseeing the internal control system

    Overseeing the Internal Audit and the External Auditor, and

    Reporting findings to the Board of Directors.

    The Audit Committee should ensure that the organisation has implemented an effective ethics and compliance program, and that it is periodically tested. Since the occurrence of significant frauds can frequently be attributed to an override of internal controls, the Audit Committee plays an important role to ensure that internal controls address the appropriate risk areas and are functioning as designed.

    Internal Audit and the External Auditor can serve a vital role in aiding in fraud prevention and deterrence. Internal Audit staff and External Auditor staff who are experienced and trained in fraud prevention and deterrence can help to provide assurance that:

    Risks are effectively identified and monitored;

    Organisational processes are effectively controlled and tested periodically; and

    Appropriate follow-up action is taken to address control weaknesses.

    The Audit Committee needs to ensure that Internal Audit and the External Auditor are carrying out their responsibilities in connection with potential fraud.

    When Fraud Is Discovered

    Fraud can be discovered through many sources, namely, Internal Audit or the External Auditor, accounting consultants, employees, suppliers, and others. Establishing a confidential hotline can also be an important source of information leading to fraud discovery, as part of an organisation's overall ethics, compliance, and fraud prevention program.

    If fraud or improprieties are asserted or discovered, the Audit Committee - through the External Auditor, Internal Audit, or accounting consultants, as appropriate - should investigate, and, if necessary, retain legal counsel to assert claims on the organisation's behalf.

    If fraud is discovered, or there is a reasonable basis to believe that fraud may have occurred, the Audit Committee is responsible for ensuring that an investigation is undertaken. Criteria should be in place describing the Audit Committee's level of involvement, based on the severity of the offense. Most Audit Committee members will also want to obtain information about all violations of the law and the organisation's policies.

    Conclusion

    Audit Committees are required to play a pivotal role in the prevention and deterrence of fraud, and to take appropriate action in the discovery of fraud. Independent accountants, hired by the Audit Committee and Internal Audit will continue to play an important part in the process.


    Appendix G. Internal Control: A Tool for the Audit Committee

    Internal control over financial reporting has always been a major area in the governance of an organisation, and this importance has been magnified in recent years. This document is intended to give Audit Committee members basic information about internal control to understand what it is, what it is not, how it can be used most effectively in the organisation, and the requirements of management with respect to the system of internal control over financial reporting. Note that the primary responsibility of the Audit Committee with respect to internal control is the system of internal control over financial reporting.

    Basics of Internal Control

    In 1992, the Audit Committee of Sponsoring Organisations (COSO) 1 of the National Commission on Fraudulent Financial Reporting (also known as the Treadway Commission) published a document called Internal Control - Integrated Framework, 2 which defined internal control as a process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:

    1. Effectiveness and efficiency of operations

    2. Reliability of financial reporting, and

    3. Compliance with applicable laws and regulations

    Internal control can be judged as effective in each of these categories if the Board of Directors and management have reasonable assurance that:

    1. They understand the extent to which the entity's operations objectives are being achieved.

    2. Published financial statements are being prepared reliably.

    3. Applicable laws and regulations are being complied with.

    The COSO Framework went on to say that internal control consists of five interrelated components as follows:

    1. Control environment. Sometimes referred to as the "tone at the top" of the organisation, meaning the integrity, ethical values and competence of the entity's people, management's philosophy and operating style, the way management assigns authority and responsibility, organises and develops its people, and the attention and direction provided by the Board of Directors. It is the foundation for all other components of internal control, providing discipline and structure.

    1 The Audit Committee of Sponsoring Organisations consists of the American Institute of CPAs (AICPA), the Institute of Management Accountants (IMA), the Institute of Internal Auditors (IIA), Financial Executives International (FEI), and the American Accounting Association (AAA).

    2 The COSO publication Internal Control - Integrated Framework (Product Code Number 990012), may be purchased through the AICPA store.


    2. Risk assessment. The identification and analysis of relevant risks to achieve the objectives which form the basis to determine how risks should be managed. This component should address the risks, both internal and external, that must be assessed. Before conducting a risk assessment, objectives must be set and linked at different levels.

    3. Control activities. Policies and procedures that help ensure that management directives are carried out. Control activities occur throughout the organisation at all levels in all functions. These include activities like approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

    4. Information and communication. Addresses the need in the organisation to identify, capture and communicate information to the right people to enable them to carry out their responsibilities. Information systems within the organisation are key to this element of internal control. Internal information, as well as external events, activities and conditions must be communicated to enable management to make informed business decisions and for external reporting purposes.

    5. Monitoring. The internal control system must be monitored by management and others in the organisation. This is the framework element that is associated with the Internal Audit function in the company, as well as other means of monitoring such as general management activities and supervisory activities. It is important that internal control deficiencies be reported upstream, and that serious deficiencies are reported to top management and the Board of Directors.

    These five components are linked together and form an integrated system that should react dynamically to changing conditions. The internal control system is intertwined with the organisation's operating activities, and is most effective when controls are built into the organisation's infrastructure, becoming part of the very essence of the organisation.

    An effective internal control structure can actually be part of the competitive advantage of the organisation.

    Key Terms in Internal Control

    There are a few terms that you will hear frequently when discussing internal control, and these are identified and described as follows:

    Reportable condition. Has the same meaning as the term "significant deficiency." These two terms are used to define a significant deficiency in the design or operation of internal control that could adversely affect a company's ability to record, process, summarise and report financial data consistent with the assertions of management in the organisation's financial statements. An aggregation of significant deficiencies could constitute a material weakness.

    Material weakness. Defined in the auditing literature as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned duties.

    Compensating controls. Some organisations, by virtue of their size, are not able to implement basic controls such as segregation of duties. This apparent lack of control should be overcome through other controls, which should be expected to be more rigorous in this situation than in a situation where the basic control exists. This compensating control could be a permanent part of the control system, or just temporary if a basic control is not able to function for some period of time.

    What Internal Control Cannot Do

    As important as an internal control structure is to an organisation, an effective system is not a guarantee that the organisation will be successful. An effective internal control structure will keep the right people informed about the organisation's progress (or lack of progress) in achieving its objectives, but it cannot turn a poor manager into a good one. Internal control cannot ensure success, or even survival.

    Internal control is not an absolute assurance to management and to the Board of Directors about the organisation's achievement of its objectives. It can only provide reasonable assurance, due to limitations inherent in all internal control systems. For example, breakdowns in the internal control structure can occur due to simple error or mistake, as well as faulty judgments that could be made at any level of management. In addition, controls can be circumvented by collusion or by management override. Finally, the design of the internal control system is a function of the resources available, meaning that there must be a cost-benefit analysis in the design of the system.

    Roles and Responsibilities

    Everyone in the organisation has some role to play in the organisation's internal control system.

    In a public company, the CFO and CEO are required to certify that they (among other things):

    Are responsible for establishing and maintaining internal controls;

    Have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to the CFO and CEO by others within those entities, particularly during the period in which the periodic reports are being prepared;

    Have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report; and

    Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

    Have disclosed to the company's External Auditor and the Audit Committee (a) all significant deficiencies in the design or operation of internal control which could adversely affect the company's ability to record, process, summarise, and report financial data and have identified for the company's External Auditor any material weaknesses in internal control; and (b) any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal controls; and

    Have indicated in their report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

    CEO. The CEO has ultimate responsibility and ownership of the internal control system. The individual in this role sets the "tone at the top" that affects the integrity and ethics and other factors that create the positive control environment needed for the internal control system to thrive. Aside from setting the tone at the top, much of the day-to-day operation of the control system is delegated to other senior managers in the company, under the leadership of the CEO.

    CFO. Much of the internal control structure flows through the accounting and finance area of the organisation under the leadership of the CFO. In particular, controls over financial reporting fall within the domain of the Chief Financial Officer. The Audit Committee should use interactions with the CFO, and others, as a basis for their comfort level on the internal control over financial reporting.

    This is not intended to suggest that the CFO must provide the Audit Committee with a level of assurance regarding the system of internal control over financial reporting. Rather, through interactions with the CFO and others, the Audit Committee should get a "gut feeling" about the completeness, accuracy, validity and maintenance of the system of internal control over financial reporting.

    Controller. Much of the basics of the control system come under the domain of this position. It is key that the Controller understands the need for the internal control system, is committed to the system, and communicates the importance of the system to all people in the accounting organisation. Further, the Controller must demonstrate respect for the system through his or her actions.

    Internal Audit. A main role for the Internal Audit team is to evaluate the effectiveness of the internal control system and contribute to its ongoing effectiveness. With Internal Audit reporting directly to the Audit Committee of the Board of Directors and/or the most senior levels of management, it is often this function that plays a significant role in monitoring the internal control system.

    Board of Directors/Audit Committee. A strong, active Board is necessary. This is particularly important when the organisation is controlled by an executive or management team with tight reins over the organisation and the people within the organisation. The Board should recognise that its scope of oversight of the internal control system applies to all three major areas of control: over operations, over compliance with laws and regulations, and over financial reporting. The Audit Committee is the Board's first line of defence with respect to the system of internal control over financial reporting.

    All Other Personnel. The internal control system is only as effective as the employees throughout the organisation that must comply with it. Employees throughout the organisation should understand their role in internal control and the importance of supporting the system through their own actions and encouraging respect for the system by their colleagues throughout the organisation.

    Compensating Controls

    It is important to realise that both the design of and compliance with the internal control system are important. The Audit Committee should be tuned-in to the tone-at-the-top of the organisation as a first indicator of the functioning of the internal control system.

    In addition, the Audit Committee should realise that the system of internal control should be scaled to the organisation. Some organisations will be so small, for example, that they will not be able to have appropriate segregation of duties. The message here is that the lack of segregation of duties is not automatically a material weakness, or even a reportable condition, depending on the compensating controls that are in place.

    For example, suppose a company's accounting department is so small that it is not possible to segregate duties between the person that does the accounts payable, and the person that reconciles the bank statements. In this case, it is one and the same person, so the implication is that there are no checks and balances on the accounts payable person, who could be writing cheques to a personal account, then passing on them during the bank reconciliation process (that is, there is no one to raise the red flag that personal cheques are being written on the company account).

    Compensating controls could make up for this apparent breach in the internal control system.

    Here are some examples of compensating controls in this situation:

    All cheques are hand signed by officers of the company, rather than using a signature plate that is in the control of the person that prepared the cheques.

    The bank reconciliation may be reviewed by the person's manager.

    A periodic report of all cheques that are cleared at the bank could be prepared by the bank and forwarded to an officer of the company for review.

    The Audit Committee should be aware of situations like this, and be prepared to ask questions and evaluate the answers when an obvious breach in internal control surfaces.

    Management Override of Controls

    Another area that the Audit Committee needs to focus on is the ability of management to override internal controls over financial reporting to perpetrate a fraud. Examples of techniques used by management in overriding internal controls over the financial reporting function include:

    Back dating sales documents to a prior period;

    Making adjusting entries during the financial reporting closing process; or

    Reclassifying items improperly between the income statement and the balance sheet.


    Some of these override techniques were used in some accounting scandals and have gained substantial notoriety.

    The Audit Committee has the responsibility to help prevent or deter a management override of controls. It is important for the Audit Committee to understand that there is a system to uncover an override, as well as follow-up to determine its appropriateness. Questions about management override, and the controls over management override, as well as audit steps to detect if a management override has occurred, should be addressed to the CEO, CFO, CAE, and External Auditor during the respective executive sessions with the Audit Committee.

    Conclusion

    This document should have given you a sense of what people mean when they refer to internal control. The concepts are not complex, but sometimes the application of internal control can be a challenge in an organisation, depending on its size and the corporate culture.

    However, it is vitally important to design the system of internal control to achieve the objectives of:

    Effectiveness and efficiency of operations;

    Reliability of financial reporting; and

    Compliance with applicable laws and regulations.

    Internal Control Questionnaire

    This questionnaire focuses on the five interrelated components of an internal control system, as described in the COSO Internal Control - Integrated Framework 3 publication.

    The Audit Committee's role in the internal control structure of the Company focuses on internal controls over financial reporting and the various systems (human resources, computing, and other) available to support that process, and this document is created to facilitate that role. The Audit Committee needs to be assured that the controls are in place and operating effectively.

    This can be achieved through the Audit Committee's interaction with senior management, External Auditor, Internal Audit, and other key members of the financial management team.

    Instructions for Using this Document

    This questionnaire is created around the five interrelated components of an internal control structure. Within each component is a series of questions that the Audit Committee should focus on to assure itself that controls are in place and functioning. These questions should be discussed in an open forum with the individuals that have a basis for responding to the questions.

    3 The questions in this questionnaire are adapted from Evaluation Tools, Volume 2 of the COSO Internal Control - Integrated Framework, published September 1992, by the Audit Committee of Sponsoring Organisations.


    The Audit Committee should ask for detailed answers and examples from the management team, including key members of the financial management team, Internal Audit and External Auditor to assure itself that the system is operating as management represents.

    Evaluation of the internal control structure is not a one-time, but rather a continuous event for the Audit Committee. The Audit Committee members should always have their eyes and ears open for potential weaknesses in internal control, and should continually probe the responsible parties regarding the operation of the system.

    These questions are written in such a manner that a "No" response indicates a weakness that must be addressed.

    Control Environment - Integrity and Ethical Values

    1. Does the organisation have a comprehensive Code of Conduct or other policies addressing acceptable business practice, conflicts of interest, and expected standards of ethical and moral behaviour?

    2. Is the code distributed to all employees?

    3. Are all employees required to periodically acknowledge that they have read, understood, and complied with the code?

    4. Does management demonstrate through actions its own commitment to the Code of Conduct?

    5. Are dealings with customers, suppliers, employees, and other parties based on honesty and fair business practices?

    6. Does management take appropriate action in response to violations of the Code of Conduct?

    7. Is management explicitly prohibited from overriding established controls? What controls are in place to provide reasonable assurance that controls are not overridden by management? Are deviations from this policy investigated and documented? Are violations (if any) and the results of investigations brought to the attention of the Audit Committee?

    8. Is the organisation proactive in reducing fraud opportunities by (1) identifying and measuring fraud risks, (2) taking steps to mitigate identified risks, (3) identifying a position within the organisation to own the fraud prevention program, and (4) implementing and monitoring appropriate preventative and detective internal controls and other deterrent measures?

    9. Does the company use an anonymous ethics and fraud hotline, and, if so, are procedures in place to investigate and report results to the Audit Committee?

    Control Environment - Commitment to Competence

    1. Is the level of competence, and the requisite knowledge and skills defined for each job in the accounting and Internal Audit organisations?

    2. Does management make an effort to determine whether the accounting and Internal Audit organisations have adequate knowledge and skills to do their jobs?


    Control Environment - Board of Directors and Audit Committee

    1. Are the Audit Committee's responsibilities defined in a charter? If so, is the charter updated annually and approved by the Board of Directors?

    2. Are Audit Committee members independent of the company and of management? Do Audit Committee members have the knowledge, industry experience, and financial expertise to serve effectively in their role?

    3. Are a sufficient number of meetings held, and are the meetings of sufficient length and depth to cover the agenda, and provide healthy discussion of issues?

    4. Does the Audit Committee constructively challenge management's planned decisions, particularly in the area of financial reporting, and probe the evaluation of past results?

    5. Are regular meetings held between the Audit Committee and the Chief Financial Officer, the Chief Audit Executive, other key members of the financial management and reporting team, and the External Auditor? Are executive sessions conducted on a regular basis?

    6. Does the Audit Committee approve Internal Audit's annual audit plan?

    7. Does the Audit Committee receive key information from management in sufficient time in advance of meetings to prepare for discussions at the meetings?

    8. Does a process exist for informing Audit Committee members about significant issues on a timely basis and in a manner conducive to the Audit Committee having a full understanding of the issues and their implications?

    9. Is the Audit Committee informed about personnel turnover in key functions including the audit team, senior executives, and key personnel in the financial accounting and reporting teams? Are unusual employee turnover situations observed for patterns or other indicators of problems?

    Control Environment - Management's Philosophy and Operating Style

    1. Is the accounting function viewed as a team of competent professionals bringing information, order, and controls to decision-making?

    2. Is the selection of accounting principles made in the long-term best interest of the organisation (as opposed to short-term maximisation of income)?

    3. Are valuable assets, including intellectual assets, protected from unauthorised access and use?

    4. Do managers respond appropriately to unfavourable signals and reports?

    5. Are estimates and budgets reasonable and achievable?

    Control Environment - Organisational Structure

    1. Is the organisational structure within the accounting function and the Internal Audit function appropriate for the size of the organisation?

    2. Are key managers in the accounting and Internal Audit functions given adequate definition of their responsibilities?


    3. Do sufficient numbers of employees exist, particularly at the management levels in the accounting and Internal Audit functions to allow those individuals to effectively carry out their responsibilities?

    Control Environment - Assignment of Authority and Responsibility

    1. Is the authority delegated appropriate for the responsibilities assigned?

    2. Are job descriptions in place for management and supervisory personnel in the accounting and Internal Audit functions?

    3. Do senior managers get involved as needed to provide direction, address issues, correct problems and/or implement improvements?

    Control Environment - Human Resources Policies and Practices

    1. Are policies and procedures in place for hiring, training, promoting, and compensating employees in the accounting and Internal Audit functions?

    2. Do employees understand that sub-standard performance will result in remedial action?

    3. Is remedial or corrective action taken in response to departures from approved policies?

    4. Do employees understand the performance criteria necessary for promotions and salary increases?

    Risk Assessment

    1. Does the organisation consider risks from external sources such as creditor demands, economic conditions, regulation, labour relations (e.g. unions), etc.?

    2. Does the organisation consider risks from internal sources such as key employees (retention and succession planning), financing and the availability of funding for key programs, competitive compensation and benefits, information systems security and backup systems?

    3. Is the risk of a misstatement in the financial statements considered and are steps taken to mitigate that risk?

    4. If applicable, are the risks associated with foreign/off-shore operations considered, including their impact on the financial reporting process?

    Control Activities

    1. Does the organisation have a process in place to ensure that controls as described in its policy and procedures manuals are applied as they are meant to be applied?

    2. Do the policy and procedures manuals document all important policies and procedures? Are these policies and procedures reviewed and updated on a regular basis? If so, by whom?


    3. Do supervisory personnel review the functioning of controls? If so, how is that review conducted and what happens to the results? Is appropriate and timely follow-up action taken on exceptions?

    Information and Communication

    1. Is a process in place to collect information from external sources, such as industry, economic, and regulatory information that could have an impact on the business or the financial reporting process?

    2. Are milestones to achieve financial reporting objectives monitored to ensure that timing deadlines are met?

    3. Is necessary operational and financial information communicated to the right people in the organisation on a timely basis and in a format that facilitates its use, including new or changed policies and procedures?

    4. Is a process in place to respond to new information needs in the organisation on a timely basis?

    5. Is there a process in place to collect and document errors or complaints to analyse, determine the cause, and eliminate a problem from recurring in the future?

    6. Is a process established and communicated to officers, employees and others, about how to communicate suspected instances of wrongdoing by the company or employees of the company? Furthermore, does a process exist to ensure that anyone making such a report is protected from retaliation?

    Monitoring

    1. Do officers and employees understand their obligation to communicate observed weaknesses in design or compliance with the internal control structure of the organisation to the appropriate supervisory or management personnel?

    2. Are interactions with external stakeholders periodically evaluated to determine if they are indicative of a weakness in the internal control structure? (For example, consider the frequency of customer complaints about incorrect bills.)

    3. Is there follow-up on recommendations from Internal Audit and the External Auditor for improvements to the internal control system?

    4. Are personnel asked to periodically state whether they understand and comply with the organisation's Code of Conduct?

    5. Are personnel required to sign off, indicating their performance of critical control activities such as performing reconciliations?

    6. Does Internal Audit have the right number of competent and experienced staff?

    7. Do they have access to the Board of Directors and Audit Committee?

    8. Is the reporting structure in place to ensure their objectivity and independence?

    9. Is the work of Internal Audit appropriate to the organisation's needs, and prioritised with the Audit Committee's direction?


    Appendix H. Key Questions for the Audit Committee to Ask

    On the strategic processes for risk, control and governance, how do we know:

    1. That the risk management culture is appropriate?

    2. That there is a comprehensive process for identifying and evaluating risk, and for deciding what levels of risk are tolerable?

    3. That the Risk Register is an appropriate reflection of the risks facing the organisation?

    4. That appropriate ownership of risk is in place?

    5. That management has an appropriate view of how effective internal control is?

    6. That risk management is carried out in a way that really benefits the organisation or is it treated as a box-ticking exercise?

    7. That the organisation as a whole is aware of the importance of risk management and of the organisation's risk priorities?

    8. That the system of internal control will provide indicators of things going wrong?

    9. That the Statement on Internal Control is meaningful, and what evidence underpins it?

    10. That the Statement on Internal Control appropriately discloses action to deal with material problems?

    11. That the Board of Directors is appropriately considering the results of the effectiveness review underpinning the Statement on Internal Control?

    On risk management processes, how do we know:

    1. How senior management supports and promotes risk management?

    2. How well people are equipped and supported to manage risk?

    3. That there is a clear risk strategy and policies?

    4. That there are effective arrangements for managing risks with partners?

    5. That the organisation's processes incorporate effective risk management?

    6. If risks are handled well?

    7. If risk management contributes to achieving outcomes?

    On the planned activity and results of both internal and external audit, how do we know:

    1. That the Internal Audit strategy is appropriate for delivery of a positive reasonable assurance on the whole of risk, control and governance?

    2. That the periodic audit plan will achieve the objectives of the Internal Audit strategy, and in particular is it adequate to facilitate a positive, reasonable assurance?

    3. That Internal Audit has appropriate resources, including skills, to deliver its objectives?

    4. That Internal Audit recommendations agreed by management are actually implemented?


    5. That any issues arising from line management not accepting Internal Audit recommendations are appropriately escalated for consideration?

    6. That the quality of Internal Audit work is adequate? / What does application of the Internal Audit Quality Assessment Framework tell us about the quality of the Internal Audit Department?

    7. That there is appropriate co-operation between Internal Audit and the External Auditor?

    On the accounting policies, the accounts, and the annual report of the organisation, how do we know:

    1. That the accounting policies in place comply with relevant requirements, particularly the Financial Reporting Manual?

    2. That there has been due process in preparing the accounts and annual report and is that process robust?

    3. That the accounts and annual report have been subjected to sufficient review by management and by the Managing Director and the Board of Directors?

    4. That when new accounting issues arise, appropriate advice on accounting treatment is obtained?

    5. That there is an appropriate anti-fraud policy in place and that losses are suitably recorded?

    6. That suitable processes are in place to ensure accurate financial records are kept? That suitable processes are in place to ensure fraud is guarded against and regularity and propriety are achieved?

    7. That financial control, including the structure of delegations, enables the organisation to achieve its objectives with good value for money?

    8. If there are any issues likely to lead to qualification of the accounts?

    9. If the accounts have been qualified, that appropriate action is being taken to deal with the reason for qualification?

    10. That issues raised by the External Auditor are given appropriate attention?

    On the adequacy of management response to issues identified by audit activity, how do we know:

    1. That the implementation of recommendations is monitored and followed up?

    2. That there are suitable resolution procedures in place for cases when management rejects audit recommendations which the External Auditor stands by as being important?

    On assurances relating to the corporate governance requirements for the organisation, how do we know:

    1. That the range of assurances available is sufficient to facilitate the drafting of a meaningful Statement on Internal Control?


    2. That those producing the assurances understand fully the scope of the assurances they are being asked to provide, and the purpose to which they will be put?

    3. That mechanisms are in place to ensure that assurances are reliable?

    4. That assurances are positively stated (i.e. premised on sufficient relevant evidence to support them)?

    5. That the assurances draw appropriate attention to material weaknesses or losses which shall be addressed?

    6. That the Statement on Internal Control realistically reflects the assurances on which it is premised?

    On the work of the Audit Committee itself, how do we know:

    1. That we are being effective in achieving our terms of reference and adding value to corporate governance and control systems of the organisation?

    2. That we have the appropriate skills mix?

    3. That we have an appropriate level of understanding of the purpose and work of the organisation?

    4. That we have sufficient time to give proper consideration to our business?

    5. That our individual members are avoiding any conflict of interest?

    6. What impact we are having on an organisation?


    Appendix I. Audit Committee Competency Framework

    All members of the Audit Committee shall have, or acquire as soon as possible after appointment:

    Understanding of the objectives of the organisation and current significant issues for the organisation;

    Understanding of the organisation's structure, including key relationships;

    Understanding of the organisation's culture;

    Understanding of any relevant law or other rules governing the organisation;

    Broad understanding of the organisation's environment, particularly accountability structures and current major initiatives.

    The Audit Committee shall corporately possess:

    Knowledge / skills / experience (as appropriate and required) in:

    o Accounting;

    o Risk management;

    o Audit;

    o Technical or specialist issues pertinent to the organisation's business.

    Experience of managing similar sized organisations;

    Understanding of the wider relevant environments in which the organisation operates.


    Appendix J. Audit Committee Self Assessment Checklist

    Composition, Establishment and Duties

    1. Does the Audit Committee have written terms of reference that adequately and realistically define the Audit Committee's role?

    2. Have the terms of reference been adopted by the Board of Directors?

    3. Are the terms of reference reviewed annually to take into account governance developments (including integrated governance principles) and the remit of other Committees within the organisation?

    4. Has the Audit Committee established a plan for the conduct of its own work across the year?

    5. Has the Audit Committee been provided with sufficient membership, authority and resources to perform its role effectively and independently?

    6. Are changes to the Audit Committee's current and future workload discussed and approved at Board of Directors level?

    7. Are Audit Committee members independent of the management team?

    8. Does the Audit Committee report regularly to the Board of Directors?

    9. Are members, particularly those new to the Audit Committee, provided with training?

    10. Does the Board ensure that members have sufficient knowledge of the organisation to identify key risk areas and to challenge both line management and the External Auditor on critical and sensitive matters?

    11. Does at least one Committee member have a financial background?

    12. Does the Audit Committee prepare an annual report on its work and performance in the preceding year for consideration by the Board of Directors?

    Compliance with Laws and Regulations

    1. Does the Audit Committee have a mechanism to keep it aware of topical, legal and regulatory issues?

    Internal Control and Risk Management

    1. Has the Audit Committee formally considered how it integrates with other Committees that are reviewing risk, e.g. risk management?

    2. Has the Audit Committee formally considered how its work integrates with wider performance management and standards compliance?

    3. Has the Audit Committee been briefed on its assurance responsibilities with regard to internal control and risk management, particularly with regard to the Statement on Internal Control, the Assurance Framework and the Chief Audit Executive's opinion?


    4. Has the Audit Committee reviewed whether the reports it receives are timely and have the right fo