Such critiques provide learning opportunities for all audit committees – bank and non-bank, listed and non-listed, private and public – to enable them to be an effective link between the board and the external and internal auditors.
An audit committee is a fundamental component of good governance. It typically focuses on issues relevant to the integrity of an entity’s financial reporting, oversees external audit, internal audit, risk management, internal control and compliance, and liaises with the board, management and the auditors. The existence of an audit committee can ease the pressure on a busy board because the committee can take the time to address corporate reporting, internal controls and the effectiveness of the risk management framework (some boards have a separate committee addressing the oversight and implementation of the risk management framework). Involvement in an audit committee also allows directors to deepen their knowledge of an organisation, become more actively engaged and utilise their experience.
While the audit committee makes recommendations to the full board, it is important to remember that the full board retains the ultimate responsibility for financial statements and other matters that fall within the core responsibilities of the board. Subject to board delegations and relevant committee charters, BACs may have some limited decision-making powers (such as approving annual plans for the internal audit function and their budget, or approving annual plans for the external auditor).
The Hayne Report makes clear that boards and their committees (such as the BAC) must:
- Sufficiently challenge management;
- Do all they can to satisfy themselves that they are receiving the right information and inputs from management to make complex decisions;
- Monitor, measure and assess corporate culture and governance; and
- Provide rigorous oversight of risk, including non-financial risks.
Many of these themes were also echoed in the earlier APRA Report. The areas for improvement highlighted by APRA’s Inquiry included:
- More rigour and urgency in holding management to account
- Improved reporting to the BAC
- Reliance on key individuals
- Interaction with other committees and the Board
Rigour and urgency in holding management to account
The BAC needs to apply rigour and urgency in holding management to account in addressing and closing out audit issues. The APRA Report also recommended that the BAC increase direct engagement with the business unit and support function owners of significant issues and hold them accountable for timely and effective closure of these issues.
In the case of the CBA, issues were identified through ‘Red audit reports’ in 2013, and then again in 2015 noting that the issues raised two years earlier “have not progressed due to a lack of ownership”. A third Red audit report was noted in September 2016 which stated unequivocally that CBA “has been slow to address many of the previously identified issues and associated root causes”. This led the APRA Report to describe the operation of the BAC as “passive” and a “light hand of the tiller”. It noted that a lack of urgency imparted a tone of inaction to the rest of the organisation.
Good practice involves audit committees following up on how the internal audit function’s recommendations have been dealt with by management. This provides them with an insight into the role and effectiveness of the internal audit function and also provides some understanding of management’s attitude to internal audit. This should include an indication in the audit reports as to whether management has agreed with the findings and ensuring management’s proposed resolution dates are appropriate.
If such information is not clearly indicated in the audit reports, the internal auditor should be challenged appropriately in this regard.
Improved reporting to the BAC
In order to effectively challenge senior management, the BAC must seek and be provided with clear and concise reporting, highlighting the matters requiring the attention of the Directors.
In the case of the CBA, BAC members were not routinely provided with, and did not request, full copies of Red audit reports. They relied on summaries and did not call the owners of issues raised in Red audit reports to appear directly before the BAC. In addition, the BAC was criticised for not policing closure of material control weaknesses reported to the BAC.
Good practice involves the audit committee tracking the progress on internal audit recommendations through formal metrics and reporting - detailing the number of audit reports, the owners, the remediation timetables, extensions granted and whether the findings were repeat issues. Those areas that are overdue or extended should be highlighted. While summaries are provided, detailed audit reports should also be made available.
Where matters are not addressed by management to the point of delaying remediation to customers and/or damaging the bank’s relationship with regulators, Hayne indicates in his report that it would be appropriate for the Board to say “Enough is enough. Fix this, and fix it now.”
Reliance on key individuals
To promote healthy challenge of management, the composition of the BAC should be diverse and bring differing perspectives to BAC processes.
In the case of CBA, the BAC was heavily reliant on information filtered through a single Director (the Chair) and the internal auditor, both experts in their field, which of itself is a strength but also led to the stifling of management challenge.
Good practice requires individuals on the BAC with appropriate qualifications, knowledge, skills or experience to enable the committee to perform its functions (which include effective challenge of management). They must also have sufficient capacity, independence and objectivity, as well as the ability to understand the business and operating context of the entity, noting the breadth of responsibilities that BACs assume.
The ASX Corporate Governance Principles and Recommendations (Principles) commentary to Recommendation 4.1 states that the BAC “should be of sufficient size and independence, and its members between them should have the accounting and financial expertise and a sufficient understanding of the industry in which the entity operates, to be able to discharge the committee’s mandate effectively”. This expertise would include analytical skills, tenacity and judgement. The personality of the members and the tone of the BAC are very important factors in having an effective BAC.
Good practice would generally require at least one member of the BAC to have financial expertise. The role of the financial expert should be to help the other members understand and assess the information and does not negate the need for other members to understand financial reporting. This is recommended in the AICD’s Audit Committee Guide (referred to below) as well as the IOSCO Report on Good Practices for Audit Committees in Supporting Audit Quality. However, this does not mean that undue reliance should be placed on the skills of this financial expert.
Interaction with other committees and the Board
Effective co-ordination between Audit, Risk and Remuneration Committees is required to address gaps in communication between Committees. Appropriate reporting to the board is also required.
In the case of CBA, APRA found that there was a lack of clarity and delineation between the Board Risk Committee (BRC), the BAC and the Remuneration Committee, resulting in gaps in the flow of information. The issues identified by internal audit to the BAC in the ‘red audit reports’ of 2015 (the second time the issue had been raised) did not result in a formal request or notification to the BRC to consider the implications of the identified control weaknesses for CBA’s risk profile. The Board subsequently directed the BRC to receive a further update on the specific matter later in the year; however, the seriousness of the matter was not reflected in BRC reporting until November 2016 (over three years after the first internal audit report). Further, APRA noted that reports to the CBA board from its committees were often the final item on the agenda, with the time allotted often being insufficient due to overruns in prior areas.
Good practice in this area is to have overlapping Committee memberships (which CBA had) as well as ensuring seamless communication between Board committees. The identification of a critical control gap affecting risk management should be formally communicated to the BRC by the BAC, and the BAC may continue to monitor this matter. According to APRA in their report, some institutions hold joint and overlapping meetings of their BAC and BRC where relevant audit findings can be discussed.
Appropriate time should be provided in the Board meetings for the reports from committee meetings and a formal report should be issued by the BAC which covers, amongst other things, the results of the work completed by the auditors along with audit recommendations for corrective action and status reports.
The AICD has a practical guide on the roles and responsibilities of the audit committee, which explains the context in which it operates and outlines good practice. It is available from our bookshop. Specific guides for the Commonwealth public sector are available from the Commonwealth Department of Finance.