Common Mistakes in the Work of Audit Committees


By: Alaa Abdul Aziz Abu Nab’aa* / CPA, CIA, CRMA, CICP, MACC

The presence of an Audit Committee (of the Board of Directors) is a key indicator of sound corporate governance. This committee establishes a culture of commitment to accountability within any organization regardless of its nature, activities, or size.  The Audit Committee provides reasonable assurance ( ) on the effectiveness and efficiency of the organization’s internal control system and risk management processes in addition to ensuring the independence and integrity of the external auditor. In line with best corporate governance practices, the general assemblies of shareholders or the boards form audit committees that are tailored to the nature of the organization's activities in terms of number of members and their capabilities ( ). Indeed, many global corporate governance guidelines recognize the significance of Audit Committees and require the maximization of their effectiveness. The Audit Committee is considered the most important committee of the board. 

Audit Committees must play a critical role in corporate governance as they help ensure the effectiveness and efficiency of internal control systems, risk management, and overall governance. The functions and responsibilities of Audit Committees are paramount in achieving the organization's objectives and maximizing the benefits for all stakeholders, thus ensuring the long-term sustainability of the organization. Despite their critical role, Audit Committees are not immune to making mistakes that can adversely affect their effectiveness. The following mistakes are the most common in this regard. They are derived from my extensive firsthand experience working with numerous Audit Committees in various Arab countries and engaging in direct conversations with colleagues in the profession. 

I: Mistakes in the formation of the Audit Committee and its relationship with the rest of the board’s committees:
The proper formation of the Audit Committee is the most significant factor in determining its effectiveness. The common mistakes in the formation of the committee include the following:
1) The absence of clear standards for the membership of the committee.
2) The absence of the role of the Remuneration and Nomination Committee in recommending the acceptance of nominations and re-nominations of members, as well as verifying the independence of all independent members.
3) Including an executive board member, or any other executive personnel, such as the chairperson of the board, in the Audit Committee. ( )
4) Not considering that the independent member/s complement the capabilities of the rest of the committee ( ). Obtaining comprehensive knowledge of the organization's corporate governance, risk management, and internal control is imperative for every member of the committee. However, at least one Audit Committee member should possess a comprehensive understanding of the accounting practices relevant to the organization's activities. To address this matter, some central banks have implemented regulations mandating financial institutions to appoint Audit Committee members who possess knowledge and experience specifically relevant to the financial sector. Furthermore, many capital markets commissions around the world enforce regulations that require publicly traded companies to include a member on their Audit Committee who possesses specific knowledge and experience in accounting, internal auditing, and external auditing. 
5) Assuming that holders of post-graduate degrees in accounting are suitable for the Audit Committee’s membership, even if they lack practical experience. In my view, there is a distinction between the practical experience gained from professional roles in internal auditing, external auditing, and accounting, and the theoretical knowledge obtained through formal education. 
6) Lack of coordination between the Audit Committee and other committees of the board, such as Risk Management, Compliance, Governance, and others.
7) The board or general assembly of shareholders does not approve the committee's charter and fails to regularly update it. 
8) The Director of the Internal Audit Department also serves as the Audit Committee’s secretary. I often receive inquiries from colleagues on this matter, and my response is that the International Professional Practices Framework (IPPF) does not explicitly prohibit it. However, in my opinion, the role of the secretary is primarily administrative and requires specific capabilities that are often outlined in various corporate governance systems worldwide. As a result, the Director of the Internal Audit Department may not possess these specific capabilities. Moreover, it is anticipated that the Audit Committee members will convene meetings excluding the presence of the Internal Audit Director. The purpose of these meetings is to address specific matters with executive management or the external auditor, as well as to discuss issues about the internal audit activities. For instance, it is inappropriate for the Internal Audit Director to be present during an appraisal meeting concerning his/her performance.

II: Mistakes in relationship with the executive management: 
A good relationship between the Audit Committee and the executive management is crucial for both parties. Failure to hold the executive management accountable for unaddressed internal audit findings and recommendations may negatively impact the relationship between the two parties. Moreover, not objectively addresse the feedback from executive management regarding the internal auditing activities ( ) and adopting a "this is not our concern" attitude towards executive management can lead to shirking responsibilities.

III: Mistakes in the relationship between the Audit Committee and the Director of the Internal Audit Department: 
The common mistakes in this regard include:
1) The Committee members lack awareness of their accountability for ensuring the effectiveness and efficiency of internal auditing.
2) Failing to ensure alignment between internal audit plans and the organization's strategy, as well as overlooking the coverage of the most significant risks faced by the organization.
3) Lack of effective coordination between the internal audit function and other internal control departments within the organization (such as Risk Management, Compliance, Safety, and Security). 
4) Lack of awareness of the internal audit function's methodology.
5) Not adequately holding the Director of the Internal Audit Department accountable for the accomplishments of the internal audit function.
6) The board and executive management do not adequately emphasize the significance of having an independent internal audit function in the organization. 
7) Failure to obtain approval for the internal audit charter and neglecting regular updates to the charter.
8) Not holding meetings with the Director of the Internal Audit Department if a representative of the executive management is not present. 
9) Not reviewing and approving a strategic plan specifically designed for internal auditing, rather than an annual plan.
10) Enabling executive management to influence the appointment and compensation of the head of the internal audit department. ( ).  
11) Failing to conduct a review and approval of the internal audit activity's annual budget and delegating this responsibility to the executive management.
12) Failing to directly ask the head of the internal audit department about the personal assessment of his/her independence of the executive management and the level of cooperation with that management. 
13) Failure to hold regular assessments of the internal audit activity by the Audit Committee at least once a year, and by an external party at least once every five years.
14) Relying excessively on the Head of the Internal Audit Department to fulfill the obligations and functions of the committee, combined with significant confusion and a lack of clarity regarding the respective roles of both the Head of the Internal Audit Department and the Secretary of the Audit Committee.
15) The Audit Committee's limited engagement with internal audit reports or failure to take necessary action against parties who do not respond to internal audit reports despite continuous follow-ups can result in internal audit teams feeling frustrated and undermine the effectiveness of the internal audit function within the organization. 
16) Disregarding the value of the internal audit function and solely focusing on cost reduction, making the organizations at risk of hindering the audit committee's ability to fulfill its responsibilities to the board, general assembly, and stakeholders. It is crucial to recognize that the internal audit function plays a vital role in supporting the Audit Committee's effectiveness. The Audit Committee is ultimately responsible for any failure in the internal audit function.
17) Grant permission for the Internal Audit Department members to participate in investigation committees dealing with occupational fraud. ( )
18) Preventing staff members of the Internal Audit Department from serving as supervisor members on other operational committees claiming that their involvement in such committees may compromise the independence of internal auditing.
19) Direct intervention in the appointment, compensation, and performance assessment of internal auditors. These responsibilities should not rest solely with the Director of the Internal Audit Department 

IV: Mistakes in relationship with the external auditor: 
Common mistakes in the Audit Committee’s relationship with the external auditor include the following:
1) Neglecting to schedule regular meetings with the independent auditor and failing to discuss the work plan with them, and ensure their independence and objectivity. Also, not engaging in meetings with the independent auditor unless a representative of the executive management is present, and not proactively asking critical questions or providing constructive feedback. It is uncommon to come across an Audit Committee that engages in substantial discussions concerning the external auditor's opinion and methodology related to auditing significant elements like investments, debt allocations, and the execution of essential tests. It is important to recognize that engaging the independent auditor in advisory services or allowing executive management to handle the selection process and fee negotiations with auditors may impact the independence of the external auditor. 
2) Not requesting the external auditor to provide management letter points. It is important for the committee to review the auditor's notes on the organization's financial statements and internal control failures, and to follow up on the actions taken to address these issues.
3) Not being familiar with the International Financial Reporting Standards (IFRS) and the different tax requirements and completely relying on executive management and external auditors to handle these matters.

V: Mistakes in the Meetings of the Audit Committee:
The common mistakes in this regard include:
1) Conducting a minimal number of meetings, having brief meetings, inadequate preparation by committee members for the meetings, or not reviewing the information relevant to the meeting's agenda.
2) Failure to document all discussions and objections within the committee's meetings and only focusing on noting decisions and recommendations. It is incorrect to assume that documenting sensitive discussions may harm the organization.
3) Failing to submit regular reports on the committee's activities to the board or the general assembly of shareholders.
4) When there is a delay in preparing the minutes of the committee's meetings, it can result in members of the committee forgetting the discussions that took place during the meeting. Additionally, it may cause delays in reviewing the draft minutes or postponing their approval until the next meeting, which could be months away.

VI: Other mistakes: 
1) The responsibility for attracting offers and negotiating outsourcing fees for some or all of the internal audit tasks is left to the executive management.
2) Failing to stay informed on the latest updates in laws and regulations pertinent to the organization's activities.
3) Neglecting information security and disregarding the risks associated with information technology.
4) Failing to implement a whistleblowing mechanism for staff and stakeholders to report organizational or ethical concerns, and neglecting to independently investigate and monitor such reports in proportion to the severity of the misconduct or violation. 
5) The committee fails to fully utilize its authority to access the organization’s records and documents, seek clarification from board members and executive management, and request a general assembly meeting in cases where the board obstructs the committee's work.
6) The absence of adequate oversight over the financial reporting processes, including monitoring the policies, estimates, and accounting judgments made by the executive management, and the lack of clarity regarding the actions taken by the executive management in accounting decisions, particularly those that have a significant negative impact on the financial reports.
7) Failure to monitor the resolution of notes and implementation of recommendations mentioned in regulators' reports.
8) Failing to review contracts and transactions involving related parties and not communicating this information to the board.

The role of Audit Committees continually evolves to adapt to the changing risk management landscape and the increasing volume of responsibilities entrusted to the board. The traditional focus on historical elements alone is no longer sufficient. Hence, Audit Committees should prioritize their attention towards monitoring organizational changes that can impact comprehensive supervision, risk management processes, and compliance with laws and regulations. They play a crucial role in supporting the board's oversight and supervisory responsibilities over executive management. Additionally, Audit Committees aid in preserving the independence of the external auditor and enhancing the effectiveness of internal audit functions and internal control systems.