The existence of an audit committee is one of the main characteristics of implementing the rules of good governance, as this committee establishes a culture of commitment and accountability within any organization, regardless of the nature of its activity or size, by providing reasonable assurance about the efficiency and effectiveness of internal control systems and risk management applied in organization, in addition, to ensure the independence and integrity of external auditor.
In this sense, the general assemblies of shareholders or boards of directors of organizations (according to the best governance practices) form audit committees, emanating from within, that are consistent with the nature of organization activities, in terms of number of members or expertise and skills, to be provided by their members. Therefore, many corporate governance codes around the world have sought to regulate the role of audit committee to improve its effectiveness as it is considered the most important control committee emanating from the board of directors or from the general assembly of shareholders.
Audit committees should play a preventive role in the control system and risk management and ensure that attention is paid toward control mechanisms and policies that prevent financial and operational disasters. However, there are some mistakes made by these committees, which adversely affect their ability to complete this important role.
Thus, the following are some of the most common mistakes that I have compiled through my direct contact with many audit committees in a number of Arab countries and through talking with several colleagues in the profession:
First: Mistakes in the committee formation and its relationship with other committees of the board:
The right formation of audit committee is the most important factor in determining its effectiveness. One of the most common mistakes in forming a committee is having an executive board member or other executive or even chairman of board of directors in the committee, or not to consider the independent member as complementary to the non-executive members of the committee in terms of expertise, knowledge and skills.
It is important that all members have good knowledge of governance, its regulations and requirements, and adequate understanding of the nature of organization activity, provided that at least one member is fully aware of accounting requirements related to organization activity and impact of such nature on financial statements. To address this issue, some central banks have imposed, on financial institutions, having a member of audit committee with knowledge and experience in financial sector. Moreover, financial markets around the world have imposed on joint stock companies to have one of their members to be knowledgeable and expert in accounting and auditing, both the internal and/or external ones.
It is also a common mistake to think that post graduates in accounting are suitable for committee membership, even if they do not have any practical experience. In my view, professional experience and its resulting knowledge in internal, external auditing and accounting is different from theoretical knowledge.
In addition, there is a lack of coordination between the audit committee work and the rest of control committees under board of directors or general assembly of shareholders, such as risk management committee, compliance and governance committee, and others, and not approving committee charter by the board or general assembly of shareholders, or not reviewing and updating it periodically.
Second: Mistakes in the relationship between the committee and executive management:
A good relationship between audit committee and executive management is important for both parties. One of the mistakes that may affect the organizational relationship between them is that the committee never ask executive management about internal audit observations that have not been resolved or about implementing its accompanying recommendations. Moreover, the committee does not deal objectively with executive management comments on internal audit activity, by following attitude of “that’s out of our scope” and shirking responsibilities.
Third: Mistakes in the committee relationship with internal audit activity and with internal audit director:
Common mistakes in this context include:
- Lack of awareness among the members of the committee that they are responsible for the effectiveness and efficiency of internal audit activity.
- Lack of assuring that the internal audit plans are in line with organization strategies and covering the most important risks encountered, and lack of assuring effective coordination between the internal audit activities and the rest of internal control departments within organization (risk management, compliance management, security management and safety management, etc.).
- Lack of knowledge about the methodology followed by the internal audit activity and not asking the director of internal audit department in a critical manner about achievements of internal audit activity.
- Failure to promote importance of having an independent audit activity in organization, for both board of directors and executive management.
- Non-approval of a charter, policies and procedures of internal audit department.
- Failure to have a meeting with director of internal audit department without having a representative of executive management.
- Failure to look at and approve a strategic plan (not annual plan) of internal audit activity.
- Allow executive management to intervene in appointing the director of internal audit, determining his remuneration, not to review and approve annual budget of internal audit activity and leave it to executive management and not to ask the director of internal audit department frankly about his personal assessment of the level of his independence from executive management and its level of cooperation with him.
- Failure to carry out a periodic assessment for internal audit activity by the committee (at least once a year) and by an external party (at least once 3-5 years).
- Rely, mainly, on director of internal audit to perform duties and responsibilities of the committee.
- Weak interaction of the committee with the results of internal audit reports, or failure to take appropriate action against those who do not respond to internal audit reports despite ongoing follow-ups from internal audit department; which may lead to frustration among internal audit team and weakening the role of internal audit activity in organization.
Fourth: Mistakes in the relationship of audit committee with external auditor:
Common mistakes in the relationship of audit committee with external auditor:
- Failure to have a meeting with independent auditor, periodically, to discuss a proposed work plan, and ensure his/her independence and objectivity. Or not meeting with him/her unless there is a representative of executive management in presence, and not auditing financial statements critically. We rarely find an audit committee that seriously discusses auditor’s opinion, work followed in covering some important audit elements such as investments, debt allocations and performing some important tests. It is worthwhile noting here that the independence of auditor may be affected if he/she has submitted consulting work to organization and/or if executive management has solicited offers and negotiated fees with the auditors.
- Not asking external auditor to submit to management (Management Letter Points) and study his/her notes about corporation financial statements and on the adequacy of internal control systems and on follow up actions.
- Lack of knowledge about the requirements of adopting international standards, and with possible weaknesses and manipulation and leaving the matter entirely to executive management and the auditor.
Fifth: Mistakes in committee meetings:
Some common mistakes in relation to committee meetings include low number of meetings, , short duration, poor pre-preparation by its members, failure to read internal audit reports presented to them, lack of documenting all the matters that were discussed in committee minutes of meetings, but, documenting only the decisions and recommendations, and delays in preparing the minutes or approving it. In addition, it is wrong to believe that documenting some sensitive issues may harm organization reputation, and also not reporting, periodically, on committee work to board of directors or general assembly of shareholders.
Sixth: Other mistakes:
- Leaving the process of request for proposals and fees negotiation in relation to outsourcing some or whole of internal audit activities to executive management .
- Failure to follow up the latest laws and legislations issued concerning organization activities.
- Failure to follow up and carry out periodic review on effectiveness and efficiency of managing the most important risks facing organization, whether strategic, operational, financial or compliance.
- Lack of focus on information security and IT risks.
- Failure to adopt any mechanism that allows all organization employees to provide their comments secretly about any violation of regulations, and not to verify effectiveness of implementing such mechanism, by conducting an independent investigation commensurate with the size of error or override and not adopting appropriate follow-up procedures.
- The committee never exploits its authority to review organization records and documents, to ask for clarification or statement from members of board or members of executive management, and to ask board to call general assembly of shareholders for a meeting if board obstructs its duty.
The role of audit committees is of continuous development and their focus on old means considering the developments in the risk environment and the enormous size of task on shoulder of board of directors is no longer sufficient. Therefore, they should focus more on organizational changes that may affect overall control, risk management processes, compliance with regulations and laws, and on helping the board to play its supervisory and control role over executive management performance, thereby supporting independence of external auditor and increasing effectiveness of internal audit activity and internal control systems.