The audit committee is a crucial element of the governance structure and operates under the delegated authority of the board. The committee’s roles and responsibilities will be documented within its terms of reference which it should review annually and propose to the board for approval.

The chief audit executive (CAE) should have direct, unrestricted access to the audit committee and chief executive as and when required.

The audit committee’s remit will typically include the following:

  • internal controls and risk management systems
  • the internal audit process including appointment and resourcing
  • financial statements including governance statements
  • the external audit process
  • compliance reports
  • regulatory inspection reports
  • key performance data
  • whistleblowing
  • communications with shareholders regarding its activities

As can be seen from the list above, the audit committee concerns itself with much more than just financial control and the external audit process.  

Whilst financial controls are important, the statistics show that the greatest sources of loss arise from the mismanagement of strategic risks. Internal audit’s remit therefore extends across the internal control framework and embraces strategic, governance, financial and operational aspects.

Limitations of assurance

Assurance can never be absolute - effective assurance seeks to conclude whether the audit evidence obtained is sufficient to reasonably conclude on the efficiency and effectiveness of an organisation's risk, governance and internal control processes.

It is important to manage the expectation gap, which sometimes exists due to a lack of understanding of the role of audit, by making clear and emphasising the actual role, function and limitations of internal audit.

For example in respect of external audit, a clean audit opinion does not mean a 100% guarantee that the accounts will be correct - it is a statement that they are ‘materially’ correct. The level of materiality is a decision for the external auditor based upon what they believe would influence the decision of users of the financial statements.

From an internal audit perspective it is important to recognise that the organisation generally aims to control risk to within its risk appetite. Internal audit needs to recognise that risk exists and that it may not always be possible, cost effective or necessary to remove or reduce it as far as possible. Internal audit’s assurance should generally be based around whether the controls can reasonably be relied upon to manage risks within appetite, which will vary by risk type.

As internal auditors, we have a professional responsibility to challenge the acceptance of residual risk which may be unacceptable to the organisation and which appears to be beyond its risk appetite.  

It is important that all auditors make clear the risks and limitations of the work done, so that core stakeholders can engage in a debate about areas for greater focus based upon their needs.

The key UK codes of most interest to audit committees are both issued by the Financial Reporting Council (FRC), namely:

  • the UK corporate governance code
  • guidance on audit committees

Some sectors of the economy have their own annotated versions of the above codes to place them in the context of the environment in which they operate - for example charities, social housing and mutual financial services.

An effective audit committee isn’t simply one which checks that it is compliant with relevant codes and regulations - it is one which is focused upon organisational risk, ensuring assurance meets organisational need, and challenging both the reports of management and auditors to ensure that assurance is robust.

These codes require a ‘comply or explain’ approach, which is intended to allow for a degree of flexibility in committee arrangements depending on the organisation and its context.

Specific areas to pay attention to when considering the effectiveness of the committee include:

  • appointments to the committee
  • the skills, experience and training of the committee members
  • participation of members at meetings
  • the frequency and attendance of meetings
  • the resources and support available to assist the committee in fulfilling its role
  • the relationship between the committee and its assurance providers
  • the relationship between the committee and senior management
  • the reporting relationship between the audit committee and the board