Minimum standard for Audit Committees in relation to external audit - what do Heads of Internal Audit need to know?

The case for improving Audit Committee standards

In 2019, the UK Government accepted the proposal put forward by the Competitions & Markets Authority (“CMA”) that Audit Committees should come under greater regulatory scrutiny. Particular emphasis was placed upon increasing the accountability of Audit Committees, enhancing their focus on the appointment and oversight of external auditors. A key action agreed was that the regulator - the Financial Reporting Council ("FRC") - should be able to mandate and oversee minimum standards for Audit Committees.

In May 2023, the FRC published the final standard - Audit Committees and the external audit: Minimum Standard. This applies to Audit Committees of premium listed companies and those companies included within the FTSE 350 index. It will become mandatory for these companies once the necessary legislation has been passed to establish the new regulator - the Audit, Reporting and Governance Authority ("ARGA"). This is currently expected to be before April 2024.

The standard should be read in conjunction with the relevant sections of the UK Corporate Governance Code 2018 (currently subject to a revision consultation) and the FRC paper - Guidance on Audit Committees April 2016. The FRC is recommending that companies within scope to begin to apply the standard as soon as they are able. Other companies that are smaller in size, or not premium listed, are encouraged to adopt it as best practice.

Key areas of focus

The standard focuses on three main areas of the Audit Committee remit:

The tender process for external audit
Oversight of the external audit process
Reporting on the work performed by the Audit Committee to meet its responsibilities.

Many aspects of the standard were already recommended practice in the FRC’s Guidance on Audit Committees. The main point to note is that these will now be mandatory requirements for some companies.

What do Audit Committees need to do?

Tendering

The standard sets out specific considerations for Audit Committees when conducting the process for appointing external auditors. It is emphasised that the tendering process should be run by the Audit Committee and not by management. A new requirement is that the participation of firms beyond the 'Big Four' should not be precluded without good reason and that steps should be taken to ensure that the company has enough potential auditors that are independent (or capable of becoming independent) to allow for adequate competition and choice. It is expected that the tender process should commence far enough in advance to allow for any firms to exit relationships that may cause a conflict of interest.

In addition to this, the tender process should be conducted in a way that all firms have sufficient access to information and individuals during the tender process, and that tenders are evaluated based on quality, including independence, challenge and technical competence - not price or cultural fit. Hence why price-blind tenders should be considered. Public reports on audit quality published by the FRC or other regulators and each firm’s audit quality indicators should be scrutinised as part of the process.

All Audit Committee members should be involved in the tender process and ideally between 3-4 firms should be considered. The Committee should ensure that it has not excluded any firms without good reason to believe that they would not be able to perform a high quality audit. As a minimum, two options should be put forward for consideration by the Board, together with a justified preference for one of them. Where some firms have declined to participate in the tender process, the Committee should communicate with them to understand their reasoning and whether anything can be done to change their view.

These aspects of the standard are also emphasised in the proposed revisions to the UK Corporate Governance Code, which is currently subject to consultation. Specifically, the main roles and responsibilities of Audit Committees include promoting effective competition during the tendering for an external auditor, to support audit market diversity.

Oversight of the external audit process

The Audit Committee is responsible for overseeing and assessing the company's external audit and the auditors. Key to this is an assessment of the effectiveness of the audit process. The standard specifies that the Committee should:

Require the external auditors to provide details of the risks to audit quality that they identified, how these have been addressed and the key audit firm and network quality controls that they relied upon to address audit quality risks
Request details of any internal and external inspections related to audit quality
Review whether the external auditor has met the agreed audit plan and any commitments made during the tender process and understand whether there have been any changes to the plan, including changes to audit risk and the work performed by the auditors in respect of such risks. This should also involve considering whether the volume and type of resource envisaged in the plan (in terms of seniority and specialism) has been deployed.
Review the audit management letter and any other communications to determine whether this is based on a good understanding of the business.

Moreover, the Committee should satisfy itself that the quality of the audit is of a sufficiently high standard supported by evidence. Examples of this include:

Evidence of challenge of management
The firm’s self-assessments of audit quality
Audit quality indicators agreed with the Audit Committee
Stakeholder surveys/feedback
Action taken by the audit firm in response to previous quality assessments.

Finally, the standard requires that the FRC’s annual report on that audit firm should be formally reviewed by the Audit Committee and the findings discussed with the auditor.

Audit Committee reporting

The standard now requires the following to be included in the annual report relating to the work of the Audit Committee:

The significant issues that the Audit Committee considered relating to the financial statements, and how these issues were addressed.
An explanation of the application of the entity's accounting policies.
Where shareholders have requested that certain matters be covered in an audit and that request has been rejected, an explanation of the reasons why.
An explanation of how it has assessed the firm whence and effectiveness of the external audit process and the approach taken to the appointment or reappointment of the external auditor, information on the length of tenure of the current audit firm, when a tender was last conducted and advance notice of retendering plans. If a tender process has taken place within the year, the Audit Committee should explain the criteria used to make the selection and the process followed.
Where a regulatory inspection of the quality of the company’s audit has taken place, information about the findings of that review, together with any remedial action the auditor is taking in the light of these findings.
In the case of the Board not accepting the Audit Committee’s recommendation on the external auditor appointment, reappointment or removal, a statement from the Audit Committee explaining its recommendation and that of the Board, and the reasons why the Board has taken its different position.
An explanation of how auditor independence and objectivity are safeguarded if the external auditor provides non-audit services.

In addition to this, the work that the Audit Committee has undertaken to meet the specific requirements of the standard must now also be reported.

These aspects of the standard are re-emphasised in the proposed revisions to the UK Corporate Governance Code, which is currently subject to consultation. Specifically, the main roles and responsibilities of the Audit Committee include following the Audit Committees and the External Audit: Minimum Standard.

Why is this of interest to Heads of Internal Audit?

This is one of two important documents published in May 2023 by the FRC in response to the UK Government's corporate governance reform agenda. It will no doubt be followed on by further publications when ARGA comes into being in 2024. Heads of Internal Audit need to make sure that Audit Committees of premium-listed and FTSE 350 companies are aware of, and now begin to adopt, the requirements of the standard - if they have not done so already.

More notable for Heads of Internal Audit, is the absence at this stage of mandatory guidance for Audit Committees in respect of internal audit. At present, Audit Committees are still only required to consider whether there is a need for an internal audit function and to provide an explanation if one has not been established. The Audit Committee role and responsibilities for overseeing internal audit activity is set out in the FRC’s Guidance on Audit Committees - but this is not mandatory and is only relevant where an internal audit function has been established.

However, the FRC's proposed revisions to the UK Corporate Governance Code include some important changes that will impact Heads of Internal Audit since these will bring Audit Committee scrutiny of internal audit into much sharper focus. The new responsibility for Audit Committees to develop, implement and maintain an Audit and Assurance Policy - including internal auditing and assurance arrangements, together with the requirement to review all the company’s risk management and internal control systems (no longer just financial control systems) will mean that internal audit activity will be looked at ever more closely.

Heads of Internal Audit therefore need to keep up to date with developments in this area so that they can ensure that the assurance they provide continues to support the Audit Committee as it responds to the corporate governance reforms as they are implemented.