The Audit Committee's Roadmap

Is your company's audit committee charter up to snuff? Compare it with this model.


  • FINANCIAL FRAUD HAS BEEN GETTING a lot of attention lately from investors, the press and the SEC.

  • AUDIT COMMITTEE MEMBERS NEED A REFERENCE guide to perform their duties well. A good audit committee charter organizes committee members' responsibilities, providing a systematic structure for discussions between the committee and management, the public accountant and others.

  • SIX REPORTS BY FOUR GROUPS have prompted upgrades to audit committee charters over the past decade. These documents include the Treadway report, the COSO report on internal controls, the MacDonald report, two reports from the POB and the FDIC Improvement Act.

  • AUDIT COMMITTEES PLAY A CRITICAL ROLE in preventing fraudulent reporting. Accordingly,
    • Only independent directors should serve on the audit committee.
    • The committee should meet at least quarterly.
    • The committee should make regular inquiries to ensure that the public accountant remains independent.
    • The committee should actively solicit information about the appropriateness of the internal controls in place.
    • The committee should report to the shareholders on its activities and findings.
    • Management and the public accountant should fully inform the committee about any financial irregularities, regulatory investigations, potential liabilities or other sensitive information.
    • The committee should have the resources and authority to conduct investigations.
JAMES W. BEAN, JR., CPA, was senior vice-president and chief auditor at Glendale Federal Bank in Glendale, California. Subsequent to that bank's recent merger with California Federal Bank, he has become first vice-president and director of corporate accounting policy at California Federal Bank in San Francisco. He is a member of the AICPA banking and savings institutions committee and of the California Society of CPAs depository institutions committee. His e-mail address is

Source: Directorship, a consulting, research, publishing and corporate governance firm in Greenwich, CT.

Financial reporting frauds and earnings manipulation have attracted high-profile attention recently; witness SEC Chairman Arthur Levitt's comments last September, provoked by widespread irregularities at big companies such as Cendant and Sunbeam. It is management's responsibility to prevent such problems before they begin, and to establish a control environment designed to identify and immediately stamp out any fraudulent reporting that does occur.

The tone of a company's control environment is set at the top, by the board of directors in general and the audit committee in particular. The rest of the board often relies on the audit committee to notice and question any unusual business practices, aggressive accounting methods or violations of the company's code of business conduct. But at many companies audit committee members may not have the expertise in matters of internal control that CPAs do, and some people serving on audit committees have very little accounting or financial background at all. Accordingly, audit committee members need a reference guide to their responsibilities. That is the function of an audit committee charter.

Exhibit 1: Resources an Independent Audit Committee Needs

The charter should authorize audit committee

  1. Funding to retain outside legal counsel without approval from management.

  2. Funding to retain an independent accounting firm if a second opinion is called for.

  3. Ready access to all books, records and employees of the corporation.

  4. Power to conduct any investigation appropriate to fulfilling its responsibility.

A comprehensive charter enhances the effectiveness of the audit committee, serving as a road map for committee members. A well-thought-out charter also should describe the committee's composition and specify access to appropriate resources (see sidebar, exhibit 1). In addition, while auditors may find it difficult to detect fraud when management misrepresents the facts, they should take the control environment into account when planning audits, which means auditors should be looking at their clients' audit committee charters.

As the chief auditor at Glendale Federal Bank, I met regularly with our board's audit committee and have seen firsthand how valuable a strong audit committee charter can be. Each year, I prepared a schedule of the audit committee responsibilities listed in the bank's audit committee charter and cross-referenced it to the date and page of the audit committee minutes, documenting that the committee members had fulfilled all of their responsibilities. For clarity, we structured our presentations to the committee to reflect the responsibilities described by the charter, using the charter as a checklist. That focused the committee members' efforts and made them much more effective than they otherwise might have been.

The charter also served as a script for the committee members when they questioned management, the independent accountant and the internal auditor. For example, the charter specified that the audit committee explicitly ask the external auditor for an opinion about the appropriateness, not just the acceptability, of accounting principles and financial disclosures, putting them in context (see exhibit 4, section on responsibilities for reviewing audits). At a bank like Glendale, that might have involved a discussion of the range of acceptable loan loss reserves and where the bank's reported reserves fell within that range, together with a discussion of why it was appropriate to set the bank's reserves at that point within the range.

In most jurisdictions, no law mandates companies to have audit committees. Connecticut is the only state that, by law, requires them for large public companies. The SEC does not require audit committees either, although the major stock exchanges do. Most boards of directors consider it good practice for a company to have an audit committee, though, and 959 of the Fortune 1,000 companies do have audit committees.

Some audit committees do not have charters (sometimes the committee's responsibilities are specified in the corporation's bylaws or resolutions), but most do. Since financial statements are very important to shareholders, and public companies have fiduciary responsibilities to their shareholders, it makes sense for boards to delegate the details of financial oversight to committees of experts and to give those committees explicit guidelines to follow.

The audit committee charter is analogous to an employee job description listing the employee's responsibilities, the employer's expectations for the employee and the basis for the employee's performance appraisal. The audit committee is responsible to the rest of the board and the shareholders, and its charter details what the shareholders reasonably can expect the committee members to do. Nonetheless, even though a good charter exists, and the audit committee faithfully discharges the duties described by it, changing conditions can make a periodic review and update advisable. For example, if the AICPA publishes new criteria for determining the independence of an external auditor or the SEC redefines what constitutes independence for an audit committee member, the charter should be reviewed. Thus, the best audit committee charters are living, changing documents.

Early audit committee charters often were only two paragraphs long and did not include substantive responsibilities. However, over the last decade investors and regulators have engaged corporate boards and executives in a rousing discussion about how corporations should be governed. The proper role of the audit committee has been pivotal in all of those discussions of corporate governance. As a result of this controversy, six studies of corporate governance principles have influenced how audit committees are shaped (see exhibit 2), causing the best audit committee charters today to be considerably more detailed.

1. The Treadway report. In October 1987, the Committee of Sponsoring Organizations (COSO) issued the first of these six documents, The Report of the National Commission on Fraudulent Financial Reporting, better known as the Treadway report after the chairman of that commission, former SEC Commissioner James C. Treadway.

COSO was a private-sector initiative, jointly sponsored and funded by the AICPA, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors and the Institute of Management Accountants. The Treadway report identified corporate governance principles that would significantly reduce the potential for fraudulent financial reporting. The commission itself was formed in response to several high-profile financial frauds, primarily at savings and loan institutions. In the late 1980s, neither audit committees nor external auditors had proved adequate watchdogs against fraud, resulting in extensive litigation against directors as well as accounting firms. While the Treadway report standards do not carry the force of law, they have been introduced in such suits as evidence of responsible practices.

The Treadway report was the first formal documentation of conventional wisdom about audit committee responsibilities, setting standards based on best practices rather than on common practices. Some recommendations: that audit committees have charters, that those charters specify members' responsibilities to prevent fraudulent financial reporting and that only independent directors serve on audit committees (see exhibit 3). It assigned significant oversight responsibility to the audit committee. It also suggested minimum frequencies for reviewing financial statements (quarterly), management's compliance with the corporate code of conduct (annually) and review of any potential conflicts of interest posed by consulting arrangements with the company's public accountant (annually).

Exhibit 2: Six Documents That Changed Audit Committee Charters

1987 The Report of the National Commission on Fraudulent Financial Reporting, better known as the Treadway report, prepared by the Committee of Sponsoring Organizations (COSO). Those organizations were the AICPA, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors and the Institute of Management Accountants.

1988 The Macdonald Report, prepared by the Commission to Study the Public's Expectations of Audits, formed by the Canadian Institute of Chartered Accountants.

1991 The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), passed by the U.S. Congress in response to the savings and loan scandals.

1992 Internal Control, Integrated Framework, published by COSO.

1993 In the Public Interest, A Special Report, by the Public Oversight Board (POB) of the SEC practice section of the AICPA division for CPA firms (the 1993 POB report).

1995 Directors, Management, and Auditors, Allies in Protecting Shareholder Interests, by the POB (the 1995 POB report).

2. Further COSO recommendations. The Treadway report also called for the COSO groups to develop a common definition of internal control and to provide guidance for judging the effectiveness of internal controls. COSO issued its report, Internal Control, Integrated Framework, in September 1992. It provided a foundation for assessing the effectiveness of a corporation's internal control structure and detailed the attributes of an effective control system. This COSO report emphasized the audit committee's role in establishing the tone at the top, explicit moral guidelines about right and wrong and the obligation to communicate ethical values to all employees.

However, it also explicitly assigned some responsibilities to management, mostly the duty to keep the committee informed of both routine and controversial or sensitive information and to make that information available to the committee on a timely basis. Some examples of sensitive information: travel expenses of senior officers, significant litigation, investigations by regulatory agencies, embezzlement or misuse of corporate assets, violations of insider trading rules, political payments and illegal payments.

3. The MacDonald report. In Canada, the same circumstances that had prompted formation of the Treadway commission motivated the CICA to form the Commission to Study the Public's Expectations of Audits, resulting in the MacDonald Report. Issued in 1988, it contained many of the same recommendations as the Treadway report. Although primarily directed at corporations operating in Canada, its guidance is equally applicable to the audit committees of U.S. corporations.

The MacDonald Report went further than the Treadway report in recommending that the CICA auditing standards committee provide guidance on matters the independent accountant should raise with the audit committee and the actions to take when the audit committee fails to respond appropriately to the concerns raised. The AICPA later adopted a similar recommendation (SAS no. 82, Consideration of Fraud in a Financial Statement Audit).

4. FDICIA. Congress passed the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) in response to the savings and loan crisis. FDICIA requires that management and the independent public accountant report on the effectiveness of internal controls over financial reporting. It also establishes requirements for the membership of, and guidance on the duties of, audit committees. Although FDICIA is applicable only to depository institutions insured by the FDIC, some of the act's provisions are appropriate for other corporations pursuing best practices.

FDICIA drew heavily on both the Treadway and the MacDonald reports but went further in two areas: (1) defining independence for audit committee members and (2) requiring that, for banking institutions with more than $3 billion in assets, audit committee members have banking or related financial management expertise.

5. The first POB report. In 1993, the POB issued In the Public Interest, A Special Report. The POB became concerned with the extent and effect of litigation against independent accounting firms, including cases such as United States v. Arthur Young & Company, Standard Charter v. Price Waterhouse and Miniscribe v. Coopers & Lybrand. In United States v. Arthur Young, the U.S. Supreme Court described the independent audit as a public watchdog function, noting that the independent public accountant owes ultimate allegiance to the corporation's creditors and stockholders, as well as to the investing public. This "public watchdog" function demands that the accountant maintain total independence from the client at all times and requires complete fidelity to the public trust. If investors were to view the auditor as an advocate for the corporate client, the value of the audit might well be lost.

Clearly, the public impression of the accounting profession and its conduct of audits had suffered. In response to this litigation, the POB report dated March 5, 1993, affirmed that the integrity and reliability of audited financial statements are critical to the wellbeing of the American economy and went on to recommend steps to regain public confidence in the accounting profession. In the Public Interest encouraged independent accountants to help audit committees understand their responsibilities and to make recommendations to the committees to help them improve the internal controls of the corporations whose shareholders they represent, in other words, to go further than the minimum requirements of an audit by issuing a management letter. According to the report, audit committee members should request such a letter if they are not getting one. Any management resistance to the idea of asking the independent accountants for a management letter should raise a red flag for the audit committee and the auditors.

6. The second POB report. In 1995, the POB issued another report, Directors, Management, and Auditors, Allies in Protecting Shareholder Interests, which highlighted the importance of informed discussions between independent accountants and audit committees. The 1995 POB report, noting that audit committees play a critical role in the corporate governance process, recommended a series of best practices to make the relationship between the independent accountant and the audit committee more effective. One such practice: The independent auditor's engagement letter should specify that the client is the audit committee, making it clear that the auditor is not beholden to management. Another, in the words of Jerry D. Sullivan, the POB executive director: Corporate boards and audit committees should expect to receive, and independent auditors should deliver, forthright and candid reports in a timely manner on the quality, not just the acceptability, of a company's financial reporting. In fact, Sullivan refers to that recommendation as the central suggestion of the 1995 report.

These best practices generally move the substance of the audit away from a compliance and rule orientation and toward the qualitative. For example, if a corporation has a much more liberal policy on merchandise returns than its competitors, that fact, and its implications for revenue recognition, should be discussed with the audit committee, even though GAAP would permit the sales to be booked.

Before I joined Glendale Federal, I was a senior manager for a dozen years at a large accounting firm, where I consulted with clients on audit committee issues. I noted a direct correlation between the overall effectiveness of an audit committee and the extent to which its charter reflected best practices. If an audit committee didn't have a charter, or had a very limited charter, its members often were ineffective. When, after joining Glendale Federal in 1991, a new audit committee chairman asked me to draft a fresh charter for the bank's audit committee, in part because of FDICIA, I was in an excellent position to do so. That charter provides the basis for the sample shown in exhibit 4.

Since then, as a member of the AICPA banking and savings institutions committee, I am often called on to advise banks and thrifts when they update their charters. Most of that advice is not specific to banking institutions but is applicable to all audit committee charters. Of course, this one model is not a perfect fit in all situations. Many features have to be customized to fit the particular situation at an organization. A board of directors often will seek the advice of consultants or lawyers when it develops a new charter or revises an existing one. To meet its fiduciary responsibilities, it is best to approve the charter formally, review it periodically and revise it as necessary when conditions change. The audit committee may find a record of the deliberations leading to the final document helpful, especially if disagreements about interpretation arise.

Exhibit 5: Percentage of Companies Following Treadway Commission Recommendations

