The audit committee calendar: what to ask your IA, when.
Our practice, in detail.
1. The audit committee's role, in two sentences.
The audit committee exists to give the board independent assurance that the company's financial reporting, internal controls and risk management are sound. Internal audit is the committee's principal source of evidence for that assurance; the committee's job is to direct, challenge and act on what the IA function produces.
That is the entire mandate. Everything else (the formal terms of reference, the regulatory requirements, the committee's role in auditor selection) flows from this central purpose.
2. Q1: scoping refresh and prior-period closure.
The first audit-committee meeting of the financial year should cover three items related to internal audit:
- Approval of the annual internal-audit plan (or the rolling 24-month calendar, see our scoping note). The committee asks: has the risk universe been refreshed? Are emerging risks (new plant, new ERP, new geography, regulatory change) reflected in the plan?
- Closure of prior-period findings. The committee asks: of the open findings carried forward, how many closed in Q4? How many remain open beyond their target dates? What is the reason?
- Approval of the IA budget and team composition. The committee asks: is the IA budget commensurate with the scope? Is the team's experience sufficient for the risks identified?
This meeting sets the tone for the year. A committee that approves a plan without challenge has implicitly authorised the IA function to look only at the areas selected.
3. Q2: first IA cycle of the year.
The second meeting reviews the first quarter's internal-audit report. The committee asks:
- What were the high-significance findings, and what is the root cause? The committee should not be reading a list; it should be hearing two or three findings discussed in depth.
- Has management accepted the findings and committed to action? Where there is disagreement, the committee should hear both sides and form a view.
- Are there any findings that suggest the financial statements need review? An IA finding with statement implications (revenue recognition, provisioning, related-party transactions) should escalate to the statutory auditor.
The committee should also check that the executive summary fits on a page and that findings follow the fixed grammar. If they do not, that is feedback to the IA function and to the firm.
4. Q3: IFC interim and continuing cycles.
The third meeting reviews the second quarter's internal-audit report and any interim work on IFC. The committee asks the same questions as in Q2, plus:
- How is the IFC review tracking against the annual timeline? The IFC review should be at the design-effectiveness phase by Q3.
- Are there design gaps that require remediation before year-end? Design gaps cannot be remediated by retesting; they require control redesign, which takes time.
- Status of prior-period high-significance findings - any beyond target dates?
5. Q4: annual IFC, statutory audit interface.
The fourth meeting is the busiest. It covers:
- The annual IFC opinion preparation. The IA function presents the IFC testing results; the committee asks whether any deficiency requires classification as a significant deficiency or material weakness.
- The interaction with the statutory auditor. The committee meets the statutory auditor without management present, and asks specifically about any disagreements with management, scope limitations, or concerns about the control environment.
- The board's IFC representation. The committee reviews the draft IFC representation that will go into the board's report, and ensures it is consistent with the IA testing and the statutory auditor's opinion.
- The next year's IA plan (preliminary). The committee asks the IA function what they have already identified as emerging risks for the next cycle.
6. The three questions every meeting.
Regardless of what is on the agenda, three questions belong in every audit-committee meeting:
"What did internal audit find this quarter that surprised you?"
The answer should not be "nothing". An IA function that surprises no-one is either not looking hard enough or is not telling the committee everything.
"Which open findings worry you most, and why?"
The committee should hear the IA function's judgement, not just the status of the register. The findings that worry an experienced auditor are not always the ones with the highest financial impact.
"Where does management push back on your findings, and how is that being resolved?"
Productive disagreement is healthy. Persistent disagreement is a signal. The committee's job is to know which is which.
Frequently asked
How often should the audit committee meet?
The Companies Act, 2013 prescribes a minimum of four meetings a year for listed and prescribed companies, with not more than four months between meetings. In practice, the cadence aligns with the quarterly results, with additional meetings called as needed for the annual IFC review or for specific events.
Should the internal auditor have direct access to the audit committee chair?
Yes. The internal auditor reports functionally to the audit committee; an open, direct channel to the committee chair (outside formal meetings) is essential and is normally formalised in the IA charter.
What is the audit committee's role in approving the IA firm appointment?
The audit committee recommends the appointment, reappointment, terms and remuneration of the internal auditor to the board. This includes formally approving any change of IA firm and the rotation of the lead engagement partner where applicable.
How does the audit committee handle a finding management rejects?
First, hear both sides. Second, if the disagreement involves a matter of judgement (e.g. classification of an item), the committee may accept either position with reasoning recorded. Third, if the disagreement involves a question of fact (e.g. whether a control exists), the committee may direct further work to resolve the factual question.
What is the role of the audit committee in fraud reporting?
Section 143(12) of the Companies Act, 2013 requires the statutory auditor to report any fraud above the prescribed threshold to the central government, and below the threshold to the audit committee. The audit committee should have a documented protocol for receiving and acting on such reports, including from internal sources, the IA function, and whistleblower channels.