An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.
In a U.S. publicly traded company, an audit committee is an operating committee of the board of directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members. A qualifying (cf. paragraph "Composition" below) audit committee is required for a U.S. publicly traded company to be listed on a stock exchange. Audit committees are typically empowered to acquire the consulting resources and expertise deemed necessary to perform their responsibilities. The role of audit committees continues to evolve as a result of the passage of the Sarbanes-Oxley Act of 2002. Many audit committees also have oversight of regulatory compliance and risk management activities.
Not for profit entities may also have an audit committee.
Internationally, an audit committee assists a board of directors to fulfil its corporate governance and oversight responsibilities in relation to an entity's financial reporting, internal control system, risk management system and internal and external audit functions. Its role is to provide advice and recommendations to the board within the scope of its terms of reference / charter. Terms of reference and requirements for an audit committee vary by country, but may be influenced by economic and political unions capable of passing legislation. The European Union directives are applied across Europe through legislation at the country level. Although specific legal requirements may vary by country in Europe, the source of legislation on corporate governance issues is often found at the European Union level and within the non-mandatory corporate governance codes that cross national boundaries.
- Institute of Internal Auditors definition: "The Audit committee refers to the governance body that is charged with oversight of the organization’s audit and control functions. Although these fiduciary duties are often delegated to an audit committee of the board of directors, the (...) Practice Advisory is also intended to apply to other oversight groups with equivalent authority and responsibility, such as trustees, legislative bodies, owners of an owner-managed entity, internal control committees, or full boards of directors" (IIA Practice Advisory 2060-2 of 2004).
- In Nigeria, the Audit Committee is defined as a “Committee of Directors and the enterprises shareholders representatives whose specific responsibility is to review the annual financial statements before submission to the Board of Directors”.
- In Uzbekistan, an audit committee is a committee consisting of the members of the supervisory board of an economic entity, as a rule including at least one independent member, responsible for establishing control over the correctness of financial reporting, selection of an independent auditing organization, overseeing audit processes, as well as obtaining and reviewing the results of internal and external audits ("Law on Audit Activity").
- The above definitions are focused on the private sector. A similar definition has been developed by the government auditors in the INTOSAI’s Internal Control Standards: "A committee of the Board of Directors whose role typically focuses on aspects of financial reporting and on the entity's processes to manage business and financial risk, and for compliance with significant applicable legal, ethical, and regulatory requirements. The Audit Committee typically assists the Board with the oversight of (a) the integrity of the entity's financial statements, (b) the entity's compliance with legal and regulatory requirements, (c) the independent auditors' qualifications and independence, (d) the performance of the entity's internal audit function and that of the independent auditors and (e) compensation of company executives (in absence of a remuneration committee)." (Standard INTOSAI GOV #9100, "Internal Control Standards for the Public Sector", annex 2).
In India, according to Section 177(1) of the Companies Act 2013, the Board of Directors of every listed company and such other class or classes of companies, as may be prescribed, shall constitute an Audit Committee.
As per Rule 6 (Committees of the Board) of the Companies (Meetings of Board and its Powers) Rules, 2014, the Board of Directors of every listed company and of the following classes of companies shall constitute an Audit Committee and a Nomination and Remuneration Committee of the Board:
All public companies having:
- Paid-up Capital ≥ ₹10 Crore;
- Turnover ≥ ₹100 Crore;
- Loans + Borrowings + Debentures + Deposits ≥ ₹50 Crore.
Usually, membership of the committee is limited to a maximum of 6 persons.
- In the US, a qualifying audit committee is required for listed publicly traded companies. To qualify, the committee must be composed of independent outside directors with at least one qualifying as a financial expert.
- The European Union's 8th Directive on company law 2006/43/EC states that “Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing.”
- Institute of Internal Auditors best practice: “The audit committee will consist of at least three and no more than six members of the board of directors... Each committee member will be both independent and financially literate. At least one member shall be designated as the "financial expert" as defined by applicable legislation and regulation”.
Boards of Directors and their committees rely on management to run the daily operations of the business. The Board's role is better described as oversight or monitoring, rather than execution. Responsibilities of the audit committee typically include:
- Overseeing the financial reporting and disclosure process.
- Monitoring choice of accounting policies and principles.
- Overseeing hiring, performance and independence of the external auditors.
- Oversight of regulatory compliance, ethics, and whistleblower hotlines.
- Monitoring the internal control process.
- Overseeing the performance of the internal audit function.
- Discussing risk management policies and practices with management.
The duties of an audit committee are typically described in a committee charter, often available on the entity's website.
- European Union: Directive 2006/43/EC, article 41.2: (...) the audit committee shall, inter alia: (a) Monitor the financial reporting process; (b) Monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; (c) Monitor the statutory audit of the annual and consolidated accounts; (d) Review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity.
- Public sector: Cf. Standard INTOSAI GOV #9100 
Role in oversight of financial reporting and accounting
Audit committees typically review financial statements quarterly and annually in public companies. In addition, members will often discuss complex accounting estimates and judgments made by management and the implementation of new accounting principles or regulations. Audit committees interact regularly with senior financial management such as the CFO and Controller and are in a position to comment on the capabilities of these managers. Should significant problems with accounting practices or personnel be identified or alleged, a special investigation may be directed by the audit committee, using outside consulting resources as deemed necessary.
External auditors are also required to report to the committee on a variety of matters, such as their views on management's selection of accounting principles, accounting adjustments arising from their audits, any disagreement or difficulties encountered in working with management, and any identified fraud or illegal acts.
Role in oversight of the external auditor
Audit committees typically approve selection of the external auditor. The external auditor (also called a public accounting firm) reviews the entity's financial statements quarterly, audits the entity's financial statements annually, and issues an opinion providing assurance on the entity's annual financial statements. Changing an external auditor typically also requires audit committee approval. Audit committees also help ensure the external auditor is independent, meaning no conflicts of interest exist that might interfere with the auditor's ability to issue its opinion on the financial statements.
- European Union: Directive 2006/43/EC, article 41.3 and 41.4: "In a public-interest entity, the proposal of the administrative or supervisory body for the appointment of a statutory auditor or audit firm shall be based on a recommendation made by the audit committee. The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process."
Role in oversight of regulatory compliance
Audit committees discuss litigation or regulatory compliance risks with management, generally via briefings or reports of the General Counsel, the top lawyer in the organisation. Larger corporations may also have a Chief Compliance Officer or Ethics Officer who reports incidents or risks related to the entity's code of conduct.
Role in monitoring the effectiveness of the internal control process and of the internal audit
Internal control includes the policies and practices used to control the operations, accounting, and regulatory compliance of the entity. Management and both the internal auditing function and external auditors provide reporting to the audit committee regarding the effectiveness and efficiency of internal control.
- IIA Practice Advisory: Cf. PA1110-1 paragraphs 2 and 3 (where the “board” means “an organization's governing body, such as a board of directors, supervisory board, (...) any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report”).
- European best practice for the role of the Audit Committee in overseeing internal audit.
Role in oversight of risk management
Organizations have a variety of functions that perform activities to understand and address risks that threaten the achievement of the organization's objectives. The policies and practices used by the entity to identify, prioritize, and respond to the risks (or opportunities) are typically discussed with the audit committee. Having such a discussion is required for listing on the New York Stock Exchange. Many organizations are developing their practices towards a goal of a risk-based management approach called Enterprise risk management. Audit committee involvement in non-financial risk topics varies significantly by entity. Dr. Ram Charan has argued for risk management early warning systems at the corporate board level.
- European best practice for the role of the Audit Committee in risk management: cf.
Impact of the Sarbanes–Oxley Act of 2002
The Sarbanes–Oxley Act of 2002 increased audit committees’ responsibilities and authority. It raised membership requirements and committee composition to include more independent directors. Companies were required to disclose whether or not a financial expert is on the committee. Further, the Securities and Exchange Commission and the stock exchanges proposed new regulations and rules to strengthen audit committees.
Below are a few key milestones in the evolution of audit committees:
- 1939: The New York Stock Exchange (NYSE) first endorsed the audit committee concept.
- 1972: The U.S. Securities and Exchange Commission (SEC) first recommends that publicly held companies establish audit committees composed of outside (non-management) directors.
- 1978: NYSE adopts a listing requirement that audit committees be composed entirely of independent directors.
- 1988: AICPA issues SAS 61 "Communication with Audit Committees" addressing communications between the external auditor, audit committee and management of SEC reporting companies.
- 1999: NYSE, NASD, AMEX, SEC and AICPA finalize major rule changes based on Blue Ribbon Committee on Improving the Effectiveness of the Corporate Audit Committee.
- 2002: Sarbanes-Oxley Act is passed in the wake of corporate scandals and includes whistleblower and financial expert disclosure requirements for audit committees.
Interaction with the board, and with non-executive board members
- The European Confederation of Institutes of Internal Auditing (ECIIA)’s best practice:
"The work of the audit committee can only be valuable if sufficient time is allotted on the board agenda for the audit committee to present the results of its work. The audit committee should also feel that the board is taking appropriate action on its report."
- European Union best practice: Cf. European Parliament resolution of 10 March 2009 on implementation of Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts (2008/2247(INI)): “(...) Stresses that recent experience shows the need for frequent and high-quality interaction within audit committees and between independent directors, supervisory boards and auditors; and that non-executive board members should consider carefully the possibility of having meetings without executive board members being present.”
Frequency of interaction with management
Many audit committee chairpersons conduct interim calls with key members of management between quarterly meetings. Key contacts may include the CEO, CFO, Chief Auditor, and external audit partner. Many boards also schedule dinners prior to formal meetings that allow informal interaction with management. Some companies also require their boards to spend a certain amount of time learning their operations beyond board meeting attendance.
These are formally scheduled private meetings between the audit committee and key members of management or the external auditor. These meetings typically are unstructured and provide the opportunity for the committee to obtain the feedback of these managers in private. A key question audit committee members ask in such sessions is: "Is there anything you would like to bring to our attention?"
Audit committees should complete a self-evaluation annually to identify improvement opportunities. This involves comparing the committee's performance versus its charter, any formal guidelines and rules, and against best practices. Such a review is confidential and may or may not include evaluations of particular members.
Various consulting and public accounting firms perform research on audit committees, to provide benchmarking data. Some results are identified below:
- 54% of committee members surveyed felt the audit committee was "very effective", while 38% indicated "somewhat effective."
- Risk management, internal control, and accounting estimates and judgments were the top priority areas for 2007.
- Most audit committees have 3-4 members and are usually chaired by persons with experience as a CFO, external auditor, or CEO.
- Audit committees meet 6-10 times per year, either face-to-face or via teleconference, with the former lasting from 1–4 hours and the latter 1–2 hours.
- Audit committee members devoted 50–150 hours to their responsibilities each year.
- The percentage of audit committees with oversight responsibility for: IT compliance (66%), business continuity (50%), and information security (45%).
- 41% were "very satisfied" with the internal audit function, while 52% were "somewhat satisfied."
- Two-thirds felt the Chief Internal Audit position was for a professional internal auditor, rather than as a "stepping stone" to other roles.
- 93% indicated the audit committee was "somewhat" or "much more" effective since the Sarbanes-Oxley Act was implemented in 2002.
- 58% of committee members were "somewhat satisfied" that they understood management's processes to identify and assess significant business risks.
- Only 17% of audit committees had primary responsibility for oversight of non-financial risk; the full board had this responsibility in 56% of companies.
In a 2011 study, the Council of Europe concluded that: “The Benchmarking results from a sample of 15 international organisations in Europe show that 11 have an audit committee (of which the name may vary from Audit Committee, Advisory Committee on Audits, Audit Advisory Board, Audit Progress Committee, Finance and Audit Committee, Independent Advisory Oversight Committee, Independent Audit Advisory Committee of Experts) and in seven, the Audit committee plays a role in the selection of the External Auditor".
A 2009 study on 23 international organisations showed that 10 had an Audit Committee and 3 considered having one in future, with 8 reporting to the Governing Body level and 2 reporting to DG/Executive Director level. The sizes of all Audit Committees were between 3 and 9 members, with 5 committees having a mix of external expert members and internal members.
- Example of Audit Committee Terms of Reference: at the Council of Europe (1. Guiding principle, 2. Role of the committee, 3. Membership of the committee, 4. Terms of appointment, 5. Rules and procedures, 6. Access to documents, 7. Reporting, 8. Resources): wcd.coe.int/wcd/ViewDoc.jsp?id=1684131&Site=CM 12 January 2011.