Audit committees and assurance: conversation starters

Published: 4 October 2023

5 minute read

Assurance and other topics discussed by audit committees are vital to investors' understanding of companies. These are particularly relevant to financial reporting and internal control. The audit committee report is a valuable source of information for investors. However, direct conversations with audit committee chairs, too, can act as a helpful additional resource. They could provide insight into the company’s approach to current and future areas of regulatory focus and market participants' areas of interest.  

Investors may not, traditionally, have engaged in discussions with audit committee chairs.

In order to promote such conversations, the FRC has developed a series of ‘conversation starters’ for investors to consider.

The conversation starters are structured by topic and include an initial ‘broad’ question with several more detailed follow-up questions.  

Below is the first in a series of conversation starters for use by investors wishing to engage with audit committees and companies on assurance-related topics. Future areas of focus may include, further ESG-related considerations, approach to materiality, contextualising risk and business model, use of emerging technology and other topical issues as they emerge.

Significant matters

Conversation starter

Please give more detail about the significant issues the committee considered in relation to the financial statements.

Suggested follow-ups

  • How does the committee determine what makes an issue "significant"?
  • How have the significant issues been addressed?
  • How have these significant issues changed since last year? How do you expect them to change in the coming year? Are there any emerging issues which you expect to become significant in the future?
  • How did you decide which significant issues to include in the audit committee report?
  • What system(s) are in place to ensure the committee is able to monitor the evolution of significant issues and to identify further emerging issues?

Further reading

Effectiveness of the audit committee

Conversation starter

Please explain how the committee evaluates its own effectiveness.

Suggested follow-ups

  • Have you made any changes as a result of these evaluations?
  • The demands upon the committee with regards to upcoming amendments to, or new, regulation and emerging areas of risk such as climate, ESG and cyber are increasing all the time. Are you concerned about the resultant increase in workload for the committee?
  • What measures have you taken to ensure that committee members have the skillset to oversee these emerging risks?
  • Is the committee sufficiently diverse to avoid groupthink?
  • Can you give examples of how the committee has challenged company management?
  • What measures have you taken to ensure comments from your internal and/or external auditors regarding the effectiveness of the committee have been considered and relevant actions taken?
  • How often were emerging areas of risk considered and addressed by the committee?

Further reading

Principal risks

Conversation starter

Please describe the committee's role in the oversight of management's principal risk disclosures in the annual report.

Suggested follow-ups

  • What was the committee's role with regards to disclosures around principal risks, going concern, viability, the description of the business model and how opportunities and risks to the business over the longer term have been considered?
  • How does the committee take into account other, emerging areas of risk - such as supply chain resilience, geopolitical, pandemic, etc.?

Further reading

Risks - climate

Conversation starter

Please describe the committee's role in relation to the reporting of climate-related risks.

Suggested follow-ups

  • To what extent is climate change being incorporated into key accounting assumptions about areas such as impairments, depreciation and asset decommissioning?
  • How is this likely to change in future?
  • Where relevant, is the committee satisfied with the level of assurance in the company's TCFD disclosures?

Further reading

Risk - cyber

Conversation starter

What role does the committee play in relation to the company's disclosures about cyber-related risks?

Suggested follow-ups

  • Do the cyber-related risk disclosures adequately reflect the company's preparedness and its understanding of the full threat landscape, company vulnerabilities, mitigating actions and their effectiveness?

Further reading

Risks - fraud

Conversation starter

How does the committee satisfy itself that management has systems in place to detect fraud?

Suggested follow-ups

  • To what extent is the committee involved in the oversight of the company's whistleblowing procedures?
  • How do you ensure that these are appropriate?

Audit effectiveness

Conversation starter

How does the committee measure the effectiveness of the external audit?

Suggested follow-ups

  • Please talk about the relationship with the external auditor. How do you balance the need for cooperation and ongoing dialogue with the requirement to objectively assess the auditor's work?
  • Can you give examples of how you have challenged the auditor's findings?
  • Can you give examples of how the auditor has challenged management?
  • Can you explain the key firm and network level controls relied on to address identified risks to audit quality?
  • Can you discuss the findings of internal and external inspections of the audit (and firm)?
  • Have you obtained feedback about the conduct of the audit from key people involved?
  • Did the audit go to plan? Did any last minute issues arise? Do you feel that the auditor spent enough time on the key areas of risk?
  • Can you explain whether and how the external auditor's management letter indicates a good level of understanding of the business? Have the recommendations been acted on?

Further reading

Planning the audit

Conversation starter

Please describe the committee's role in the planning of the audit.

Suggested follow-ups

  • Did you consult with any shareholders as part of the planning process? If so were there specific areas they wanted the audit to include?
  • How did you decide the key areas of risk for the audit?
  • How have these risk areas changed from previous audits?
  • How are they likely to change in future?
  • How do you decide if the audit fee is appropriate?
  • What are your views on the use of technology in audit?

Further reading

Auditor appointment and tendering

Conversation starter

Please describe the tender process for the appointment of the external auditor.

Suggested follow-ups

  • What factors are most important to you in selecting an auditor?
  • How many applicants were there?
  • Which criteria did you use to assess the applicants?
  • Why did you select the newly appointed firm?
  • How will the transition process be managed?
  • What is the committee's policy with regards to using the external auditor for non-audit services?

Further reading

Internal controls/internal audit

Conversation starter

Please describe the tender process for the appointment of the external auditor.

Suggested follow-ups

  • What factors are most important to you in selecting an auditor?
  • How many applicants were there?
  • Which criteria did you use to assess the applicants?
  • Why did you select the newly appointed firm?
  • How will the transition process be managed?
  • What is the committee's policy with regards to using the external auditor for non-audit services?

Further reading

Internal controls/internal audit

Conversation starter

Please explain the committee's role with regards to monitoring the effectiveness of internal audit.

Suggested follow-ups

  • Have there been any significant issues raised by internal audit and, if so, how has the committee addressed them?
  • How does the committee ensure that the internal audit plan is aligned to the key risks of the business?
  • How does the committee establish, approve, and support the authority, role, and responsibilities of the internal audit function?
  • How does the committee ensure the internal audit function has sufficient resources to fulfil the internal audit mandate and achieve the internal audit plan?
  • Has the committee considered an independent, third party review of internal audit effectiveness?
  • Has the committee ensured an external independent third party quality assessment of the internal audit function is conducted at least every five years?

Further reading