Audit Committee

What is an audit committee?

Half the ISA 260 communications we review never reach an audit committee at all. The management letter goes to the finance director, the file gets a tick next to "communications sent," and the people actually responsible for overseeing management's response to audit findings never see them. The committee exists on the organisation chart but not in the engagement's communication path.

An audit committee is a sub-committee of the board that oversees the financial reporting process, the external auditor, the internal control system, and regulatory compliance. ISA 260.4 establishes the auditor's responsibility to communicate with those charged with governance (TCWG), and in many entities the committee is the body that fulfils this role.

ISA 260 .A5 addresses how the auditor decides whether to communicate with the committee, the full board, or both. Where an audit committee exists with delegated responsibility for oversight of financial reporting, the auditor generally communicates with the committee. But the auditor must understand the committee's actual terms of reference (some committees have advisory roles only, with final authority resting with the full board).

The committee also has a receiving role under ISA 265 . When the auditor identifies significant deficiencies in internal control, ISA 265.9 requires written communication to TCWG. In practice, the committee receives the management letter or equivalent communication and is expected to make sure management addresses the findings.

Why it matters in practice

In our experience, the most common error is directing ISA 260 communications to management instead of TCWG. Teams send the management letter to the finance director and treat the obligation as complete. If the FD is management, not governance, the communication has not reached the intended recipient. Nobody enjoys the conversation about whether the FD counts as TCWG, but skipping it is how files get flagged in an inspection.

On smaller engagements, teams record "not applicable" for the committee assessment. ISA 260.10 still requires the auditor to identify who is charged with governance, even if no committee exists. On an owner-managed entity, the owner-manager may fulfil both management and governance roles. The auditor must document this dual role and direct ISA 260 communications accordingly. The file should tell a story about who received what, and why the recipient met the TCWG definition.

Where an audit committee does exist, its effectiveness is part of the control environment assessment under ISA 315 .A83. An active committee that meets four times a year, has members with financial expertise, receives management papers in advance, and pushes back on significant accounting judgments is a positive indicator. A committee that meets once a year and approves the FS without discussion provides minimal oversight, and the auditor's control environment evaluation should reflect that.

Key standard references

• ISA 260.4 : Establishes the communication requirement with those charged with governance.
• ISA 260 .A1: Describes variations in governance structures across jurisdictions.
• ISA 265.9 : Requires written communication of significant deficiencies to TCWG.
• ISA 315 .A83: Links audit committee effectiveness to the control environment assessment.

Related terms

Related reading

Frequently asked questions