What is an Audit Committee?
ISA 260.4 establishes the auditor's responsibility to communicate with those charged with governance. In many entities, the audit committee is the body that fulfils this role. The committee typically oversees the financial reporting process, the appointment and work of the external auditor, the entity's internal control system, and regulatory compliance.
ISA 260.A5 addresses how the auditor determines whether to communicate with the audit committee, the full board, or both. Where an audit committee exists with delegated responsibility for oversight of financial reporting, the auditor generally communicates with the committee. But the auditor must understand the committee's actual terms of reference — some committees have advisory roles only, with final authority resting with the full board.
The audit committee also has a receiving role under ISA 265. When the auditor identifies significant deficiencies in internal control, ISA 265.9 requires written communication to those charged with governance. In practice, this means the audit committee receives the management letter or equivalent communication and is expected to ensure that management addresses the findings.
Key Points
- ISA 260.4 requires communication with those charged with governance, often through the audit committee.
- Committee effectiveness is a control environment indicator under ISA 315.A83.
- ISA 265.9 requires written communication of significant deficiencies to TCWG.
- Not every entity needs an audit committee, but ISA 260.10 still requires identifying who is charged with governance.
Why it matters in practice
The most common error is directing ISA 260 communications to management instead of those charged with governance. Teams send the management letter to the finance director and treat the obligation as complete. But if the finance director is management, not TCWG, the communication has not reached the intended recipient. The people responsible for overseeing management's response to audit findings may never see them.
On smaller engagements, teams record "not applicable" for the audit committee assessment. But ISA 260.10 still requires the auditor to identify who is charged with governance, even if no audit committee exists. On an owner-managed entity, the owner-manager may fulfil both the management and governance roles. The auditor must document this dual role and direct ISA 260 communications accordingly.
Where an audit committee does exist, its effectiveness is part of the control environment assessment under ISA 315.A83. An active committee that meets regularly, has members with financial expertise, and challenges management on significant accounting judgments is a positive indicator. A committee that meets once a year and approves the financial statements without discussion provides minimal oversight, and the auditor's control environment evaluation should reflect this.
Key standard references
- ISA 260.4: Establishes the communication requirement with those charged with governance.
- ISA 260.A1: Describes variations in governance structures across jurisdictions.
- ISA 265.9: Requires written communication of significant deficiencies to TCWG.
- ISA 315.A83: Links audit committee effectiveness to the control environment assessment.
Related terms
Frequently asked questions
Must every entity have an audit committee?
No. Audit committees are required for listed entities in most jurisdictions but optional for private companies. Regardless, ISA 260.10 requires the auditor to identify who is charged with governance, even if no audit committee exists.
How does the audit committee affect the auditor's work?
The committee's effectiveness is a key element of the control environment under ISA 315.A83. An active committee that challenges management on accounting judgments is a positive indicator. The committee also receives ISA 265 significant deficiency communications in writing.