The duties and responsibilities of the audit committee are currently the focus of a great deal of interest, not just in the Netherlands but globally. Measures which are being considered or have recently been adopted range from stricter requirements regarding independence to a greater level of responsibility in the selection and work of the external auditor. In this newsletter, we will be looking at the various developments.
Corporate scandals have led to criticism of audits, and have exposed the fact that there is an urgent need for thorough internal controls. This is the driving force behind the new requirements that are being set to audit committees and their performance. It is a fact that the audit committee is becoming an increasingly important player in the improvement of the internal control, the quality of financial reporting and the external audit. This is in line with the core tasks of the audit committee in the area of internal risk management and control systems, the provision of financial information and the compliance with the recommendations of, and following up on comments by, the internal and external auditors.
The most important source of new regulations for audit committees is the new European audit directive (Directive 2014/56), which must be implemented in the Netherlands by mid-2016 at the latest. The starting shot for this was given end of April with a public consultation, but the rules for the audit committee have not (yet) been included in this. This means that much of what is discussed below has not yet been detailed in the Netherlands context. Apart from the directive, there are new rules for audit committees in Regulation 537/2014 which has direct effect, without implementation. Other matters which are important in the background include the current review of the OECD Corporate Governance principles and – for banks – the BIS Corporate Governance Principles for Banks and the BIS Guidelines on external audits of banks, which were drawn up by representatives of the affiliated central banks. Although these are not binding, they are important indicators for regulators and supervisory authorities.
Obligatory audit committee
The new EU audit rules do not require a change of the Dutch system in which public interest entities (PIEs), in short: listed companies, banks and insurance companies, are required in principle to set up an audit committee, but can choose to designate a different body (for example the supervisory board) to perform the duties of the audit committee (Decision implementing the EU directive on statutory audits of annual accounts and consolidated accounts).
The independence rules for the members of the audit committee of PIEs will be tightened up on the basis of the new audit directive. Currently at least one member must be independent within the meaning of the Dutch Corporate Governance Code (Decision implementing the EU directive on statutory audits of annual accounts and consolidated accounts). In future, this will be the majority, which in any event should include the chairman (see below). Assuming the current Corporate Governance Code, listed PIEs will continue to be subject to the stricter regime of the Code, which stipulates that a maximum of one member of the entire supervisory board may not be independent. The new rules are therefore of particular importance to non-listed PIEs.
According to the new audit directive, in future the chairman of the audit committee will have to be independent; the current rules do not address this point. The Corporate Governance Code, which is only applicable to listed companies, only stipulates that the chairman cannot be the chairman of the supervisory board or a former director of the company.
Expertise and experience
Currently, at least one member of the audit committee must be a financial expert within the meaning of the Corporate Governance Code (III.3.2), meaning that this person must have acquired relevant knowledge and experience in the area of financial administration/accounting. This requirement will be supplemented and tightened up.
The new EU audit rules require that the members of the audit committee "as a whole" must have expertise which is relevant to the sector in which the audited entity is active. The existing requirement, that at least one member has the necessary expertise in the area of accountancy and/or auditing, has been maintained.
We note that this differs from the BIS consultation referred to above in which the requirement is made that all members have thorough knowledge of financial reporting, internal control and auditing, or the necessary experience which makes a thorough supervision of these subjects possible. The 2015 (Dutch) Banking Code also takes this approach.
One important factor with regard to the future supervision of audit committees is that the AFM expressed concern in its Audit Committees Report published at the end of March regarding the level of expertise within audit committees. Further research among supervisory directors of smallcap funds has shown that they do not generally have backgrounds in the areas of reporting, auditing or internal control.
Duties and responsibilities
In the Netherlands, auditors of companies are appointed by the general meeting of shareholders. The Corporate Governance Code stipulates that the supervisory board make recommendations for this, in which context both the audit committee and the board of directors issue advice. The AFM has indicated that the board of directors is nevertheless taking too big a role in the process of selection of the auditor. On the grounds of the new EU audit rules, the audit committee must bear responsibility for the procedure of selection and recommendation of the auditor to be appointed. The Minister of Finance has also committed to amending the law in order to reduce the role of the board of directors, in which context both the appointment regulation itself will be amended, and the manner of instructing, and the reporting by, the external auditor. This could eventually mean that the Dutch rules are stricter on this point than the European regulations.
On the grounds of the new audit directive, the audit committee must notify the board of directors, or – more logically in the Dutch context – the supervisory board regarding the result of the audit, and explain how the statutory audit has contributed to the integrity of the financial reporting, and which role the audit committee has played in this. It will be helped in this by the fact that the auditor will have to draw up an extensive audit opinion for the audit committee in future. This does not affect the fact that it is increasingly being expected of the audit committee that it carry out its own research into the quality of the audit, as is shown not only from the AFM report and the new audit directive, but also from the BIS consultation.
It has been proposed – specifically for banks – that the audit committee be made responsible for evaluating external advice regarding the structure and effectiveness of the risk management and control structure (BIS consultation). This also increases the duties of the audit committee, although it is in line with its already existing core responsibilities of monitoring the risk management and control structure.
It is possible that the audit committee will be given a role – set down in law – as discussion partner for the internal audit function (IAD). There is currently no concrete obligation for institution of an IAD. This is stipulated for banks in the 2015 Banking Code, while the Corporate Governance Code only stipulates an annual "needs evaluation" in the event that no internal audit function is present. The new EU auditing rules remain silent on this subject. However, the debate does seem to be moving in that direction. For example, the report of the AFM notes that audit committees must be fully of the risks attached to not having an internal auditor and the extra responsibility that this demands of the supervisory directors regarding the internal risk management and control systems.
Under the new EU audit rules, the audit committee will play a larger role in the assessment of the independence of the auditor and threats to it, not only when this involves auditing services, but also with regard to the permitted – with restrictions – combination of auditing and non-auditing services.
Finally, it is worth noting that no concrete regulations have been included to strengthen communication or dialogue between the external auditor and the audit committee. This does not affect the fact that this is generally considered desirable, as is also shown in the preamble to the new auditor regulation (no. 14). The AFM also came out in favour of this in its audit committee report. The BIS Guidelines on external audits of banks referred to above do contain concrete guidelines, specifically for banks, on the dialogue between the audit committee and external auditors. We would not be surprised if the AFM issues further guidelines on this dialogue at a later stage.
The Dutch implementation of the new audit directive has recently started, without the new rules for audit committees being included in it. It is probable that, to this end, the Decision on Statutory Audits of Consolidated and Other Annual Accounts referred to above will be amended at a later date. We discussed a number of options which will come into play in this respect. One of these is whether the current regulation of audit committees in the Corporate Governance Code can be maintained or whether (more) compulsory measures are needed.
As part of a broader trend, contacts between supervisory authorities and the audit committee will probably become more intensive. The AFM is hoping that its study will make a further contribution to and provide greater depth to the dialogue with audit committees. The legislature has further plans to permit the AFM to share findings from the supervision of auditors pertaining to individual audits with the supervisory board; it is probable that the audit committee or its chairman will become the primary point of contact for the supervisory authority. This is also common practice in – for example – the United Kingdom. In Germany, this has even gone a step further, and it has been proposed that the audit committee must provide information on the result and implementation of its work at the request of the supervisory authority.
Finally, it will be interesting to see how the extensive "supplementary audit opinion" will develop for the audit committee in practice; this is new territory for all the parties involved. The Dutch implementation of this part of the EU audit rules will be fleshed out at a later phase; there is currently only a legal basis being created for this. In some member states, thought is currently already being given to the supplementary opinion, for example see the UK consultation. We can imagine that the AFM will be given the authority to implement further regulations on this point.