Audit Committee Reporting: The Package That Produces Clean Meetings (and the Pre-Read That Doesn't)

Audit committee pre-reads have a specific, narrower scope than full-board pre-reads, and the discipline that produces clean AC meetings is the discipline of what does not go in the package, not what does.

The audit committee charter is the controlling document, and most mid-market companies under-read it In the engagements we have run with mid-market boards, both PE-backed private companies and IPO-bound companies preparing for public-company governance, the most consistent finding about audit committee reporting is that the audit committee charter, the document that defines the committee's scope, has been adopted but not operationalized. The charter typically references SOX-derived expectations (oversight of the external auditor, oversight of internal control over financial reporting, oversight of the financial statements, oversight of risk management, oversight of compliance), but the pre-read the committee actually receives does not align to these scopes, and the meeting devolves into a re-read of the full board package. The pattern matters because the audit committee's responsibilities are not delegable to the full board. SOX requires (for public companies) that the audit committee be directly responsible for the appointment, compensation, and oversight of the external auditor; that the audit committee establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters; and that the audit committee pre-approve all audit and permitted non-audit services. For PE-backed private companies preparing for IPO or for sale to a public buyer, the same scopes apply prospectively and warrant operating the audit committee as if SOX already applied, because the auditor, the underwriter, and the buy-side diligence team will all eventually evaluate the committee's record under those standards. The pre-read is the artifact that operationalizes the charter, and the seven sections we describe below are the sections we observe consistently produce clean meetings. The structure is unforgiving by design; what goes in the AC pre-read goes in, and what does not goes to the full board package or to a separate distribution. Section one: external auditor's planning memo and audit-status update The external auditor's planning memo is the artifact the auditor produces at the start of the audit cycle (typically in Q3 or Q4 of the fiscal year, before fieldwork begins) and updates throughout the audit, and the AC pre-read for the relevant quarter should include the most recent version. The planning memo describes the auditor's risk assessment for the engagement, the planned audit response (which areas will receive substantive testing, which will rely on controls testing, which will use analytical procedures), the materiality thresholds (overall financial statement materiality, performance materiality, and the trivial-misstatement threshold), the engagement team and any specialists involved, and the timing and milestones for the audit. The audit-status update, distributed quarterly during the audit cycle, reports against the plan: areas of substantive testing completed, areas in progress, areas not yet started, audit findings to date, management adjustments proposed and accepted, audit difficulties encountered, and any disagreements with management. The update is the artifact that allows the audit committee to discharge its oversight responsibility intelligently rather than ceremonially; without it, the audit committee learns about audit issues at the same time the financial statements are being signed, which is too late for the committee's input to matter. The discipline we recommend: the audit-status update is a standing first item on the AC pre-read during the audit cycle, the external auditor's lead partner attends the AC meeting either in full or for an executive session, and the audit committee has the opportunity each quarter to ask the external auditor "what should we be aware of that management has not raised." Cross-link to /blog/21-day-diagnostic-vs-big-four-audit for the broader audit-and-diagnostic distinction. Section two: financial statements with management's certification The financial statements section of the AC pre-read includes the period's financial statements (P&L, balance sheet, cash flow statement, and statement of stockholders' equity) with footnotes and any MD&A or supplementary information that will be filed or distributed externally. The financial statements are accompanied by management's certification, for public companies, the formal Section 302 and 906 certifications under SOX, and for private companies, an analogous management representation that the statements are prepared in accordance with GAAP, that the disclosure controls operated effectively during the period, and that material weaknesses or significant deficiencies in internal control are identified. The discipline that distinguishes a clean AC review from a rushed one is the depth of the variance and quality-of-earnings discussion in the supporting materials. The financial statements should be accompanied by a memo from the controller (or CFO) that addresses the period's significant accounting estimates, any changes in accounting policies, any new accounting pronouncements affecting the period, the rationale for any unusual or non-recurring transactions, the status of any pending litigation or regulatory matters with accounting implications, and the explanation for any material variances against budget or against the prior period. The audit committee's job in this section is not to re-audit the financial statements, that is the external auditor's job, but to challenge management on the judgments that went into the statements, to ensure the statements present fairly, and to identify any disclosures that warrant additional attention. The challenge function is what distinguishes an audit committee that adds governance value from one that ratifies management's work without scrutiny. Section three: internal control deficiencies and remediation The internal-control section reports on the operation of the company's internal control over financial reporting during the period, for public companies, under the SOX 404 framework with the COSO 2013 internal control standard, and for private companies (especially IPO-bound), under an analogous framework that prepares the company for the SOX 404 attestation requirements that will apply post-IPO. The section includes any control deficiencies identified during the period (whether by management's testing, the external auditor, or internal audit), the classification of each deficiency (control deficiency, significant deficiency, or material weakness), and the remediation status of previously-identified deficiencies. The classification matters because the disclosure consequences differ. Material weaknesses (for public companies) require disclosure in the periodic report and trigger market reactions; significant deficiencies are reported to the audit committee but not publicly disclosed; and control deficiencies that do not rise to either threshold are reported internally and remediated as part of normal operations. The audit committee's oversight responsibility runs to all three classifications, with most of the committee's attention warranted at the material weakness level and at the aggregation of significant deficiencies into a possible material weakness. The remediation discipline is the part of this section that most often goes wrong. A control deficiency identified in Q1 should be remediated by Q2 or Q3, with the remediation tested and validated; a deficiency that remains unremediated through year-end becomes a finding in the year-end audit, and a pattern of unremediated deficiencies suggests a control environment problem rather than isolated control breakdowns. The pre-read should report remediation by deficiency, with target completion dates, owner names, and current status. Section four: whistleblower hotline activity The whistleblower hotline (under SOX Section 301 for public companies, and under analogous expectations for PE-backed and IPO-bound private companies) is the channel by which employees, contractors, and third parties can report concerns about accounting, internal controls, or auditing matters. The audit committee is required (for public companies) to establish the procedures for receipt and treatment of these reports, and the AC pre-read should include a quarterly summary of hotline activity. The summary covers the volume of reports received, the categories of reports (financial reporting, employment matters, code-of-conduct violations, harassment or discrimination, conflicts of interest, other), the disposition of each material report (investigated, substantiated, partially substantiated, unsubstantiated), the remediation actions taken for substantiated reports, and any open investigations. The audit committee's role in this section is oversight rather than direct investigation; the committee receives the reports, ensures the procedures are operating, and engages directly only when a report implicates senior management or the external auditor. The discipline we recommend: the hotline is operated by a third-party provider (NavexGlobal, ConvercentNow Onesight, EthicsPoint, AllVoices, RedFlag) with reports routed to a defined intake, typically the general counsel, with copy to the audit committee chair for material reports. The AC pre-read includes the quarterly summary, with the audit committee chair reviewing the underlying report-level detail in advance of the meeting. The chair's oversight role on hotline activity is among the most important audit committee responsibilities and is most often delegated unintentionally. Section five: ERM risk register and risk-oversight update Enterprise risk management (ERM) is the company's framework for identifying, assessing, monitoring, and responding to the risks that could affect the company's strategy, operations, financial reporting, or compliance. The risk register is the live artifact that lists the company's identified risks, classifies them by likelihood and impact, assigns risk owners, defines mitigation actions, and tracks status. The audit committee's role in ERM oversight is established under SOX (for public companies) and under emerging governance norms (for private companies), with the committee responsible for reviewing the risk register, challenging the assessment of risks, and ensuring that the risk-mitigation actions are being executed. The AC pre-read's ERM section is the quarterly risk update: new risks identified since last meeting, risks whose likelihood or impact assessment has changed, risks that have been resolved or de-escalated, and the status of mitigation actions on the company's most material risks. The materiality threshold for the AC's attention is typically the top ten or top fifteen risks in the register, with deeper-level risks managed by the relevant operating leaders without explicit AC attention. The discipline that distinguishes a working ERM from a ceremonial one is the connection between the risk register and the company's operating decisions. A risk register that lists "cybersecurity" as a top-five risk with "implementation of MFA" as the mitigation, and that has not changed in three years, is a register that is not being operated. Cross-link to /blog/securem-security-review-methodology-fixed-scope for our methodology on the cybersecurity dimension of the risk register; the same discipline applies to financial, operational, regulatory, and strategic risks. Section six: related-party transactions Related-party transactions are transactions between the company and any party with a direct or indirect relationship to the company, directors, officers, beneficial owners above the relevant threshold, family members of any of the foregoing, and entities controlled by any of the foregoing. SOX Section 404 (for public companies) and analogous private-company governance norms require the audit committee to review and approve all material related-party transactions, with the materiality threshold defined in the company's related-party transaction policy. The AC pre-read's related-party section reports on the period's related-party transactions: new transactions entered into during the period, transactions amended or extended during the period, and the status of any prior transactions (still in effect, expired, terminated). Each transaction is described with the parties, the relationship, the terms, the rationale, the price-vs-arms-length analysis, and the audit committee approval (date, attendees, recusals). The discipline most often missing in mid-market private companies is the related-party transaction policy itself. We have observed companies whose related-party transactions are routinely identified but managed without a written policy that defines the materiality threshold, the approval workflow, the disclosure requirements, and the recusal mechanics for committee members with conflicts. The policy is a one-to-two-page document that the company's board adopts and the audit committee operates. For IPO-bound companies, the related-party transaction discipline becomes a regulatory requirement under Item 404 of Regulation S-K, and the policy and the historical record of related-party approvals become part of the registration statement's disclosures. Cross-link to /blog/private-company-mda-ipo-readiness for the IPO-readiness implications. Section seven: complex accounting estimates The complex accounting estimates section reports on the company's significant accounting estimates that involve material judgment, revenue recognition under ASC 606 (especially variable consideration, contract modifications, and material rights), allowance for credit losses (under ASC 326), inventory valuation (lower of cost or net realizable value, especially for slow-moving or obsolete inventory), goodwill and intangible asset impairment (under ASC 350), long-lived asset impairment (under ASC 360), income tax provisions (especially uncertain tax positions under ASC 740), stock-based compensation (under ASC 718, especially for grants with performance conditions), and any other estimate the company's external auditor has flagged as a critical audit matter. For each estimate, the section describes the methodology, the key assumptions, the sensitivity of the estimate to changes in assumptions, and any change in methodology or assumptions from the prior period. The audit committee's role is to challenge management on the assumptions, to compare the assumptions to the prior period and to industry norms, and to ensure the estimates are consistent with the external auditor's view of the underlying judgments. The complex accounting estimates section is the section the audit committee most often skips and is the section the external auditor most often wants the committee to engage with. The disconnect produces audit committee meetings in which the auditor surfaces a significant audit matter that the committee was not aware of, and the committee's response is to ratify management's position rather than to challenge it. The fix is to include the complex accounting estimates section as a standing item on the AC pre-read, with the auditor's perspective on each estimate referenced explicitly. What does not go in the AC pre-read: the discipline of exclusion The AC pre-read should exclude content that belongs to the full board's responsibilities. Operational status updates (revenue, sales pipeline, headcount efficiency, customer wins and losses) belong in the full-board package, not the AC pre-read. Investor reporting metrics (the twelve metrics described in our KPI dashboards field guide) belong in the investor-reporting cadence, not the AC pre-read. Day-to-day finance work (close progress, team capacity, vendor selections, system implementations) belongs in management's operating reviews, not the AC pre-read. The exclusion discipline matters because the AC has a defined scope, and including content outside that scope dilutes the committee's attention to the matters within scope. The AC chair and the CFO should review the pre-read together before distribution, with the explicit question "does this section relate to the AC's defined scope, or does it belong elsewhere?" Sections that fail this test are routed to the full board or to a separate operational distribution. The cross-reference to /blog/board-reporting-decisions-not-status is direct: the full-board pre-read is the home for the operational and investor-reporting content, and the AC pre-read is the home for the audit, control, risk, and compliance content. The two pre-reads are different documents, with different distribution and different attention from different audiences. The cadence: quarterly, with ad-hoc on incidents The standard AC cadence is quarterly, aligned with the quarterly close cycle, with the meeting timed to occur after the quarterly close is substantially complete and the financial statements are in near-final form. This timing allows the AC to review the financial statements before they are released externally and allows the external auditor to attend with substantively-complete review work. The ad-hoc cadence applies to incidents: a significant control deficiency identified out-of-cycle, a material whistleblower report, a related-party transaction requiring approval, a regulatory inquiry, a significant change in the auditor's planning memo, a fraud detection, or a material adverse legal development. The AC chair and the CFO have a standing protocol for triggering an ad-hoc meeting, with the meeting scheduled within five-to-ten business days of the trigger event and the agenda focused narrowly on the triggering matter. The annual cadence adds the year-end financial statement review, the auditor's report on internal control (for public companies), the auditor's appointment and independence review, and the audit committee's self-assessment. The self-assessment is a once-yearly review by the audit committee of its own performance against the charter, with findings used to update the charter or the operating procedures for the following year. The executive session with the external auditor: a structural feature, not an afterthought The executive session, the portion of the AC meeting in which the external auditor meets with the audit committee without management present, is the structural feature that allows the auditor to surface concerns the auditor would not raise in management's presence. The session is required (for public companies) by NYSE and Nasdaq listing standards, and we recommend it as standard practice for PE-backed private companies preparing for IPO or for any private company with a robust audit committee. The discipline of the executive session is in the consistency: the session is a standing agenda item at every AC meeting (not only at year-end), the agenda includes a structured prompt ("does the auditor have any concerns the committee should be aware of that have not been raised in the open portion of the meeting?"), and the AC chair is responsible for maintaining the session's confidentiality with respect to management while ensuring that any actionable concerns are followed up appropriately. The companion executive session with the CFO (without the rest of management) and with the controller (without the rest of management) is a less-common but increasingly-recommended practice that allows the AC to hear directly from the CFO and the controller about concerns regarding tone-at-the-top, accounting judgments, or pressure on financial reporting. The companion sessions should be brief (five to ten minutes each) and structured around defined questions. The audit committee charter for private companies: the prospective SOX overlay For PE-backed private companies above approximately $50M in revenue, and for any private company anticipating an IPO within three years, we recommend operating the audit committee under a charter that prospectively adopts the SOX-derived expectations the company will eventually be subject to. The charter typically includes (a) the committee's composition (a minimum of three independent directors, with at least one financial expert under the SEC's definition), (b) the committee's responsibilities (oversight of the external auditor, oversight of internal control, oversight of financial statements, oversight of risk management, oversight of compliance), (c) the committee's authorities (engagement of external counsel and advisors, access to management and the auditor, ability to hold executive sessions), and (d) the meeting cadence and the reporting line to the full board. The financial expert designation is the requirement most often unmet in mid-market private companies, and it is the requirement that becomes most consequential in the registration window. The SEC's definition of financial expert (under Item 407 of Reg S-K) requires either (a) experience as a public company CFO, controller, principal accounting officer, or auditor, or (b) experience supervising a person who held one of those positions. The pool of qualified financial experts is narrower than most private-company boards realize, and identifying and recruiting the financial expert two years before the registration window is the discipline that prevents a last-minute scramble. Cross-link to /blog/private-company-mda-ipo-readiness for the IPO-readiness governance roadmap. What we recommend Operate the audit committee under a charter that documents the committee's scope, responsibilities, and authorities, even for private companies, and especially for PE-backed and IPO-bound companies. The charter is the controlling document, and the AC pre-read should reference the charter explicitly. Build the AC pre-read around the seven sections we describe: external auditor's planning memo and status update, financial statements with management's certification, internal control deficiencies and remediation, whistleblower hotline activity, ERM risk register and risk-oversight update, related-party transactions, and complex accounting estimates. Exclude content that belongs to the full board's responsibilities or to management's operating reviews. Run the executive session with the external auditor as a standing agenda item, not as a year-end formality. The companion executive sessions with the CFO and with the controller add an additional channel for the committee to hear about concerns that would not surface in the open meeting. Maintain the cadence as quarterly with ad-hoc on incidents, and run the annual self-assessment to update the charter and the operating procedures based on the prior year's experience. The self-assessment is the discipline that distinguishes an audit committee that improves over time from one that drifts. For IPO-bound companies, identify the financial expert two years before the registration window. The financial expert designation is a regulatory requirement under Item 407 of Reg S-K, and the recruitment timeline is longer than most private-company boards anticipate. Cross-link to /blog/board-reporting-decisions-not-status for the full-board pre-read structure, /blog/management-vs-financial-reporting-boundary for the disclosure controls discipline, /blog/securem-security-review-methodology-fixed-scope for the cybersecurity dimension of the risk register, and /blog/private-company-mda-ipo-readiness for the IPO-readiness governance roadmap.