Since the entry into force of the Act of 17 December 2008, listed companies and financial companies (i.e. credit institutions and insurance companies) have been obliged to set up an audit committee. The company's auditor works closely with this committee.
The audit committee should be composed of non-executive directors and at least one member should be independent (within the meaning of Article 526ter BCC) and possess the requisite level of expertise in accountancy and auditing. The audit committee should report regularly to the board of directors on the exercise of its duties and in any case when the board draws up the annual accounts, consolidated annual accounts and brief financial overview (intended for publication). In addition, the committee should monitor the financial reporting process, the effectiveness of the company's internal controls and risk management system, internal audits (if any) and the effectiveness thereof, the audit of the annual accounts and consolidated accounts, including follow-up on any questions and recommendations made by the auditor, and the auditor's independence, in particular with respect to the provision of additional services to the company.
Part of the auditor's job is to assist the audit committee. For instance, the auditor reports to the audit committee on key issues raised by the audit of the annual accounts, in particular material weaknesses in internal controls in relation to the financial reporting process. The auditor also checks whether the draft annual report of the board of directors meets the requirements of Article 96 of the Company Code. This means that the auditor must check, for instance, whether the draft report mentions any derogations from the Corporate Governance Code of the company. It should be noted that the auditor can be held liable for failure to fulfil this obligation.
In addition, the auditor should (i) confirm annually to the audit committee in writing its independence from the company, (ii) inform the audit committee annually of any additional services provided to the company, and (iii) examine with the audit committee any risks to its independence and the measures to be taken to minimize such risks.
Due to the close relationship between the audit committee and the auditor, the audit committee is responsible for proposing to the board of directors the appointment (or reappointment) of the auditor.
In addition to the Company Code, the Corporate Governance Code 2009 also contains provisions on the tasks and duties of the audit committee and provides guidance as to what should be done in order to fulfil the statutory duties set out above. The Corporate Governance Code 2009 indicates, for instance, that the audit committee should have at least three members, that at least half the committee's members should be independent (versus one in the Company Code), and that the chairperson of the board of directors cannot also chair the audit committee. The audit committee should meet at least four times a year and review (at least every two to three years) its terms of reference and its own effectiveness and recommend any necessary changes to the board. The committee should meet at least twice a year with the external and internal auditors to discuss the audit process. In addition, an independent internal audit function should be established or, at least once a year, it should be considered whether one is necessary.
Unlike financial institutions, which are subject to specific rules on compliance policies and risk management, listed companies are currently subject to few rules on compliance and risk management. The only provision in the Corporate Governance Code 2009 is that an independent internal audit function should be established, with resources and skills adapted to the company's nature, size and complexity, and that if the company does not have such a position, the need for one should be reviewed at least annually. The Corporate Governance Committee has issued some guidelines which can be of help in the establishment of an internal control and risk management system, the effectiveness of which should be checked by the audit committee at least once a year with a view to ensuring that the main risks (including those relating to fraud and compliance with existing legislation and regulations) are properly identified, managed and disclosed in accordance with the framework approved by the board.
The Corporate Governance Code 2009 further indicates that the audit committee should review the specific arrangements which staff may use to confidentially voice concerns about possible irregularities in financial reporting or other matters. If deemed necessary, arrangements should be made for the proportionate and independent investigation of such matters, including appropriate follow-up actions and schemes whereby staff can inform the chairperson of the audit committee directly. Of course, care should be taken to ensure that the rules on personal data protection are respected when establishing a whistleblowing scheme.