
Audit Committees for entities of public interest

Technical Guidelines 3/2017 CNMV

Spain issues guidelines so that the Auditing Act 22/2015, passed into law on 21st July 2015, can be applied to Entities of Public Interest. They define these as (i) issuers of securities trading on official secondary securities markets, credit institutions and insurance companies subject to supervision and control from the Bank of Spain, the National Securities Exchange Commission and the General Insurance & Pension Funds Directorate, as well as autonomous regional bodies with powers to organise and supervise insurance institutions, respectively, together with issuers of securities trading on the alternative stock exchange market belonging to the growth companies segment; (ii) entities whose regulation is decided on the basis of their significant public relevance because of the nature of their business, their size or their number of employees; and (iii) groups of companies in which the parent company falls into one of the categories mentioned above.

The technical guidelines set out standardised explanations and operating principles for the country’s most important Audit Committees, laying down:

Key principles

  • Responsibility: the audit committee is responsible for advising the Board of Directors and for supervising and monitoring the process of preparing and presenting financial information, the independence of the external auditors, and the efficiency of the internal control and risk management systems.
  • Scepticism: members of the audit committee should be sceptical, questioning the assessment procedures and conclusions reached by the institution’s executives and management, retaining a critical viewpoint and formulating their own position.
  • Constructive dialogue encouraging members to express themselves freely: the audit committee should encourage constructive dialogue among its members, promoting free expression and a critical attitude; the Chair of the committee should verify that all members are participating freely in deliberations without being subjected to pressure internally or from third parties.
  • Continuous dialogue with internal audit, the external auditors and senior management: the audit committee should ensure that communication is effective and regular with its most common interlocutors, especially with: (i) the company’s senior management, particularly with the CEO and CFO; (ii) the head of internal auditing; (iii) the lead auditor in charge of the financial auditing; without this representing a threat to the independent operation of the committee.
  • Sufficient capacity for analysis: the audit committee must have the authority to request and obtain expert advice, legal opinions and reports, when they deem this to be necessary.

How audit committees perform their duties

  • Composition

The Guidelines acknowledge that diversity of gender, professional experience, skills and sectoral knowledge encourages healthy scepticism and a critical attitude. Depending on the complexity, size and activity sector of the institution, ideally at least one of the committee members will have IT experience to make it easier to supervise the internal risk control and management systems, which tend to use complex IT applications.

The criteria for appointments to the audit committee, as well as the requirements members should fulfil, must be specified in the board of directors’ or the audit committee’s regulations.

Members of the audit committee who are also members of the board of directors, which entails having management, economics, financial and business skills, must also have some knowledge of accounting and auditing, as well as internal control, risk management and business management.  Likewise, the committee must have a regular training programme that ensures its members’ knowledge is kept up to date.

In order to ensure that new members of the audit committee have a similar basic level of knowledge about the firm, the guidelines recommend induction programmes, which should address the following areas: (i) the role of the audit committee, its responsibilities and aims; (ii) how the specialist committees set up by the entity operate; (iii) the time dedication expected of each committee member; (iv) 360º vision of the institution’s business and organisational model and of its strategy; (v) the institution’s information requirements.

  • Operations

The Guidelines recommend that the committee should have regulations governing how it operates, approved by the Board of Directors and posted on the company website to make them available to shareholders, investors, regulators and other stakeholders.

The Guidelines sketch the contents of the annual business plan, which should cover the following activities:

  • Establish specific goals for each of the audit committee’s functions.
  • Set an annual calendar of meetings.
  • Organise information and meeting agendas in a systematic fashion.
  • Supplement the audit committee’s formal meetings with sessions or working groups scheduled to prepare particular issues.
  • Plan meetings and other vehicles for regular communication with the institution’s managers, the internal auditor and external auditors.
  • Anticipate the need to use external experts to provide advice in some tasks.
  • Plan such training as may be advisable to carry out certain functions correctly.

Because of the importance, complexity and volume of the functions, the Guidelines recommend that the committee hold at least four meetings a year with the participation of all members of the committee. They also recommend the attendance of certain others (executive directors, managers, employees, etc.) solely to deal with certain points on the agenda and at the invitation of the Chair of the committee. The Chair of the audit committee will act as the spokesperson at board meetings and, if required, at the institution’s general meeting.

The paper makes the institution’s management responsible for the audit committee having access to appropriate, timely and sufficient information so that it can do its job properly.

The committee must have a secretary and the help it needs to plan meetings and agendas, write documents and minute meetings, collate and distribute information, among other tasks. The committee must have enough financial resources to bring in external advice on specific issues.

The Guidelines acknowledge that it is reasonable for committee members, and particularly the Chair, to receive sufficient remuneration commensurate with their responsibility and workload, and that the Chair’s remuneration may be different from that of the other members.

  • Oversight of financial and non-financial information

The Guidelines make clear that it is up to the company management to design and manage the internal control system, while it is the audit committee’s responsibility to supervise it, including the reception of reports from the heads of internal control and internal audit and formulation of conclusions about the extent to which the system is secure and reliable, and to make proposals for improvements.

The institution’s management is also responsible for preparing the financial statements and management reports, which should supply comprehensive, clear, relevant and reliable information that satisfies the applicable standards and other regulations. The audit committee should bear in mind the different sources of information available, when assessing whether the entity has applied accounting policies correctly, using their own judgement to reach an independent conclusion, having reviewed the clarity and integrity of all related financial and non-financial information.

So that the audit committee can operate appropriately, it needs to know about and understand the senior managers’ decisions about how to apply the most significant criteria and the results of the reviews conducted by internal audit, as well as to maintain fluid lines of communication with the external auditors to hear their opinion of the financial information. The committee should also check that the information posted on the entity’s website is kept up to date and coincides with the information formulated by the company directors. As such, in the event of discrepancies with the information posted on the website, the committee must report its opinion to the Board of Directors.

The Guidelines recommend that audit committees supervise how the “whistleblower channel” operates. To that end, the committee must receive regular information about the channel, including the number of complaints received, their source, nature, results of the investigations and proposals for action, so that it can propose the actions required to improve how the channel works and reduce the risk of irregularities in the future.

  • Oversight of risk management and control

On the matter of risk oversight, the paper makes provisions for the audit committee to take charge of the internal control and risk management systems in toto, encompassing both financial and non-financial risks.

The audit committee must regularly assess the need to have an independent area for risk control and management. In the event of the institution deciding not to have its own in-house department, the audit committee should ensure that the entity has implemented alternative processes so that senior management, the audit committee itself and the Board of Directors know whether the risk control and management system has worked as stipulated in the policy approved by the Board, for which the committee must receive regular reports from management on how the systems set up work and the conclusions reached on this. Similarly, if the entity has a specialist risk committee, the functions of the audit committee must be coordinated with those of the committee specialising in risk management and control.

  • Internal Audit oversight

The Guidelines establish that the audit committee, in those institutions that do not have an internal audit department, should determine whether one is necessary. If this department is not created on the back of this assessment, the committee must ensure that the institution has put alternative processes in place that provide sufficient assurance that the internal control function is working.

For those institutions that already have an internal audit department, the committee should assess and approve its functions, action plans and resources every year, ensuring that they are appropriate for the institution’s needs and, if required, propose the appointment, re-election or severance of the person in charge of the area. This committee will also verify that the profiles of internal audit members are suitable and that they can perform their role objectively and independently. The requirements laid down in the Institute of Internal Auditors’ professional practices standards for internal auditing and the recommendations in the Codes of Good governance for listed companies can be used as a benchmark.

When overseeing the annual internal auditing plan, the committee must check that:

  • The core business risk areas identified in the plan are covered.
  • There is appropriate coordination with other assurance functions, such as those over risk management and control, or regulatory compliance, as well as with the external auditors.
  • Resources are available, approved at the outset, including the hiring or use of experts.
  • The head of internal auditing is granted access to the internal auditing committee.
  • Significant changes in the plan are reported to the audit committee.
  • The conclusions reached by internal auditing are appropriate, the action plans are being executed as agreed and within the scheduled timeline, and regular progress reports provided to the audit committee.
  • Discrepancies that may have arisen among the institution’s senior management have been resolved or submitted for consideration by the audit committee itself.
  • The conclusions of their reports are presented according to schedule, prepared in line with an annual plan or in response to specific requests that the committee may have made itself or approved.
  • An activity report is presented every year that must contain, at least, a summary of actions and reports completed over the year, explaining why any tasks that were scheduled in the annual plan have not been completed, and also why any that were not planned in the calendar were carried out; this should include an inventory of areas of weakness, recommendations and action plans contained in the various reports.


  • Relationship with the financial auditor

As mandated by law, the audit committee is responsible for the selection procedure of the external auditor. It must take into account factors such as the scope of the audit, the training, experience and resources of the auditor or the auditing company, fees, independence and effectiveness, as well as the quality of the auditing services tendered. For this reason, the Guidelines recommend that the audit committee define a selection procedure which sets out the criteria or parameters for evaluating a reasonable number of auditors and auditing firms that are invited by the audit committee itself to tender for the business.

The paper establishes that the choice of auditor will be the result of an appropriate weighing up of the different criteria, without attaching greater importance to quantitative criteria such as the fees quoted or the auditor’s capacity to offer additional services other than the audit.

The audit committee should also ask the auditor to confirm or make a declaration of independence, so that it can then issue a report on this, prior to the publication of the external auditor’s report.

The Guidelines recommend that communication between the audit committee and the external auditor be fluid and continuous, although this communication should not infringe the auditor’s independence nor the efficiency with which they conduct the audit or pursue auditing procedures.

When the audit is complete, the audit committee must review with the external auditor the significant findings of their work, as well as the content of the auditor’s report and of the additional report for the audit committee.

The committee must carry out a final assessment of the auditor’s performance and how it has contributed to the quality of the audit and the integrity of the financial information. In the event of there being areas for concern or that are unresolved about the quality of the audit, the committee must consider the option of informing the Board of Directors; if this course of action is appropriate, it must leave a timely written record of this to the supervisory bodies.

  • Assessment and follow-up

The paper recommends that the audit committee should independently assess the performance of the Board as part of its annual assessment, to reinforce its functionality and improve planning. For this reason, in order to achieve greater transparency, the extent to which the assessment has given rise to significant changes in the entity’s internal organisation and procedures should be made public.

The Guidelines indicate that publishing the audit committee’s report on its operation enables shareholders and other stakeholders to understand the activities of the committee throughout the year. The report should thus contain:

  • Regulations governing the audit committee
  • Composition of the audit committee over the year, including the category and time served of each member
  • Functions and tasks performed in practice throughout the year by the audit committee, as well as the changes made and referral to the rules by which it is regulated
  • Meetings held and number of attendees, specifying whether third-party, non-committee members have been invited.
  • Number of meetings held with the internal and external auditors
  • Significant activities carried out over the period with regard to: (i) financial and non-financial reporting and the related internal control mechanisms; (ii) transactions with related parties; (iii) corporate social responsibility policy and how it has been implemented during the year; (iv) risk management and control; (v) internal audit; (vi) external audit; (vii) follow-up of the committee’s own action plans; (viii) nature and scope of communications.
  • Evaluation of how the audit committee has worked and its performance, as well as the methods used to assess its efficiency
  • Information about the audit committee’s opinion as to the external auditor’s level of independence.
  • Information about which practical guidelines on audit committees are being followed, if applicable, and to what extent
  • Conclusions
  • Date on which the audit committee prepared the report and the date it was approved by the Board of Directors.