The audit committee is the cornerstone of public company financial governance. No other board committee carries as broad and consequential a legal mandate. Under the Sarbanes-Oxley Act of 2002, SEC rules, and the listing standards of the New York Stock Exchange and Nasdaq, the audit committee bears direct legal responsibility for overseeing the company’s external financial reporting, its independent auditors, its internal control framework, and its whistleblower and complaint-handling mechanisms. For private companies that have audit committees — and many do, particularly those backed by institutional investors or preparing for a public offering — these standards set the baseline for governance expectations. Understanding what the audit committee must do, how it must be composed, and how it should function is essential for every director who serves on one.

Prior to Sarbanes-Oxley, the audit committee existed primarily as a governance best practice, without the force of law behind its specific responsibilities. The accounting scandals of the early 2000s — Enron, WorldCom, Tyco, and others — demonstrated conclusively that companies could manipulate their financial statements on a massive scale while their boards and audit committees remained uninformed or complicit. Congress responded by dramatically expanding and formalizing the audit committee’s legal role. The result is a framework in which the audit committee, not management, has ultimate authority over the independent auditing function, and in which audit committee members face personal legal exposure if they fail to discharge their responsibilities with adequate care.

Composition and Independence Requirements

Every public company listed on the NYSE or Nasdaq must have an audit committee composed entirely of independent directors. All members must satisfy the exchange independence standards and the stricter SEC independence requirements of Exchange Act Rule 10A-3, which prohibit accepting any compensatory fees from the company (other than director fees) and prohibit being an affiliated person of the company. These requirements cannot be waived, though the SEC’s rules provide a one-year phase-in period for newly listed companies and an exemption for companies that have recently listed through an IPO or business combination.

Both the NYSE and Nasdaq require audit committees to have a minimum of three members. Each member must be financially literate — defined as being able to read and understand fundamental financial statements, including a balance sheet, income statement, and cash flow statement. In addition, at least one member must qualify as an ‘audit committee financial expert’ under SEC rules. The financial expert designation requires a person who has, through education and experience as a principal financial officer, principal accounting officer, controller, public accountant, auditor, or other comparable experience: (1) an understanding of generally accepted accounting principles (GAAP) and financial statements; (2) the ability to assess the general application of GAAP in connection with accounting for estimates, accruals, and reserves; (3) experience preparing, auditing, analyzing, or evaluating financial statements that present accounting issues of comparable breadth and complexity to those that can reasonably be expected to be raised by the company’s financial statements; (4) an understanding of internal controls over financial reporting; and (5) an understanding of audit committee functions. The company must disclose whether it has an audit committee financial expert, who that person is, and whether that person is independent.

The audit committee’s charter is the primary governance document that defines its authority, responsibilities, and procedures. NYSE and Nasdaq listing standards require listed companies to adopt an audit committee charter that addresses, at a minimum: the purpose and goals of the committee; a requirement that the committee consist of at least three independent directors; the committee’s specific responsibilities for auditor oversight and financial reporting; and the committee’s annual performance self-evaluation obligation. Most audit committee charters go well beyond these minimums and set out in detail the committee’s oversight responsibilities, the frequency and content of meetings, management’s obligations to provide information to the committee, and the committee’s authority to retain advisors. The charter should be reviewed annually for currency and completeness, and updated to reflect changes in applicable law and listing standards.

Oversight of the Independent Auditor

The most fundamental responsibility of the audit committee under Sarbanes-Oxley is the direct oversight of the company’s independent auditor. Section 301 of Sarbanes-Oxley, codified in Exchange Act Section 10A(m), provides that the audit committee of a listed company is directly responsible for the appointment, compensation, and oversight of the work of any registered public accounting firm employed by the company for auditing or related services, and that the independent auditor reports directly to the audit committee. This was a revolutionary change from pre-Sarbanes-Oxley practice, under which management typically selected and managed the auditor relationship while the audit committee played a more passive role.

In practice, the audit committee’s oversight of the independent auditor encompasses several specific responsibilities. The audit committee must annually evaluate the auditor’s qualifications, performance, and independence, and make a recommendation to the full board (or, in some companies, directly to shareholders) regarding the retention or replacement of the auditor. This evaluation should consider: the quality and experience of the engagement team; the auditor’s expertise in the company’s industry; the quality and thoroughness of the audit; the auditor’s communication with the committee; the auditor’s independence; the fees charged; and any regulatory issues affecting the audit firm. In recent years, shareholders and governance advocates have placed increasing emphasis on mandatory audit firm rotation as a tool for maintaining auditor independence, though neither the SEC nor the PCAOB has adopted mandatory rotation rules for US companies.

The audit committee must pre-approve all audit and non-audit services provided by the independent auditor. Under Sarbanes-Oxley Section 202, it is unlawful for a registered public accounting firm to perform audit services for a public company unless the audit committee has pre-approved the engagement. Non-audit services — with limited exceptions for certain routine work — must also be pre-approved. Certain non-audit services are flatly prohibited regardless of audit committee approval: bookkeeping, financial information systems design, appraisal or valuation services, actuarial services, internal audit outsourcing, management or human resources functions, broker-dealer or investment adviser services, and legal services unrelated to the audit. The prohibition on these services reflects the foundational principle that the auditor’s independence requires that the auditor not occupy a position of advocacy or management within the company it audits.

The PCAOB’s auditing standards require the independent auditor to communicate a number of specific matters to the audit committee. These include: critical audit matters — issues arising from the audit that required especially challenging, subjective, or complex auditor judgment; significant accounting estimates and the related assumptions; significant unusual transactions; the auditor’s assessment of the quality of the company’s accounting principles and significant accounting policies; any significant difficulties encountered during the audit; and any disagreements with management. The audit committee must receive and consider these communications as part of its oversight function, and should engage in substantive dialogue with the auditors — including private sessions without management present — to ensure that the committee has the information it needs to assess the integrity of the financial reporting process.

Oversight of Internal Controls Over Financial Reporting

Sarbanes-Oxley Section 404 imposes one of the most significant ongoing governance obligations in public company law. Section 404(a) requires management — specifically, the CEO and CFO — to include in the company’s annual report an assessment of the effectiveness of the company’s internal control over financial reporting (ICFR). Section 404(b) requires the independent auditor to audit and report on management’s ICFR assessment for large accelerated filers (though smaller reporting companies are exempt from Section 404(b)). The audit committee has the ultimate board-level responsibility for overseeing the internal controls framework, including the Section 404 compliance process.

Internal control over financial reporting refers to the processes and procedures designed and maintained by management to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. The framework most widely used by US companies for assessing ICFR is the COSO Internal Control — Integrated Framework, which evaluates five components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring activities. The audit committee should understand the COSO framework sufficiently to assess management’s ICFR evaluation and the auditor’s related report.

A ‘material weakness’ in ICFR — defined as a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis — requires immediate disclosure and represents a serious governance failure. Audit committees that learn of a material weakness must engage closely with management on the remediation plan, set specific timelines for remediation, and ensure that the company’s disclosures accurately describe both the weakness and the remediation steps. Repeated material weaknesses, or a failure to remediate them promptly, may suggest systemic governance problems that the audit committee itself has failed to adequately address.

Oversight of Financial Reporting and Related-Party Transactions

The audit committee is responsible for overseeing the integrity of the company’s financial reporting process, including the financial statements included in the company’s SEC filings. This responsibility requires the audit committee to review and discuss with management and the independent auditor the company’s annual and quarterly financial statements before they are filed with the SEC. The committee must assess whether the financial statements are presented fairly, whether accounting policies are appropriate and consistently applied, whether management’s significant accounting estimates are reasonable, and whether the disclosures are adequate. The committee should ask management and the auditors hard questions: Are the accounting policies chosen among the most conservative available? Are there areas where the accounting treatment is aggressive? Has management exercised discretion in ways that are favorable to reported results?

Related-party transactions deserve the audit committee’s particular attention. SEC Regulation S-K requires disclosure of transactions with related parties — including executive officers, directors, and significant shareholders — that exceed $120,000 and in which the related party has a direct or indirect material interest. Many companies have adopted related-party transaction policies that require all proposed related-party transactions to be reviewed and approved by the audit committee (or the full board) before they are entered into. The audit committee’s review of related-party transactions should consider whether the transaction is on arm’s-length terms, whether it is in the best interests of the company, and whether adequate disclosure of the transaction will be made in the company’s public filings.

Whistleblower Procedures and Complaint Handling

Sarbanes-Oxley Section 301 requires audit committees to establish procedures for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters, and for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. This requirement reflects Congress’s recognition that employees are often the first to know about financial fraud or accounting manipulation, and that they are far more likely to come forward if they can do so confidentially and without fear of retaliation.

In practice, audit committees typically satisfy this requirement by overseeing the company’s ethics hotline or whistleblower reporting system. The audit committee should periodically review the volume and subject matter of complaints received through the hotline, the process for investigating those complaints, the outcomes of investigations, and any patterns suggesting systemic issues. The committee should ensure that the company has a credible anti-retaliation policy — and that the policy is enforced — because a hotline that employees do not trust produces no useful information. Under Dodd-Frank, the SEC has its own whistleblower program that provides financial awards to individuals who report securities law violations, which creates an additional incentive for employees to go directly to the SEC rather than reporting internally. A well-functioning internal whistleblower system — one that investigates complaints promptly, treats reporters fairly, and actually remedies the issues identified — is the best tool for ensuring that serious issues are resolved internally before they reach regulators.

Cybersecurity and Emerging Risk Oversight

The SEC’s 2023 cybersecurity disclosure rules created new board-level governance obligations that intersect significantly with the audit committee’s responsibilities. The rules require public companies to disclose in their annual reports a description of the board’s oversight of risks from cybersecurity threats, including whether the full board, a committee of the board, or a combination is responsible for the oversight of such risks. Many companies assign primary cybersecurity oversight responsibility to the audit committee, either because the audit committee already oversees internal controls (which overlap with cybersecurity controls) or because the audit committee is seen as the most sophisticated financial and risk oversight body on the board. Whether or not cybersecurity oversight sits with the audit committee, the committee should ensure that it receives regular briefings from the chief information security officer and that the company’s cybersecurity risk management processes are reflected in the company’s public disclosures.

The audit committee’s remit has expanded beyond purely financial oversight in other respects as well. As companies have adopted environmental, social, and governance (ESG) reporting obligations — including the California climate disclosure laws and the EU’s Corporate Sustainability Reporting Directive for companies with EU operations — the audit committee has in many cases assumed oversight of the accuracy and integrity of ESG disclosures. The principles that govern financial reporting oversight — accurate measurement, consistent methodology, appropriate disclosure, and independent verification — apply equally to non-financial reporting, and the audit committee is well-positioned to apply those principles to the emerging ESG disclosure framework.

The Audit Committee’s Relationship with Management and Auditors

The audit committee’s effectiveness depends critically on the quality of its relationships with management, the internal audit function, and the external auditors. The relationship with management must be one of constructive scrutiny: the committee relies on management for information, but it must be willing to ask hard questions, challenge management’s accounting judgments, and insist on full and complete disclosure even when management would prefer a more favorable presentation. The committee chair, in particular, must be willing to push back on management and to escalate concerns to the full board when necessary.

The relationship with the external auditors requires particular attention to the auditor’s independence. The audit committee should be alert to any signs that the auditor is too deferential to management, that engagement partner rotation is overdue, or that non-audit fees are creating incentives for the auditor to remain in management’s good graces. The committee should hold regular executive sessions with the external auditors — without management present — to provide auditors with an opportunity to raise concerns that they might be reluctant to voice in management’s presence. These sessions should be documented in committee minutes.

The internal audit function is one of the audit committee’s most important tools. Internal audit provides the committee with an independent view of the company’s internal controls, risk management processes, and compliance posture. The audit committee should approve the internal audit charter, review and approve the internal audit plan, receive and discuss internal audit reports, and evaluate the performance of the chief audit executive. Many governance authorities recommend that the chief audit executive have a reporting line both to the CFO (for operational purposes) and directly to the audit committee (for independence purposes), ensuring that internal audit is not subordinated entirely to the management function it is meant to oversee.

Serving on an audit committee is among the most demanding and consequential roles in American corporate governance. The committee operates at the intersection of law, accounting, finance, and risk management, and its members carry legal obligations that require genuine financial sophistication, rigorous engagement with management and auditors, and an uncompromising commitment to accuracy and transparency in the company’s public disclosures. Companies that invest in building strong audit committees — with qualified, engaged, independent members who understand their legal responsibilities — are companies that are fundamentally better governed and better positioned to earn the sustained trust of investors, creditors, and regulators.