
Audit committees: five questions the chair should ask every quarter
Most audit committee meetings get stuck on routine approvals — minutes, fee proposals, statutory updates. The five questions below are what an effective chair brings to every quarterly meeting, in this order.
There is a standard rhythm to audit committee meetings at most Indian companies. The first 30 minutes go to the minutes of the previous meeting, the standing approval items — internal audit fee proposal, statutory auditor fee proposal, CARO observations — and the matters arising. Then the agenda moves to the substantive items: internal audit report, statutory auditor update, related-party transactions, financial statements. By the time the substantive items are reached, the committee has 90 minutes left, and the discussion runs through the prepared slides at a pace that allows for clarifying questions but not strategic ones.
This is not the chair's fault, exactly. The agenda is structured by the company secretary. The materials are prepared by management. The committee members read the pack the day before and arrive prepared to respond to what they have been sent. The structure is reactive.
An effective chair pushes against this structure. Not by overhauling the agenda — that requires constituency-building with management and the secretary — but by bringing five recurring questions to every meeting. These questions cut across the prepared materials and produce a different conversation. Over time, management adjusts the materials to anticipate the questions, which is the point.
Question one: what were the top three changes in our risk universe this quarter?
The risk universe is the documented inventory of risks the organisation faces. It should not be static. New product launches change it. Geographic expansion changes it. Changes in senior leadership change it. Regulatory developments change it. A developing material customer concentration changes it.
If management's answer is 'no material changes' for two consecutive quarters, something is wrong. Either the risk universe is not being actively maintained, or material changes are happening and are not being escalated to the committee.
The follow-up question, when the answer is 'no material changes': has anyone reviewed the risk universe document this quarter? If the answer is 'it was reviewed in connection with the annual planning exercise eight months ago', the universe is stale.
The expected answer is two or three specific items: a new ECL methodology calibration on the lending book; a new SaaS vendor that holds customer data; a senior personnel change in a key process owner role; a change in regulatory framework that affects compliance scope. Specific, recent, with implications.
Question two: where did internal audit findings cluster this quarter?
The internal audit report typically lists findings by process or by entity. The committee reads them sequentially. The question of pattern across findings — where they cluster — is often missed.
Patterns are where the deeper signal sits. If findings on segregation of duties are appearing across three different functions in the same quarter, the company has an ITGC or HR access problem that is systemic, not local. If findings on related-party documentation are appearing across multiple group entities, the governance around RPTs is not operating.
The chair asks the chief audit executive to overlay the findings against the org chart, the IT environment, the policy framework. The patterns that emerge are agenda items for management.
The follow-up: are these patterns also visible in prior-quarter findings? If yes, the recurrence is a separate question — what did management do with the previous quarter's findings, and why are similar issues recurring?
Question three: are statutory compliances current — show me the MCA, GST, TDS dashboards?
Statutory compliance is treated by many committees as 'reported up' rather than 'reviewed in detail'. The committee secretary states that compliances are current. The committee moves on.
Ask for the dashboard. Specifically:
MCA — ROC filings due, filed, pending. Director filings, beneficial ownership, secretarial standards adherence.
GST — returns due, filed, any deficiency notices, any pending refund claims, any open assessments.
TDS — tax deducted, deposited, returns filed, any default notices, any pending demand orders.
PF/ESI/Labour — contribution due, paid, returns filed.
Other regulator-specific compliances by sector — RBI for NBFCs, SEBI for listed entities, FEMA for cross-border, environmental for manufacturing.
The dashboard either exists or it does not. If it does not, the committee's view of statutory compliance is unsupported by evidence. If it exists but shows recurring late filings, the question shifts to whether the secretarial function is adequately resourced.
Question four: what are management's plans for open audit observations older than 30 days?
Audit findings have a remediation timeline. The committee approves the timeline at the meeting following the audit. Then the findings move to an open-finding tracker that is supposed to close them within the agreed period.
Findings drift. The remediation owner is busy with other priorities. The original timeline slips. Three quarters later, the finding is still open and the committee has to ask why.
The chair sets a standing review of any finding open more than 30 days past its target closure. For each, the responsible executive walks through the status, the blocker, and the revised timeline.
Two patterns emerge. First, some findings turn out to be harder to remediate than originally scoped — usually because they require system changes, vendor coordination, or organisational redesign. The revised timeline is reasonable, and the committee adjusts.
Second, some findings have been on the list for so long that the original owner has moved on or the underlying process has changed. These need to be either closed, reassigned, or escalated as material weaknesses.
Question five: are there any whistleblower complaints I should know about?
The whistleblower channel reports up to the audit committee chair. Most companies have a defined intake — through the chief audit executive, the company secretary, or a third-party hotline. Most chairs do not review the intake at every meeting.
The question is asked every quarter, with the expectation of a substantive answer. Even if there are no material complaints, the answer should reference the volume of complaints in the quarter, the triage decisions made, and any complaints that escalated to preliminary inquiry.
If the answer is consistently 'no complaints in the quarter', the question shifts to whether the channel is operating. Is the channel known to employees? Is the third-party hotline (if used) producing intake? Is there a barrier — perception of retaliation, lack of confidentiality — that is suppressing complaints?
An audit committee with zero whistleblower volume across multiple quarters is not always reassuring. It can mean the culture is excellent. It can also mean the channel is broken.
What gets displaced
Asking these five questions does not extend the meeting. It displaces other content. The standing approvals can be condensed. The internal audit findings can be summarised at higher altitude in the meeting itself, with the detail in the pack. The financial statements review can take less time if the committee has been engaged with management on a rolling basis through the quarter.
The displacement is what the chair has to negotiate with the secretary and management. The first meeting under a new question framework usually runs over. By the third quarter, the rhythm adjusts.
What management will eventually do
Once the chair has asked the five questions for three or four consecutive meetings, management adjusts. The pre-read materials start to address them. The risk universe gets a 'changes this quarter' section. The internal audit findings get a pattern-summary slide. The statutory compliance dashboard becomes a standing report. The open-findings tracker is updated and prioritised by age. The whistleblower intake summary is added to the chief audit executive's report.
This is the point. The chair's questions reshape the materials. The materials reshape the meeting. The meeting reshapes what management spends time on between meetings.
Two things the chair should not do
Do not turn the meeting into management review. The committee's job is oversight, not running the function. If the question reveals a problem, the next step is to assign management an action with a timeline, not to debate the operational fix in the meeting.
Do not let routine approvals become contentious. The standing items — fee proposals, minutes, statutory updates — should be moved quickly with focused review. The committee's time is better spent on the five questions than on debating internal audit fees by line item.
What an effective committee looks like over a year
The committee that has been running these five questions for four quarters has, by the end of the year, a different view of the company than the committee that has been running the standard agenda.
It has a refreshed risk universe with quarterly tracked changes. It has pattern-level visibility into internal audit findings, with management responses to recurring themes. It has a current statutory compliance dashboard. It has an aged open-findings tracker that management is actively closing. It has a quarterly whistleblower summary.
These five inputs, accumulated over four quarters, change the board reporting at year-end. The committee chair's annual report to the board is no longer a summary of meetings held; it is a substantive view of where the control environment is, where the risks are concentrating, and what management is doing about it.
The audit committee chair has the most leverage of any board role over the company's control environment, not because of the formal authority of the role, but because of the questions the chair chooses to ask in the meeting. Five well-chosen recurring questions, asked over four quarters, produce more meaningful oversight than any agenda restructuring.
What this looks like in practice
A working pattern from a committee chair we advised. Eight quarters into the engagement, the chair walks into the meeting with one page of handwritten notes. The five questions. Beside each, the chair has noted two or three follow-ups based on the pre-read.
The meeting runs 90 minutes. The standing approvals take 15. The substantive discussion runs against the five questions, in order. Management has anticipated each one. The follow-ups are sharper than they were a year ago.
The committee leaves with three action items: one for the chief audit executive, one for the CFO, one for the company secretary. Each has an owner, a timeline, and a closure expectation at the next meeting.
That is the meeting working as designed. It does not happen by accident. The chair shaped it.