In prior years, there have been unique enterprise, process and technology risk issues and financial reporting issues for audit committees to consider in addition to the normal ongoing activities articulated within the committee’s charter. These exciting, unprecedented times continue to evolve the committee’s agenda. We discuss the agenda items for 2022 in this issue of The Bulletin and also offer questions for audit committees to consider when self-assessing their performance. In formulating these topics, we considered input from our interactions with client audit committees and insights from meetings with active directors in various virtual forums.
ENTERPRISE, PROCESS AND TECHNOLOGY RISK ISSUES
Our suggested agenda includes five enterprise, process and technology risk issues:
Over the years, there has been a tendency in many companies to assign oversight responsibility to the audit committee when a new risk or regulation emerges, or a significant change occurs in the business. Many boards delegate their overall responsibility for risk oversight to the audit committee, a responsibility that presents challenges in an environment of rapid change in the marketplace and most industries — such as the one faced today.
Therefore, now may be a good time for the audit committee to pause and assess the scope of its activities and how it affects the committee’s workload, focus and composition. It is paramount that responsibilities unrelated to financial reporting do not detract from the committee’s primary role of overseeing the reliability of financial reporting. In collaboration with the board chair, there may be opportunities to assign responsibilities to other board committees or even to the full board. A review of the audit committee’s responsibilities could also mean more frequent meetings and, if necessary, lengthening meetings to accommodate a crowded agenda.
Smart boards are recognising the importance of a compelling strategy supported by targets and goals for the future that enables the companies they serve to convey a convincing sustainability commitment to the marketplace. Likewise, these boards recognise the importance of whether management’s ESG storyline to the street is resonating with investors and impacting the company’s valuation. Given the stakes, the audit committee should collaborate with the board chair and committee chairs to assess whether the present assignment of ESG oversight responsibilities sufficiently enhances the board’s governance of ESG/sustainability strategy, performance, reporting and disclosures. Some directors are even considering a separate ESG committee.
The audit committee should understand changes in both the current and long-term enterprise risk outlooks and consider their implications when evaluating the sufficiency of financial, sustainability and other public reporting and disclosures. An understanding of the company’s risks helps to:
- Inform the committee’s consideration of risks from a financial statement accounting and disclosure perspective (e.g., cybersecurity and privacy incidents, litigation developments, and changes in market and other key risks).
- Enable the committee to put into proper context the various representations and assertions received from management, newly reportable critical audit matters and audit scope changes raised by the external auditor, and internal control concerns, errors and irregularities and other findings presented by internal audit.
- Facilitate the contribution of quality input on ESG reporting (e.g., compliance with the SEC’s requirements of human capital disclosures, the ISSB’s sustainability reporting requirements and expectations from institutional investors) and the adequacy of the company’s risk factor disclosures in public filings.
- Provide insight as to workplace disruptions and the competition for talent that can impact the internal control environment.
CFOs have a mandate that extends beyond the scope of traditional finance to more strategic matters that include data security and privacy, enhanced data analytics, ESG strategies and reporting, supply chain management, changing expectations of internal customers, and regulatory challenges. Their success in addressing these expansive responsibilities augments their ability to add value to all who seek their help, including the audit committee.
Protiviti’s most recent finance trends survey offers insights on how CFOs and finance leaders worldwide are informing and shaping the business on a wide variety of fronts. Our global survey findings offer context for relevant questions audit committees should consider directing to finance leaders. These questions pertain to cybersecurity and data privacy, ESG reporting, talent management, forecasting and planning, and investments in technology and talent. They are of interest to the audit committee because the success and effectiveness of finance impacts the quality of the function’s input into topics germane to the committee’s oversight responsibilities. They may be appropriate for an executive session with the CFO.
CAEs and internal audit functions are facing unprecedented challenges today. Demands are increasing, and expectations are rising as companies face increased business complexity and competition. Interestingly, the results from Protiviti’s 2021 Next-Generation Internal Audit Survey reveal relatively low maturity levels in the governance, methodologies and enabling technology internal audit is deploying. If internal audit is not raising its game, its value will inevitably decline in a rapidly changing environment. “Analog auditing” doesn’t mix well in the digital age. Accordingly, the audit committee should consider inquiries around the capabilities the CAE needs to maximise the internal audit function’s value to the organisation.
Next-generation capabilities enable internal audit to keep pace with the company’s overall digital transformation strategy, embrace change, improve continuously and maintain relevance. They pave pathways to efficiencies, adaptability, increased engagement and deeper, more valuable insights. That’s why the audit committee should ask the CAE to articulate the function’s next-generation vision and strategy and whether it’s aligned with change taking place across the company. Importantly, internal audit should possess the requisite competencies and skills to facilitate its transition to new value-adding capabilities.
FINANCIAL REPORTING ISSUES
Financial reporting issues are fundamental to the audit committee’s core mission. Our suggested agenda includes three such issues:
This particular agenda item was included on last year’s recommended agenda for audit committees. It remains relevant to next year’s agenda as the evolution to the post-pandemic new normal continues. The audit committee should inquire about the impact of reopening and recovery on assumptions and estimation processes underlying impairments of goodwill, long-lived assets, and receivables, loans and investments; valuation and net realisable value determinations associated with inventories and various fair value measurements; revenue recognition; loss contingencies; and other accounting and disclosure matters.
Given the complexity of these matters, companies must also consider information that becomes available after the balance sheet date but before the issuance of financial statements. If significant subsequent events occur, companies are required to disclose their nature and either an estimate of the financial statement impact or a declaration that an impact assessment cannot be made.
The workplace continues to evolve as the pandemic has empowered many employees — particularly those whose physical presence in interacting with people and machines isn’t required at a specific location or in a specified environment — by giving them a desire for a voice and choice as to where and when they work. As a result, many organisations are transitioning to various forms of a hybrid work environment. That said, there’s uncertainty as to what the post-pandemic norm will look like, particularly as the number of companies implementing permanent work-from-anywhere policies continues to grow. It’s the race to the “new nimble.”
For the audit committee, the question arises as to the effects of these continued workplace developments on internal control over financial reporting, cybersecurity risks, and exposure to compliance and fraud risk. Committee members should consider questions around changes in the control environment and internal processes that have been implemented as a result of adjustments to the workplace.
Internal audit, general counsel or an outside consultant can assess the whistleblower programme against best practices, including user-friendly, multiple reporting channels, available 24/7; multilingual capabilities; a zero-tolerance retaliation policy; accurate, intelligent tracking, reporting and analytics for decision-making; secure and scalable infrastructure; periodic user training, at least annually, on the scope and use of whistleblower channels; use of third parties to engender confidence in programme independence and credibility; effective protocols around handling and investigating reported incidents; and clear reports to decision-makers and the audit committee.
Integrity of complaint reporting channels is also a priority to consider. A review might consider the risk of misinformation or disinformation about financial reporting and internal accounting controls communicated via hotlines and web reporting tools. It should also consider the myriad cyber concerns, including, but not limited to, the underlying security practices of third-party platforms and the potential for ill-intentioned reporters to submit harmful documentation (e.g., document-based malware and links to malicious websites).
SELF-ASSESS COMMITTEE EFFECTIVENESS
As it self-assesses its performance periodically, the audit committee might consider some illustrative questions. Committee members should periodically assess the committee composition, charter and agenda focus in view of the current challenges the company faces.
In Assessment Questions for Audit Committees to Consider, we cover topics such as committee composition and dynamics, committee charter and agenda, oversight of internal controls and financial reporting, and oversight of the external auditor, among other things.
Hopefully, 2022 will put the COVID-19 pandemic squarely in the rearview mirror. Indeed, 2022 can be a year in which the audit committee, along with the board, recalibrates its focus in helping management prepare for a disruptive decade ahead.
(The Bulletin: Volume 7, Issue 12)