Setting the 2021 Audit Committee Agenda

Setting the 2021 Audit Committee Agenda

How has the audit committee agenda changed?


With 2020 almost in the rear view mirror (thankfully!), the 2021 audit committee agenda is shaping up differently than in years past. The past 12 months presented an opportunity for audit committees to support the key players managing the financial reporting process. Going forward, that support could prove to be critically important as the business environment continues to present disruptive challenges. Board members should not be surprised by anything 2021 has to offer. The key is ensuring the companies they serve are resilient and agile enough to withstand whatever surprises the next 12 months may have in store.

 

ENTERPRISE, PROCESS AND TECHNOLOGY RISK ISSUES

Our suggested agenda includes four enterprise, process and technology issues:

1. 

Consider shifts in the risk landscape to establish an appropriate business context
 
Have the implications of changes in the nature and severity of risks been considered by the committee in discharging its various responsibilities?

The COVID-19 pandemic is a reminder, if not a wake-up call, that we all work and live in a disruptive world. The current and prospective effects vary by industry as well as by the prospects for and shape of a recovery. Companies in the entertainment, tourism, food services, hospitality, gaming and other industries dependent on concentrating and gathering people could take several years to recover and return to pre-pandemic norms. Some companies may not recover at all without resizing their business significantly or even rethinking business models to channel their core competencies in different ways to generate new revenue sources.

Shifting customer and consumer behaviours and preferences, the evolving workplace, the revisiting of supply chains, and formidable economic headwinds are altering the fundamentals underlying most every industry. Growing geopolitical tensions, the increasing complexities of the digital economy and the emergence of “born digital” market entrants, rising challenges in attracting and retaining top talent, ever-changing cybersecurity and privacy threats, and the implications of the transition taking place in the United States as a result of the recent elections add even more unknowns to the mix in creating both market opportunities and emerging risks that loom large on the horizon.

No discussion of changing risk profiles is complete without reference to the circumstances calling attention to the importance of social equity and equal justice. These circumstances — and what has been, in most cases, a vocal and supportive response by businesses to do more to level the playing field — set a context for the audit committee’s role in evaluating the diversity of its composition, the treatment of company management and staff, and company engagement with partners and stakeholders consistent with the board’s overall focus on the CEO’s commitment to social responsibility — including diversity, equity and inclusion issues.

The disruption in the marketplace makes it difficult for management teams to sustain the organisation’s core values and culture. This disruption can spill over to the internal control environment. Audit committees should be cognizant of emerging business risks and changes in the nature and severity of critical enterprise risks in discharging their responsibilities. The company’s risk assessments, as well as assessments from other sources, enable the committee to put into proper context the representations and assertions received from management, newly reportable critical audit matters, and audit scope changes raised by the external auditor and internal control concerns, errors and irregularities and other findings presented by internal audit.

Understanding how management’s view of risk aligns with or differs from others’ perspectives across the industry facilitates the committee’s assessment of the adequacy of the company’s risk factor disclosures in public filings. Understanding the company’s risks also informs the committee’s consideration of risks from a financial statement accounting and disclosure perspective (e.g., cybersecurity and privacy and identity incidents, litigation developments, changes in the market, valuation and impairment issues, and other key risks).


2. 

Work with the CFO to review the finance function’s resiliency
 
How effective and efficient was the financial reporting process during and since the lockdown with people working from home? What did we learn? How has the function improved its resiliency going forward?

With the continued threat of additional COVID-19 surges, the risk of additional lockdowns remains as national, state and local authorities loosen public protocols, and businesses and schools reopen. Mixed messages from infectious disease experts and concerns over the timing and efficacy of vaccines, appropriate testing protocols, asymptomatic individuals, and other factors add to the uncertainty. The plaintiffs’ bar’s preparations to litigate raise further concerns for employers who are exercising good faith efforts to manage reopening as best they can with as much advice as possible from medical experts.

With this backdrop and the company’s plans to reopen, finance should be positioned to validate strategic discussions on the deployment of capital and provide reliable reporting. Below are questions audit committees should consider regarding the finance function’s resiliency going forward in these difficult times:

  • How effective and efficient was the financial reporting process when our employees worked remotely? What did we learn about our people and processes?
  • What skills did our people develop, what processes were redesigned, what worked and what didn’t? Do all personnel critical to the financial reporting process have a backup? Were there any disruptions in the flow of information and reporting?
  • Did our employees have all the technology and tools they needed? Did urgent efforts to adopt new tools and technologies and transition to a remote workplace achieve acceptable productivity and returns? Did those efforts create information security issues? Given that COVID-19 accelerated digital transformation, how is finance going to sustain those improvements in 2021 and beyond?
  • Due to the disruption in 2020 to address pandemic-associated risks, are there any priorities, like improving supply chain resiliency, that need to be addressed in 2021?

Finance organisations with advanced digital operating capabilities that enable a robust remote workplace are more likely to sustain their operations and the control environment during the next pandemic or a disruptive event of similar magnitude. The audit committee should ascertain the CFO organisation’s assessment of the work environment’s resiliency and the efficacy of investments to improve it in the event of future disruptions, and it should understand what changes, if any, are needed.


3.

Encourage the CFO to function as a strategic partner in addressing cybersecurity, privacy and other key priorities
 
Is finance sufficiently resourced to focus on such matters as evolving cyber threats, more advanced data analytics, internal customer expectations, financial planning and analysis, regulatory challenges, and internal controls as a strategic partner with the rest of the organisation?

The prior agenda item emphasises the importance of finance making technology investments to operate digitally. Protiviti’s latest global finance survey provides more insights into the challenges, activities and funding decisions CFOs and finance leaders are prioritising for the coming year.[1] Our findings offer a context for additional questions audit committees should consider:

  • Is finance contributing its expertise as a strategic partner in enhancing and focusing cybersecurity programs, and, if so, how? The cyber-threat landscape is in a constant state of flux due to the pandemic’s acceleration of workplace redesign and continuous change in the workplace through artificial intelligence, robotics and other technologies. Collaborating with chief information officers and chief information security officers to secure the distributed work environment, newly implemented collaboration or cloud tools, and privacy of data within the finance organisation and throughout the enterprise is the topmost CFO priority. This finding is consistent with results of our studies from prior years. Finance has a role in monitoring and strengthening how data security and privacy investments are benchmarked and allocated, and how cyber risks are quantified in dollar amounts and expressed in business terms.
  • How is finance working with internal customers to address the latter’s increasing expectations for more dynamic financial analysis and insights? Our study indicates that CFO organisations produce more frequent analyses and detailed insights for the business and deploy advanced technologies offering dynamic reporting based on increasingly real-time inputs. And internal customers want more of it, too: COVID-19 disruptions have increased the number and frequency of their requests for insights, possibly because of the difficulty in planning due to the lack of reliable historical data.
  • How is the CFO assessing the talent and skills investments most likely needed to enable the company to address current and future disruptions and opportunities effectively? CFOs must make these assessments of their finance organisations while managing an increasingly diverse portfolio of full-time employees, contract and temporary workers, expert external consultants, managed services providers, and outsourcing partners. While roughly one-third of finance organisations experienced staff reductions during the pandemic, many CFOs are increasing resources dedicated to addressing internal customers’ changing demands, data analytics enhancements and cloud-based finance applications.

The audit committee should be cognizant of the organisation’s increasing demands and support finance leaders’ efforts to address and resource them. This may be an appropriate discussion to have with the CFO in an executive session.

 


4.

Work with the CAE to formulate appropriate imperatives for internal audit to ensure the function’s continued relevance
 
Is the CAE effective in achieving appropriate risk coverage, agile responses to new and emerging risks, and efficient delivery of value-added insights regarding risk culture, risk management capabilities and the internal control environment?

At a recent Protiviti webinar of audit executives, 89% of the participants able to respond with a “yes” or “no” indicated that the chief audit executive (CAE) shares information with the audit committee about internal audit’s plans to undertake transformation or innovation activities. Conducted just before the disruptive onset of COVID-19, Protiviti’s latest survey of internal audit executives reiterated this theme with a finding that audit committee interest in internal audit transformation and innovation activities is rising. The survey also noted that the committee wants to see more coverage of risks and more in-depth audit reviews, which can best be accomplished through next-generation competencies. This expectation requires audit leaders to enhance the relevance, visual appeal, and conciseness of their board-level communications.[2]

Below are useful questions for audit committees to consider when meeting with the CAE:

  • Does the committee set the tone with expectations of the CAE to take the lead in getting the function’s transformation process on its agenda?
  • Is the CAE communicating the function’s vision and strategy effectively with quality information? Is internal audit’s approach aligned with the change taking place across the company, and does the function possess the competencies and skills to facilitate the transition to new capabilities?
  • Does the CAE craft board-level updates linked to strategic risks, based on dynamic risk assessments and other next-generation audit methodologies and technologies, and deliver them with compelling visual appeal?
  • Do internal audit’s methodologies deploy agile methods to incorporate new and emerging risks on a timely basis in the audit plan and provide faster, deeper and more valuable insights?
  • Does internal audit deploy robotic process automation (RPA) bots to take on tedious and time-consuming data-gathering and other highly repetitive manual tasks? Does it leverage advances in automation and data science technologies to monitor transactional data to identify process or policy deviations and incorporate data analytics and near real-time risk analysis and dashboards with drill-down capabilities to help focus audit selection, scoping and testing?
  • Does the committee give the CAE sufficient time on its agenda to address these matters?

The opportunity before the audit committee is for internal audit to enhance its value proposition by becoming a problem-solver, rather than a mere problem-finder. Next generation capabilities enable internal audit to keep pace with the company’s overall digital transformation and embrace change, improve continuously and maintain its relevance, paving the way to efficiency, adaptability, increased engagement and deeper, more valuable insights. It is a work in progress, and the committee should be privy to it.


FINANCIAL REPORTING ISSUES

Financial reporting issues are fundamental to the audit committee’s core mission. Our suggested agenda includes four such issues:

5.

Address accounting and reporting implications of operational adjustments during the pandemic and recession
 
Have discontinued operations and divestitures, termination benefits, and the impact of contract modifications been reported properly? If the company received government assistance, is it being accounted for appropriately?

Many companies have had to adjust their operations in the face of the pandemic’s crushing effects. If operations have been discontinued and/or divestitures of assets or businesses have occurred, the accounting and reporting treatment should be carefully considered. Compensation adjustments, severance pay and termination benefits should be recognised when management decides to implement them. The company should also properly account for government assistance if it has received it.

The business should also address the impact of contract modifications. For example, companies experiencing decreased revenues, higher operating costs and/or cash flow challenges due to COVID–19 may obtain additional or bridge financing, restructure existing debt agreements, or obtain waivers in debt covenants. These changes may represent a debt modification, debt extinguishment or a troubled debt restructuring, and all three measures have different accounting and reporting implications. If covenants are breached, the debt must be reclassified from long term to current on the balance sheet.

These points illustrate that the company’s decisions to adjust operations during the pandemic have accounting and reporting implications. The audit committee should address such matters with management and the external auditor.


6.

Assess COVID-19-related impacts on financial reporting assertions
 
Are the pandemic’s effects on estimation processes underlying asset impairments, valuation, net realisable value, loss contingencies, and other accounting and disclosure matters understood and addressed?

In the financial reporting process, management often exercises significant judgement regarding various subjective estimates and valuations sensitive to changes in external and internal risk factors. The current unprecedented environment and the recession it has spawned have forced companies to take a closer look at impairment, valuation, net realisable value, loss contingency and exposure considerations. To illustrate:

  • Impairment of goodwill — Do COVID-19, the present industry outlook and the current social issues have significant direct or indirect implications on expectations of future cash flows that could reasonably be deemed sustainable into the future? If so, a test of impairment in goodwill is required.
  • Impairment of long-lived assets — Has there been a significant drop in market prices considered to be sustained (rather than temporary), adverse changes in the use or utility of certain assets or asset classes, or negative changes in the business climate? If so, that can trigger the need to perform an impairment assessment of long-lived assets.
  • Inventories: net realisable value — Have there been significant COVID-19-related revenue declines or disrupted supply chains? If so, management should evaluate whether there’s a need to adjust inventory carrying values. Perishables, products with short shelf lives or expiration dates, or specific seasonal inventories are at risk of impairment.
  • Inventories: significant excess capacity costs — Have unplanned work stoppages or severe slowdowns due to labour or material shortages caused manufacturing levels to drop below standard levels? If so, excess fixed overhead that cannot be allocated to product due to underutilised capacity must be expensed in the period incurred.
  • Impairment of receivables, loans and investments — Given the volatility in financial markets, is there a need to assess the value of investments for potential impairment, particularly debt or equity instruments from issuers affected by the virus or its related outcomes? If so, how this is done varies for different types of instruments.
  • Fair value measurement — Has management considered market uncertainty and volatility in determining fair value in situations where it’s called for? As complicated as this is in the current environment, market prices cannot be ignored in valuation assessments.
  • Revenue recognition — In addition to the obvious impacts of reduced revenue due to the virus’s impact, has management taken into account the initial and ongoing evaluation of variable consideration inherent in customer contracts such as discounts, refunds, price concessions, performance bonuses and penalties?

Depending upon the circumstances, audit committees should inquire of management and the external auditor regarding significant accounting estimates and their implications to the financial statements. The complexity of these matters is increased further in that companies must consider information that becomes available after the balance sheet date but before the issuance of the financial statements. If significant subsequent events occur, companies are required to disclose their nature and either an estimate of the financial statement impact or a declaration that an impact assessment cannot be made.


7.

Evaluate the pandemic’s near-term and longer-term impacts on the internal control environment
 
 How are recent and expected changes in the workplace and current plans for reopening physical locations affecting the company’s internal control over financial reporting, cyber-threat landscape, and exposure to compliance and fraud risk?

For many companies, it will be necessary to reimagine how many employees should return to the office, whether workplace entry should be staggered, where people will work, and with whom workers will interact and how. Social distancing may require teams that previously worked in close proximity to one another to spread out over a larger footprint. That may require leasing more office space, organising work in shifts or designing a hybrid arrangement where some people return to the office while others continue to work remotely at home or in satellite offices. Flexible thinking, process improvements, continued technology enhancements and various health protocols are likely in many organisations to maximise health and safety. 

Audit committees should consider the following questions:

  • Has management consulted with legal counsel to ensure the company remains in compliance with applicable laws, including privacy rules, and is exercising appropriate due diligence to reduce litigation risk?
  • With respect to internal controls, have there been any significant changes? Has the flux in internal processes during the lockdown and with the planned re-entry affected the integrity of the company’s internal control structure and execution of key internal controls over financial transactions and reporting?Have there been significant personnel changes from attrition, downsizing, the virus or reassignments? If so, have the changes affected the performance of any key controls? Are there any segregation-of-duties issues? Are the changes and the pandemic’s effects material enough to warrant disclosure?
  • How are recent and expected workplace changes and plans for reopening physical locations affecting the company’s cyber-threat landscape and exposure to compliance and fraud risk? Have IT, general and change management controls remained strong?

The audit committee is the board’s advocate for strong internal control over financial reporting. The above questions illustrate areas of inquiry committee members should pursue in the event of significant changes in the organisation and workplace.


8.

Consider the nature of critical audit matters raised by the independent auditor
 
In the event the external auditor reports critical audit matters, has the committee evaluated them in consultation with the auditor and management?

For large, accelerated filers (public companies with a market capitalisation of $700 million or more), the external auditor is required to discuss critical audit matters (CAMs) in the audit report. These matters relate to material accounts or disclosures and involve especially challenging, subjective or complex auditor judgement, making any significant issues arising during the audit process more transparent.

The requirement goes into effect in the fiscal year ending on or after December 15, 2020, for other public companies (e.g., calendar-year reporting companies). According to the U.S. Securities and Exchange Commission’s (SEC) rules, emerging growth companies are exempt until they lose their designated status.

If one or more critical audit matters are identified, the audit committee should discuss them with the auditor and management. Once the underlying issues are understood, the committee should determine whether the disclosures are clear. If there are significant judgemental issues on which management and the auditor do not agree, or if management is applying aggressive accounting principles, there may be an opportunity for the committee to inquire of management as to whether the company’s accounting and reporting processes can be streamlined and improved.


ADDITIONAL CONSIDERATIONS

9.

 
Assess other matters: Keep an eye on ESG developments

This year we have not included new accounting standards and relevant regulatory releases on the suggested audit committee agenda given the lack of significant new developments. However, observable market forces continue to elevate the importance of ESG-related matters. It’s a matter of when, not if, the market can expect more rulemaking and standard-setting on ESG-related impacts.

Note that the SEC recently amended Regulation S-K to require a description of human capital measures or objectives used in managing the business, provided such disclosures are material to understanding the company’s business as a whole. The audit committee should review these new disclosures in light of developments occurring at the company.


10.

 
Audit committee self-assessment questionnaire
Audit committees should assess their performance periodically. To help committees periodically assess their composition, charter and agenda focus in view of challenges the company is facing, see Protiviti’s self-assessment questionnaire.

(The Bulletin: Volume 7, Issue 9)

Click here to access the prior Bulletin editions: Protiviti’s Review of Corporate Governance. Sign up here to receive quarterly editions straight to your inbox.

[1]2020 Global Finance Trends Survey, Protiviti, October 2020.
[2]Exploring the Next Generation of Internal Auditing, 2020, Protiviti.