The demands on boards of directors are as significant as they have ever been. Each committee of the board faces its own challenges, too, and the audit committee is no exception. With new accounting standards coming online, an increasingly active Public Company Accounting Oversight Board (PCAOB) inspections agenda, the relevance of the traditional accounting and reporting model under fire, and continued uncertainty in the geopolitical, business and regulatory environment, audit committees indeed have their hands full.
As in prior years, we have identified several agenda items for audit committees to consider in the upcoming year. In formulating these agenda items, we considered input from our interactions with client audit committees as well as insights from roundtables and surveys we conducted during 2019 and discussions with directors in numerous forums.
ENTERPRISE, PROCESS AND TECHNOLOGY RISK ISSUES
Our suggested audit committee agenda for 2020 includes four enterprise, process and technology risk issues:
Given the dynamic environment, the audit committee should take a close look at the company’s risk profile at least annually. Ideally, this review should be supported by an updated risk assessment by management. As the committee evaluates disclosure issues, an understanding of the key risks can provide valuable insights. Some risks are considered from a disclosure perspective for example, cybersecurity and privacy and identity incidents, litigation developments, changes in market and other key risks, possible contingent liabilities that are not susceptible to reasonable estimation, and significant unusual transactions or events. The committee also should review the risk factor disclosures summarising the most significant risks that apply to the company to ascertain whether the top risks are adequately presented, particularly those risks unique to the industry sector(s) and geographic region(s) in which the company operates as well as risks that are unique to the company itself.
There is value in understanding how the company’s view of risk aligns with or differs from the view of other firms in the industry. The audit committees cannot oversee the reliability of financial reports in a vacuum.In the financial reporting process, management often exercises significant judgment regarding various subjective estimates and valuations that are sensitive to changes in external as well as internal risk factors. For example, in evaluating the adequacy of the allowance for doubtful accounts, management should consider such internal factors as changes in the company’s credit policies, collection history and the ratio of bad debt expense to actual write-offs by reporting period. External factors such as the expected economic outlook, competitive environment and emerging regulatory requirements are also relevant considerations.
Regardless of their designated role in the board’s overall risk oversight process, audit committee members should be cognizant of emerging business risks and changes in critical enterprise risks so that they can put into proper context the representations and assertions they receive from management, newly reportable critical audit matters and audit scope changes raised by the external auditor, and internal control concerns, errors and irregularities and other findings presented by internal audit. To that end, it may help the committee to have access to a periodic summary or profile of the top enterprise risks. An example of such a summary is illustrated in the above table highlighting the top 10 global risks for 2020 based on a recent global survey Protiviti completed and indicating whether the risk is increasing or decreasing since the prior year. Clearly, the environment is changing, and digital technology-related opportunities and challenges are driving many of the key risks.
Chief financial officers (CFOs) and finance organisations have a lot on their plates these days. Based on Protiviti’s recent survey of CFOs and finance leaders, the top five priorities are security and privacy of data, enhanced data analytics, process improvement, changing demands and expectations of internal customers, and embracing new technologies. Following closely behind these top-of-mind priorities are five additional significant topics: internal controls, accounting and finance implications of IT, financial planning and analysis, strategic planning, and profitability reporting and analysis.
These results suggest that finance organisations are not only looking for opportunities through innovation and new technologies, they are also backing these opportunities with planned budget increases. No longer just an opportunity or a “nice thing to do,” changing demands from internal customers have challenged CFOs to operate with a more strategic mindset as they become more security-minded, more data-driven, and more external and internal customer-focused to deliver demonstrable value.
The finance organisation is no different than any other business function, as every function is ultimately in the customer experience business, and every CFO knows that delivering deep, impactful and proactive insights for decision-making delights internal customers. This expectation of value delivered is leading to investments in innovation and emerging technologies as more finance organisations migrate from on-premises enterprise resource planning (ERP) systems and related applications to a hosted cloud model, implement robotic process automation (RPA) and artificial intelligence (AI), improve how they leverage and protect data, and investigate blockchain applications and virtual currencies.
Today’s dynamics are both an extension of and a far cry from yesteryear’s focus on increasing the efficiency of transaction processing to free up resources to enable value-added analysis, improved reporting and effective working relationships with operating personnel. Both now and in the future, CFOs and finance executives face disruptive change in their respective organisations, creating gaps in skills and talent. With tightening labour markets, these gaps are, in turn, driving workforce management innovations that are leading CFOs and finance leaders to employ new, more flexible labour models. That is why it is appropriate to inquire of the CFO in executive session as to whether finance is resourced appropriately to meet its responsibilities both internally as well as externally. As audit committees work with finance executives, they should understand this evolving and demanding world in which finance organisations operate, while ensuring finance keeps a steady eye on financial and public reporting.
Value delivery is a universal theme for every corporate function, including internal audit. Accordingly, many internal audit functions are developing next-generation competencies such as agile auditing, AI, machine learning (ML), RPA and continuous monitoring. The audit committee should be aware of the chief audit executive’s (CAE) plans to innovate and transform internal audit into an agile, multiskilled and technology-enabled function.
The audit committee should expect the CAE to take the lead in getting the function’s transformation on its meeting agenda. Our research has determined that fewer than one in five organisations report that their audit committee is highly interested in the internal audit group’s innovation and transformation activities. So, it is incumbent on CAEs to convey the function’s commitment to innovation and transformation to the audit committee through effective and efficient information-sharing practises and persuasive presentations. If committee members aren’t seeing this from the CAE, they should inquire why.
In the digital age, internal audit should be effective at recognising new market opportunities, emerging risks and changes to the organisation’s risk profile quickly and efficiently enough to incorporate them into the audit plan in a timely manner. And that is why directors cannot be indifferent to the CAE’s level of awareness of available digital techniques and tools that are imperatives of next-generation audit. As companies move to cloud computing and adopt AI and ML concepts, an agile methodology enabled with the right skills, resources and technology helps the CAE sustain internal audit’s relevance by providing assurance, in the most efficient manner, to the board and other stakeholders on the risks that matter most. The board should accept nothing less than an audit function that efficiently delivers strong assurance and valuable insights to the business.
Undertaking this journey requires a recognition that the transformation of the audit function demands a fresh mindset and a commitment to continual evolution. Protiviti’s research indicates that while three in four internal audit groups are undertaking some form of innovation or transformation effort, more substantive progress is needed if early-stage, next-generation internal audit models are to mature and fulfill their massive value delivery potential.
The adoption of next-generation internal audit capabilities is at an early stage. The implementation of the governance mechanisms, methodologies and enabling technologies that comprise the next-generation internal audit model has so far occurred in a predominantly ad hoc manner. Internal audit groups within organisations that are digital leaders have made substantially more progress with their innovation and transformation initiatives. Among other practises, digital leaders are far more likely than other organisations to appoint internal audit innovation and transformation champions.
The concept of selective investing — environmental, social and governance (ESG) — offers a set of standards that the ever-increasing number of socially conscious investors are using to evaluate investment alternatives. As professionally managed funds deploying ESG factors to screen investments have increased assets under management into the trillions of dollars, directors and executives have noticed. And as institutional investors call on directors and chief executives to contribute more to society than just acceptable financial results, and companies begin to embrace a broader focus on stakeholder interests, demands have increased for more transparency and uniformity in reporting on these activities. Regulators are also being petitioned to initiate rulemaking to require standardised disclosures.
As the volume increases for comparable ESG-related disclosures, directors should be mindful of their growing importance to multiple stakeholders. Following are fundamental questions audit committees should consider in their oversight:
- Does the company’s sustainability reporting provide sufficient insight into its nonfinancial activities related to ESG matters? Are the disclosures sufficiently focused on the ESG criteria that investors and asset managers following the industry are using? Does management focus on ESG reporting as a public relations tool or compliance activity, or is it truly integrated with the corporate strategy?
- Does the committee understand the quality of the company’s disclosure controls and procedures over ESG disclosures in public reports? Is it satisfied that they provide reasonable assurance that such disclosures are fairly presented? Are the disclosures presented in accordance with an established framework, such as the Sustainability Accounting Standards Board (SASB) or the Global Reporting Initiative (GRI)? Or, are they customised to the company’s specific needs and approach?
- If the company does not issue sustainability reports, has the board considered whether it should? Are competitors issuing reports? Are major shareholders raising concerns?
Exactly how the future of sustainability reporting unfolds remains to be seen. Voluntary sustainability reporting, voluntary elections to hire external auditors to attest to sustainability report assertions, increasing pressure from activists for uniformity, and efforts by SASB and GRI to align global sustainability reporting standards are creating a powerful mix of converging forces that could spur many companies to enhance their ESG-related disclosures. Audit committees should be cognizant of these developments.
FINANCIAL REPORTING ISSUES
Financial reporting issues are fundamental to the audit committee’s core mission. Our suggested agenda includes three such issues for audit committees to consider:
One of the biggest changes to audit reports in decades is now happening. The external auditor of a public company is required to include a discussion of critical audit matters (CAMs) in audit reports beginning for fiscal years ending on or after June 30, 2019, for large accelerated filers (companies with a market capitalisation of US$700 million or more). This requirement is intended to augment the traditional pass/fail audit report to make significant issues confronting the auditor during the audit process more transparent. For most public companies, this requirement doesn’t kick in until their fiscal year ending on or after December 15, 2020. So-called emerging growth companies are exempted until they lose their designated status as an emerging growth company, as dictated by the U.S. Securities and Exchange Commission’s (SEC) rules.
Audit committees should prioritise understanding CAMs that the external auditor raises. These matters relate to accounts or disclosures that are material to the financial statements and involve especially challenging, subjective or complex auditor judgment. They are required to be communicated to the audit committee and disclosed in the auditor’s report to shareholders. Once the underlying issues are understood, the committee should determine whether the disclosures are clear, and management should take steps to address any underlying issues by improving the effectiveness and efficiency of the financial reporting process and related internal controls over financial reporting.
We recommend that committee members inquire soon — if they haven’t already — of their auditor and management as to the nature of CAMs that the auditor’s report is expected to address. Start the dialogue as early as possible in the planning process and set an expectation that, once an audit issue has been determined to be a CAM, the auditor should communicate it to the committee as soon as practicable. The committee should discuss CAMs with management to ensure the company is responding appropriately to address the matter. A best practise is to request that the auditor conduct a dry run to identify potential CAMs so that the committee, management and the auditor are on the same page early. If there are significant judgmental issues on which management and the auditor do not see eye to eye, or if management is applying aggressive accounting policies, management may have an opportunity to streamline and improve the company’s accounting and reporting processes.
Based on our analysis at the time this issue of The Bulletin went to print, 71% of companies have reported CAMs with and since the June 30, 2019 filings. The most common CAMs are goodwill and intangible assets, revenue recognition, fair value valuations and income taxes, with contingencies, inventory valuation and other estimates and assumptions that required auditors to exercise significant judgment also being reported. Of the companies reporting CAMs, only six reported as many as four CAMs, 17 reported three and just over half (54%) reported one, with an average of about 1.6 CAMs reported per company.
With the Financial Accounting Standards Board’s (FASB) decision to delay the effective dates of its various standards addressing leases, credit losses, hedging and long-duration insurance contracts, the good news is that many companies face an extended implementation timeline.
In effect, many companies have been granted a significant extension to prepare for these complex accounting standards — giving them an opportunity to learn from larger companies. The audit committee’s oversight should focus management on staying the course and remaining vigilant in preparations to comply. So long as companies follow a complete and thoughtful road map, are diligent in pursuing that road map, and have the affected accounts ready for audit, they should have no problem in executing the transition to the new standards by the revised effective dates, if not earlier. In fact, the FASB made it clear that organisations are welcome to adopt the standards before the effective dates.
But it is important for companies to focus on organising the effort sooner rather than later with the requisite project management, staffing, process refinements and technology solutions. No one should expect another reprieve from the FASB.
“So, what have we learned?” It’s a deceptively simple question that should be raised annually as a postmortem on the prior year with an eye toward identifying improvements in the financial reporting process. Like all processes, financial reporting operates in a dynamic environment and, accordingly, stands to be improved over time. The status quo is always under pressure.
For example, issues and challenges may be encountered in applying the revenue recognition standard; determining difficult accounting estimates related to asset impairments, income tax reporting, loss contingencies and other areas; preparing non-GAAP disclosures; overcoming internal control deficiencies; addressing critical audit matters raised by the external auditor; and implementing the new accounting standards discussed earlier. These instances represent opportunities to learn from experience and refine and improve the financial reporting process. Such discussions could identify the need for additional resources to deliver reliable financial reports. The committee should ascertain whether management is addressing such areas appropriately and bringing to bear the requisite skill sets and subject-matter expertise to resolve lingering issues, if any, on a timely basis.
Over the next year, the organisation may undergo significant change in several areas. As it does, the audit committee should serve as a vigilant advocate for financial reporting. For example, in working with other board members to monitor execution of corporate initiatives, such as cost-reduction plans or digital transformation efforts, audit committee members should ensure that nothing is done that would unintentionally compromise the integrity of financial reporting.
SELF-ASSESS COMMITTEE EFFECTIVENESS
It is a common practise for boards and their standing committees and individual directors to self-assess their performance periodically and formulate actionable plans to improve performance based on opportunities and areas of concern identified by the process. As part of that process, the audit committee and its members might consider the illustrative questions we have made available in a companion document to this issue of The Bulletin. The document is available here. In these dynamic times, we encourage committee members to periodically assess the committee’s composition, charter, agenda and focus in light of current challenges the company faces.
In “Assessment Questions for Audit Committees to Consider,” a comprehensive set of questions is provided. These questions may be customised to fit the committee’s assessment objectives. The questions cover the following topics:
- Committee composition and dynamics
- Committee charter and agenda
- Oversight of internal controls and financial reporting
- Oversight of the external auditor
- Risk oversight
- Business context
- Corporate culture
- Executive sessions
- Oversight of the finance organisation
- Oversight of internal audit
- Committee effectiveness
- Member orientation and education
We believe that the SEC and PCAOB view the audit committee as the final line of defense for ensuring quality financial reporting and financial statement audits. But with public reporting expanding beyond the traditional emphasis on financial performance, the audit committee’s role and responsibilities are evolving from “tough” to “tougher,” requiring more collaboration with other board committees. With change on the horizon, the next year offers an opportunity for directors to self-assess committee composition and scope with an eye toward improving the control environment, the financial reporting process, and disclosure controls and procedures related to nonfinancial disclosures.
 This list is based on the results of the latest annual global survey of senior executives and directors conducted by Protiviti and North Carolina State University’s ERM Initiative.
 Today’s Finance Priorities: Security, Data, Analytics and Internal Customers, Protiviti, September 2019.
 Embracing the Next Generation of Internal Auditing, Protiviti, March 2019.
 “The Results Are In: Sustainable, Responsible, Impact Investing by U.S. Asset Managers at All-time High — $8 Trillion!” Hank Boerner, Sustainability Update, November 16, 2016.
 “The Purpose of the Corporation and the Future of Work,” The Bulletin, Volume 7, Issue 4, Protiviti, October 2019.
 “PCAOB Revises the Auditor’s Report,” Protiviti Flash Report, June 5, 2017.
 “FASB Approves New Effective Dates for Four Major Accounting Standards,” Protiviti Flash Report, October 18, 2019. The short summary below shows the effective dates:
Note: “SROs” refers to smaller reporting companies, as defined by the SEC; “CYRC” refers to calendar year reporting company; “All Others” includes private and not-for-profits (except for public reporting debt obligors); and interim reporting requirements begin the following year for SROs and all other companies for leases, derivatives, and hedging and insurance contracts.
(The Bulletin: Volume 7, Issue 5)