As we approach 2018, the environment for audit committees appears to be “more of the same.” With the onslaught of new accounting standards, pressures on accounting firms from the Public Company Accounting Oversight Board (PCAOB) to increase audit quality, and uncertainty in the business and regulatory environment, it’s not a surprise that many audit committee members feel tasked to the limit. This storyline has been a constant one over recent years and continues unabated in 2018.
Based on interactions with client audit committees, roundtables we have held in 2017, surveys we have conducted, and discussions with directors in numerous forums, we have identified agenda items for audit committees to consider in 2018. Our suggested agenda consists of eight issues — four pertaining to enterprise, process and technology risks and four to financial reporting related risks.
The 2018 Mandate for Audit Committees
Enterprise, Process and Technology Risk Issues
Audit committees should periodically assess their effectiveness, ensure they have a sufficient business context in discharging their responsibilities, be alert for signs of a dysfunctional culture and ensure the necessary talent is in place to support their oversight. The following issues address these points.
01. Assess the effectiveness of the committee composition and focus
Do committee members have the requisite experience and expertise to oversee management on the appropriate issues, and are the committee charter and agenda focused on the issues most likely to affect the quality of financial and other information reported to investors? Do committee members have the time to do their jobs effectively?
It is a common practice for boards and their standing committees and individual directors to self-assess their performance periodically and formulate actionable plans to improve their performance based on opportunities and areas of concern identified by the process. As part of that process, the audit committee and its members might consider the illustrative questions provided at the conclusion of this issue. These questions pertain to such matters as committee composition, scope, important contextual topics, timely escalation of critical issues and other points of focus. The important point is to assess periodically the committee composition, charter and agenda in view of current challenges the company faces.
02. Understand the critical risks that could affect the business and its financial and public reporting
Are emerging business risks and changes in critical enterprise risks identified and addressed in a timely manner? Are cybersecurity, privacy and identity, and other related issues adequately considered?
Section 303A.07(b)(D) of the New York Stock Exchange (NYSE) listing standards requires audit committees to “discuss policies with respect to risk assessment and risk management.” Because this requirement doesn’t exist in other exchange listing standards, the extent to which audit committees are involved in the board risk oversight process varies across organizations.
With the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) release of the recent enterprise risk management (ERM) framework, we expect more attention over the next five years at the board and senior management levels on advancing risk management to meet the challenges of an unpredictable, volatile world. The COSO ERM framework will help organizations focus on four critical themes: integrating ERM with strategy; integrating risk with performance; tying risk considerations into decision-making processes; and laying the foundation for ERM with strong risk governance and culture. While these themes are not new and have been addressed in prior issues of The Bulletin, COSO’s emphasis on them is unmistakable and markedly different from that of its previous framework. Depending on the designated risk-related responsibilities in its charter, the audit committee may have an interest in senior management’s consideration of these themes.
In some entities, the board delegates its risk oversight responsibilities to the audit committee. In others, the audit committee takes on only those risk oversight responsibilities that address the risks inherent in the committee’s chartered activities (e.g., financial reporting, fraud, reputation, and certain compliance, technology and other risks).
Regardless of the scope of its risk oversight, committee members must understand the business, technology and other risks that could affect financial and public reporting. A summary of the most important risks — the critical enterprise risks — highlights the issues with which audit committees should be most concerned. To illustrate, we include the top 10 risks for 2018 based on a recent survey (see sidebar). This summary indicates whether the risk is increasing or decreasing since the prior year. The top risks list underscores the critical issues of disruptive change and resistance to change.
Armed with knowledge of the company’s risk profile and given the constantly changing business environment, audit committee members are able to focus on emerging business risks and changes in critical enterprise risks in order to discharge their responsibilities to ensure reliable financial and public reporting. In addition, certain risks must be considered from a disclosure perspective (e.g., cybersecurity, privacy and identity, and other related issues). Finally, when management conducts a risk assessment, the audit committee should be mindful that change can create significant unusual transactions or events; put pressure on established internal controls; impact accounting estimates, asset valuations, contingent liabilities, and risk disclosures; and drive changes in the scope of the external audit process.
03. Pay attention to conduct at the top, and consider whether the tone in the middle is consistent with the tone at the top
Is executive management sending the right signals to the organization through both words and actions? How does management know that the culture permeating the organization is aligned with the entity’s mission, vision and values?
In what’s been an ongoing, long-term trend, incidents have occurred over the past year evidencing poor judgment, gross neglect, irresponsible business behavior and illegal acts — actions that often are inconsistent with companies’ brand promises. These incidents raise timeless questions:
- What signals was executive management sending to the organization through both words and actions that could have incented the behavior?
- Were the warning signs of dysfunctional behavior evident from a risk management and internal control standpoint? For example, did the information the board of directors and senior management receive in exercising oversight in the area in which the incident occurred provide insights as to the potential issues? If not, why weren’t they warned? If so, why were opportunities missed to take timely corrective action?
- Were decision-makers aware of near misses (such as past policy violations or failure to heed established risk limits) or relevant information escalated from the front lines? Were there conflicts of interest that ultimately compromised established internal controls? If so, why wasn’t action taken?
- What concrete actions did senior management fail to undertake to ensure the culture permeating the organization was aligned with the entity’s mission, vision and values?
- What role did the board play in providing oversight and asking the tough questions? Did the board or a committee of the board hold executive or private sessions with the function or unit knowledgeable of the incident?
- Were warning signs posted by the second-line-of-defense function or internal audit? If so, why weren’t these warnings addressed?
The audit committee should exercise diligence in watching for a pattern or signs that indicate a dysfunctional or flawed risk culture. Conduct at the top is where it starts. But it doesn’t end there. If the tone in the middle is not aligned with the tone at the top, there could be serious risks lurking within the organization’s processes that are high in impact but slow in velocity as they await ultimate revelation in the form of massive product recalls, egregious safety violations, material financial reporting errors, cybersecurity breaches and other significant events. That can present problems for an audit committee if these latent risks lead to serious unknown deficiencies in the control environment.
04. Consider whether talent in the finance and internal audit functions is meeting expectations
Are there weak spots requiring attention? Are capabilities aligned with the company’s needs? Are there new skills required due to pending accounting changes?
As the organization and business environment change, the finance and internal audit functions must likewise evolve so that capabilities are aligned with the company’s needs. While finance’s specific priorities may vary from company to company, the audit committee should ensure the finance organization is resourced appropriately to deliver to expectations. With the advent of new accounting changes, finance needs to determine whether new skills, such as those needed to accommodate digital capabilities, are required to implement the changes successfully. Likewise, chief audit executives (CAEs) and their functions continue to face increasingly demanding expectations. When reviewing the CAE’s risk-based audit plan, audit committees should ensure these plans consider relevant issues, such as cybersecurity, compliance, operational or cultural matters.
In addition, within a digital and data-driven world, both finance and internal audit should embrace analytics. The most significant takeaway from a recent Protiviti survey indicates that CAEs and internal audit professionals increasingly are leveraging analytics in the audit process, as well as more continuous auditing and monitoring activities. That is important, as the pace of change demands internal auditors be more anticipatory, change-oriented and highly adaptive, particularly with respect to such matters as cybersecurity and various aspects of the digital revolution. Digital and advanced analytics enable broader audit coverage — more return on audit investment. Accordingly, audit committees should inquire as to what CAEs are doing on the digital and analytics front.
Financial Reporting Issues
Financial reporting issues remain at the heart of the audit committee agenda. That will never change. Following are four such issues for audit committees to consider.
05. Oversee implementation of the new revenue recognition standard
Is management getting the job done? Has the experience to date shown what can be expected on other new standards as they become effective?
In 2018, the game officially changes for revenue recognition. Public companies must adopt this accounting standard no later than annual reporting periods beginning after December 15, 2017, including interim reporting periods therein. That means a calendar-year reporting company must adopt the standard beginning with the first quarter of 2018. So, at this point the question becomes, “Is management getting the job done, because the job needs to get done?” Audit committees should monitor the quality of the implementation and ensure that issues, if any, are raised and addressed on a timely basis. To the extent that the company’s progress on this issue highlights strengths or weaknesses in the functions doing the work, that should be factored into company plans regarding other impending accounting changes.
06. Determine whether the company is sufficiently focused on matters the SEC considers important
Does the committee understand the Commission’s concerns (e.g., diversity, workload, non-GAAP disclosures, valuation issues, asset impairments, cyberdisclosures), and is it focused on those areas?
Building on the premise that a key element of board oversight is working with management to achieve high-quality financial reporting (including implementing quality accounting policies and internal control over financial reporting and appointing independent external auditors to promote accurate and timely financial reporting), the SEC chief accountant, Wesley Bricker, offered guidance to audit committees in a March 2017 speech:
- Understand the business environment — As noted earlier, the audit committee needs a strong business context to discharge its responsibilities effectively. In particular, aspects of the current business environment warrant consideration. For example: changes in the operating environment that can result in changes in competitive pressures and different financial reporting risks; significant and rapid expansion of operations that can strain existing internal controls and increase the risk of control breakdown; new business models, products or activities that may introduce new risks associated with financial reporting; and new accounting pronouncements.
- Committee diversity — Board composition, including diversity, and assessment should be board priorities. Diversity diminishes the extent of groupthink, and diversity of relevant skills (e.g., industry and financial reporting expertise) enhances the audit committee’s ability to monitor financial reporting.
- Committee workload — Citing a survey in which only 57 percent of audit committee members say their workload is manageable, Bricker stressed the importance of boards assessing the risk of audit committee overload and ensuring that the audit committee is able to fulfill its core roles and responsibilities.
- Tone and culture — Citing a survey in which roughly one in four audit committee members ranked tone and culture as top challenges in their oversight role, Bricker encouraged both audit committees and management to perform assessments on the adequacy of the control environment, including tone at the top.
- New accounting standards — Audit committees should give close attention to implementation of the new revenue recognition rules, as discussed earlier, and the standard on measurement and recognition of financial instruments, which is also required for public companies for fiscal years beginning after December 15, 2017, including interim periods within those fiscal years. The new lease accounting standard should also be on the committee’s radar, as it will be implemented in 2019.
- Non-GAAP and key operational measures — Audit committees are well-positioned to understand management’s purpose in disclosing non-GAAP and other key operational measures and management’s process and controls to ensure the accuracy and consistency of such measures with prior periods.
- Auditor oversight — Audit committees help set the tone for the company’s relationship with the external auditor and play an important role in preserving auditor objectivity, in part through direct oversight of the audit relationship. The audit committee must own the selection of the audit firm, make the final decision when it comes time to negotiate the audit fee and oversee the auditor’s independence.
- Advocacy for financial reporting — Audit committees should work with other board committees to monitor execution of corporate initiatives, such as cost-reduction plans, so that they are not unintentionally implemented in ways that would compromise the control environment and management meeting its financial reporting responsibilities.
07. Understand the audit issues raised by the PCAOB and how they might impact the audit process
The PCAOB’s inspections scope and new standards may influence the audit process.
Over recent years, the PCAOB’s inspections scope and new standards have influenced the audit process. Expect that trend to continue in 2018.
It’s always useful to take a look at the PCAOB’s road map, summarizing areas of significant audit risks targeted by the board’s inspectors, as this provides insight into areas that not only are of interest to auditing firms, but also areas that will affect how preparers and issuers track, process and report financial information. In addition to focusing on new accounting standards (as noted by the SEC staff), PCAOB inspectors will review the use of software audit tools by auditors, as well as audit procedures performed to assess and address the risks of material misstatement to financial statements posed by weak cybersecurity. Given the increasing occurrences of cybercrime, it’s not surprising that the PCAOB is emphasizing this area.
Another point of emphasis is on areas that may involve significant judgment, estimates and subjectivity from management and/or auditors, such as the auditor’s consideration of the entity’s ability to continue as a going concern, and income tax disclosures. Some of the more prevalent issues concerning estimation processes include those identified in prior years:
- Evaluating impairment analyses for goodwill and other long-lived assets
- Valuations of assets and liabilities acquired in business combinations
- Valuation of illiquid equity securities and debt instruments
The PCAOB continues to focus on procedures related to the above, as well as other accounting estimates, including fair value measurements used in financial reporting, due to the increased risk of material misstatement that such estimates may pose to the financial statements. Audit committees should inquire of preparers regarding the processes and controls over how estimates are developed, including management’s validation of data used in the estimation and evaluation of management’s assumptions, inputs and methodologies that are significant to the estimate.
In addition, the PCAOB will be looking at other areas of potential audit risk. These include recurring audit deficiencies, the impact of economic factors, referred work performed by other audit firms on multinational audits, auditor independence, information produced by entities for use by the auditor, and accounting for nonfinancial assets, allowance for loan losses and other judgmental areas.
08. Focus on the implications of areas of change that are imminent
For example, understand the new lease accounting standard’s impact on the company’s financials and the implications of incorporating critical audit matters in the auditor’s report.
In 2018, the new lease accounting standard will loom on the horizon for public companies. Directors should inquire of management’s progress in preparing to implement the new lease accounting standard, particularly for lessees. There is a lot to do if there are a significant number of leasing transactions — inventorying transactions outstanding; preparing initial interim period reporting; and establishing new policies, processes, systems and internal controls (particularly for subsequent remeasurement of lease contract modifications).
The PCAOB now requires the auditor to communicate, in the auditor’s report, any critical audit matters arising from the audit of the financial statements or, alternatively, state that the auditor determined that there were no such matters. A “critical audit matter” is defined as a matter that was communicated or required to be communicated to the audit committee and that (1) relates to accounts or disclosures that are material to the financial statements, and (2) involves especially challenging, subjective or complex auditor judgment. This change is an important one for audit committees, as it could create a chilling effect on auditor communications with audit clients. If companies have significant judgmental issues on which management and the auditor do not see eye-to-eye, or if management is applying aggressive accounting in judgmental areas, these topics will likely appear in the auditor’s report as critical audit matters.
The audit committee has a difficult, demanding role amid regulatory expectations that it serves as the final line of defense for ensuring quality financial reporting. The coming year offers an opportunity for directors to self-assess committee composition and scope with an eye toward improving the control environment and the financial reporting process.
Enterprise Risk Management — Aligning Risk with Strategy and Performance, COSO, September 2017.
This list is based on the results of the annual global survey of senior executives and directors conducted by North Carolina State University’s ERM Initiative and Protiviti, available at www.protiviti.com/toprisks.
Embracing Analytics in Auditing, Protiviti, 2017.
Private companies must adopt the new rules no later than annual reporting periods beginning after December 15, 2018, including interim reporting periods therein.
“Advancing the Role and Effectiveness of Audit Committees,” Wesley R. Bricker, SEC chief accountant, remarks before the University of Tennessee’s C. Warren Neel Corporate Governance Center, March 24, 2017.
The new standard introduces a right-of-use principle for lessees providing that a lease conveys the right to control the use of an asset, creating an asset and a liability that must be reflected on the lessee’s balance sheet. As a result, lessee companies must record leased assets and lease liabilities on their balance sheets. Accounting will differ for capital and finance leases and operating leases; however, both types of leases would result in lessees recognizing a right-of-use asset and a lease liability. For lessor companies, there will likely be less change.
Protiviti PCAOB Flash Report: “PCAOB Revises the Auditor’s Report,” June 5, 2017.
(The Bulletin - Volume 6, Issue 9)