The demands on boards of directors are as significant today as they have ever been. Each committee of the board faces its own significant challenges, and the audit committee is no exception. Indeed, audit committees have their hands full with new accounting standards coming into effect, an active Public Company Accounting Oversight Board (PCAOB) inspections agenda, and continued uncertainty in the geopolitical, business and regulatory environments. Even the relevance of the accounting and reporting model is currently under fire.
As in prior years, we have identified several agenda items for audit committees to consider in the year ahead. In formulating the agenda items for 2019, we considered input from our interactions with client audit committees, roundtables and surveys we conducted during 2018, as well as discussions with directors in numerous forums.
ENTERPRISE, PROCESS AND TECHNOLOGY RISK ISSUES
Our suggested agenda for audit committees in 2019 includes four enterprise, process and technology risk issues.
(1) Understand and consider risks that could affect the business and its reporting
Is the committee privy to insights into emerging business risks and changes in critical enterprise risks? Are digital disruption, corporate culture, cybersecurity and other key issues adequately considered in its oversight?
An issuer’s financial statements include estimates and valuations of asset values, loss contingencies, and other matters that are affected by management’s assessment of the facts and circumstances inherent in the business environment. For example, in evaluating the adequacy of the allowance for loan losses, management must consider many internal factors, including the organization’s lending policies, procedures and underwriting standards; collection, charge-off and recovery practices; nature, volume and terms of outstanding loans; and existing credit concentrations. External factors are also relevant to the assessment, including global, national, and local economic and business conditions and developments; the competitive environment; estimated value of the underlying collateral; and applicable legal and regulatory requirements.
The point is that these and other relevant factors are subject to change, with the external factors susceptible to myriad market developments and the internal factors driven by management’s response to those developments. Such is the case with all financial statement estimates. Accordingly, change and its effects are highly relevant to financial reporting.
That is why the audit committee, irrespective of its role in the board’s overall risk oversight, should be aware of emerging business risks and changes in critical enterprise risks so that it can discharge its responsibilities to ensure reliable financial and public reporting. To that end, geopolitical events, digital disruption trends, organizational culture dysfunction, cybersecurity incidents, new laws and regulations, litigation and pending unasserted claims, and other developments should be identified in a timely manner, and their financial reporting implications understood.
To illustrate a summary of critical enterprise risks with which audit committees should be most concerned, we include a sidebar (see below) that highlights the top 10 risks for 2019. The list indicates whether a risk is increasing or decreasing since the prior year, based on findings from a recent global survey.1 (Note: All 10 risks are increasing. Also, notice the significant presence of technology-related risks on the list.)
Knowledge of the company’s risk profile and the changes in the business environment equips audit committee members to place into proper context the issues raised by management, critical audit matters and audit scope changes communicated by the external auditor, internal control concerns, internal audit findings, and other information the committee receives. Importantly, some risks must be considered from a disclosure perspective (e.g., cybersecurity and privacy and identity incidents, litigation developments, changes in market and other key risks, possible contingent liabilities that are not susceptible to estimation, and significant unusual transactions or events, to name a few). Other developments, such as notable attrition, may put undue pressure on established internal controls.
(2) Understand the impact of change on finance and its ability to deliver on expectations
Does the committee understand the impact of technology, changes in the business and new accounting standards on the finance function and its resource needs? Does it meet with the CFO and other senior finance executives periodically to ascertain whether they have the necessary skills and people to manage financial and reporting risks?
For many years, finance organizations have focused on increasing the efficiency of transaction processing to free up resources to enable value-added activities such as analysis, improved reporting and building effective working relationships with operating personnel. What’s new today is the advent of digital technologies that can be applied to the transaction processing and decision support processes of finance to enhance their cost-effectiveness further. Also new is the finance function’s ability to add value through robotic process automation (RPA), advanced data analytics and data visualization techniques, providing the company’s leaders with more timely and reliable information for decision-making.
The reality of the digital age is that chief financial officers (CFOs) and other finance executives face major — even disruptive — changes in their respective organizations and have two overarching challenges related to skills and scale. First, the magnitude of these changes can create a sudden need for markedly different forms of expertise. To illustrate, in the more common domain of the CFO, a change in the tax laws requires specific domestic and international tax skills and understanding. Outside of financial reporting, an enterprise resource planning (ERP) implementation requires finance professionals with technology and change management skills, an acquisition requires staff with integration experience, digital transformation requires data scientists, and so on.
Second, as CFOs manage change events of greater magnitude and with growing frequency, they need to be able to scale their teams up (and down) — quickly and efficiently — to execute these efforts. While these issues may not be new, they are more challenging today given the accelerated pace of change, shifts in workforce demographics, inevitable cost constraints and unrelenting expectations for speedy responsiveness. The “faster, better and cheaper” bell has never rung louder for finance than it does today.
As CFOs and other finance executives determine whether the finance organization requires new skills, such as those needed to engage in financial and strategic analysis, accommodate digital capabilities, implement change initiatives successfully, and plan process improvements to address key organizational priorities, they confront a range of difficult talent management questions:
- How do we resource these efforts (e.g., reassigning internal staff, hiring interim staff, investing in consulting services, or some combination of those approaches)?
- How do we hire and groom new expertise at a time when competition for in-demand talent has never been more intense?
- Does a traditional outsourcing relationship meet this need?
The point is that the audit committee should ensure finance is resourced appropriately to deliver on expectations. It is not good enough to merely ask the auditors for their view on the finance team. For example, it is worthwhile for committee members to spend one-on-one time with the CFO and other senior finance leaders to ascertain whether they have the right skills, number of people and other resources in their department to manage the company’s financial and reporting risks.
(3) Pay attention to ESG and integrated reporting developments
Is the committee considering the reliability of nonfinancial disclosures regarding environmental, social, governance and other matters in public reports?
As professionally managed funds have deployed the concept of selective investing — using environmental, social and governance (ESG) criteria to screen investments — and have grown assets under management into the trillions of dollars and increased their activism around ESG, directors and executives have taken notice.2 Regulators are receiving rulemaking petitions for standardized ESG disclosures.3 And these advancements have more companies embracing sustainable development and making commitments on the environmental, social and governance fronts. As they do so, they are finding it compelling, for a variety of reasons, to disclose their performance against ESG criteria to differentiate themselves from an investment-screening standpoint, particularly if investors expect such reporting. As more emphasis is placed on disclosure of ESG performance to the investment community, the audit committee should give greater attention to the effectiveness of the disclosure controls and procedures that provide reasonable assurance to management that such disclosures are presented fairly.
A related development the audit committee should monitor is the trend toward integrated reporting to address the company’s stewardship in deploying various forms of capital in the business — financial, manufactured, intellectual, reputational (social, cultural and community relationships), human and natural. The idea is for companies to tell their story in one integrated report, versus the fragmented approach of separate reports. This report would emphasize a broader range of measures underlying a company’s commitment to sustainable development and ethical values in pursuing near- and long-term profitable growth. The trend toward integrated reporting reflects the continued emphasis on disclosing nonfinancial data to investors consistent with the notion that market capitalization is derived from sources of value beyond strong financial performance. As with ESG reporting, the audit committee’s oversight emphasis on integrated reports — if the company were to issue one — should be on the effectiveness of the related disclosure controls and procedures.
(4) Ensure that internal audit is evolving to its highest and best use
Is internal audit accessing the talent it needs to deliver to expectations and on the audit plan?
Is it leveraging the tools of the digital age to broaden coverage on critical areas and deliver more value-added insights?
As with the finance organization, digital technologies and data analytics can be game changers for the internal audit function. Machine learning and RPA are among the many emerging technologies and innovations with which internal audit functions need to keep pace or else risk being left behind. However, our research indicates that the maturity of using digital technologies and data analytics in the audit process remains relatively low, particularly in North America, as many audit functions are likely using these capabilities as point solutions as opposed to part of a broader initiative to leverage analytics throughout the audit process.4
Most important, our research also points out that if a high level of information is shared with the audit committee regarding the use of analytics in auditing, the committee’s overall engagement in the process, which can include its willingness to authorize further investments in analytics, is higher. Thus, there is a correlation between audit committee engagement in analytics and information and insights the committee receives from internal audit’s use of analytics.5
In addition to the imperative to upgrade the function’s digital and analytics capabilities, our research indicates that fraud, cybersecurity threats, third-party risk, enterprise risk management and corporate culture are top audit plan priorities in 2019 for many companies. Other matters to consider might include the European Union’s General Data Protection Regulation (GDPR) and related legislation in various states (e.g., California and New York) regarding the collection and use of personal data, new accounting standards (e.g., revenue recognition and lease accounting), and ESG and sustainability reporting.
For many companies, it starts with setting expectations. With the pace of change demanding internal auditors to be more anticipatory, change-oriented and highly adaptive, the audit committee may want to inquire as to how internal audit is transitioning to analytics to improve its coverage of relevant audit areas in conjunction with the 2019 audit plan.
FINANCIAL REPORTING ISSUES
Financial reporting issues are fundamental to the audit committee’s core mission. Our suggested agenda for the year ahead includes four such issues for audit committees to consider:
(5) Oversee the financial reporting process and implementation of the new lease accounting standard
Is the audit committee satisfied with management’s preparation of the 2018 financial statements, including addressing revenue recognition accounting and all ramifications of the new leasing standard?
Overseeing the fairness of management’s approach to presenting the enterprise’s financial position, results of operations and cash flows is front and center to what the audit committee does. With organizations undergoing significant change, members of the audit committee:
- Must serve as an advocate for financial reporting in working with other board members to monitor the execution of corporate initiatives, such as cost-reduction plans, so that they are not unintentionally implemented in ways that would compromise the integrity of financial reporting;
- Should satisfy themselves as to the purpose of non-GAAP (generally accepted accounting principles) disclosures and other key operational measures, and with management’s processes and disclosure controls for ensuring their accuracy and consistency with prior periods; and
- Must give close attention to the implementation of new accounting standards.
Concerning the last point, the audit committee should pay close attention to revenue recognition and lease accounting. For the former, it will be the second time around for most companies. For the latter, it will be a first-time implementation,6 which the Financial Accounting Standards Board (FASB) recently amended with a new transition method and practical expedient to separating leasing contract components in accordance with the new standard’s requirements.7 The audit committee should ensure management addresses these important areas appropriately and monitors the quality of the implementation, including ensuring management brings to bear the requisite skill sets and subject-matter expertise as well as resolves issues, if any, on a timely basis.
(6) Focus on critical audit matters raised by the auditor
Critical audit matters communicated in the auditor’s report provide an opportunity for management and the audit committee to evaluate whether to make improvements to the financial reporting process.
A “critical audit matter” is defined by the PCAOB as a matter that (1) relates to accounts or disclosures that are material to the financial statements, and (2) involves especially challenging, subjective or complex auditor judgment.8 As such matters are required to be communicated to the audit committee and disclosed in the auditor’s report, they present an imperative for management and the audit committee to evaluate whether improvements need to be made to the financial reporting process. For example, if there are significant judgmental issues on which management and the auditor do not see eye to eye or if management is applying aggressive accounting principles, they represent an opportunity for the organization to streamline and improve the entity’s accounting and reporting. Now that public reporting of critical audit matters is a reality, this way of thinking may be the most practical response available to the audit committee and management.
(7) Understand issues raised by the PCAOB and the SEC that might impact the audit process
The PCAOB’s inspections scope and new standards may influence the audit process. Periodically, SEC commissioners and staff express concerns in areas that warrant the attention of issuers.
It’s been a relatively quiet year for the PCAOB on the standards front, and PCAOB inspections reports on large firms are pending issuance. At this time, the best action for audit committees is to remain vigilant in audit areas where significant deficiencies have been found in recent years in PCAOB inspections. These areas include:
- Recurring audit misstatements
- Assessment of and response to risks of material misstatement
- Deficiencies in internal control over financial reporting
- Significant accounting estimates and subjective areas, including fair value measurements, impairment analyses for goodwill and other long-lived assets, valuations of illiquid equity securities and debt instruments, and continuing as a going concern
- Income tax disclosures
- Deficient “referred” work in cross-border audits in certain countries
The committee should also pay attention to indicators of potential emerging risks, such as increased mergers and acquisitions (M&A) activity, volatile commodity prices, unexpected economic downturns, and the need to maintain audit quality as the audit firm grows its consulting services business.
Also, the audit committee should stay abreast of developments on the SEC front. Currently, the SEC appears to be more concerned with such macro issues as improving retail investor oversight, pursuing appropriate innovation in its oversight processes, and strengthening its performance in several areas, including enforcement programs. In accordance with the White House mandate to all federal agencies to reduce needless regulatory burdens, the SEC is also focused on eliminating provisions of Regulation S-K that are duplicative, overlapping, outdated or unnecessary, and it recently released some changes in this regard. All that said, the audit committee should be mindful that the SEC can raise issues affecting the company’s public reporting at any time in a variety of ways.
(8) Focus on other financial reporting areas of significance
Financial institutions and companies providing financing to customers should focus on the new standard for measuring credit losses on financial instruments. All companies must apply learnings from 2018 financial reporting (e.g., applying the new revenue recognition standard) and continue to refine their understanding of, and financial reporting on, changes to corporate income taxes in the U.S. (including earnings outside the U.S.).
Aside from revenue recognition, lease accounting and non-GAAP disclosures, as discussed above, the audit committee should ensure that lessons learned from the preparation of the 2018 audited financial statements are internalized and addressed in 2019 (e.g., any issues encountered applying the new revenue recognition standard). All companies must continue to refine not only their understanding of, but also their reporting on, changes to corporate income taxes in the United States, which affect earnings overseas as well.
Beyond the need to refine financial reporting based on the effects of income tax law changes in the United States by the end of this year, there aren’t any significant new standards on the horizon except for financial institutions, credit unions and other companies that provide financing to customers. These entities must focus on the new standard for measuring credit losses on financial instruments, which becomes effective for public companies in 2020 and private companies a year later. (Early application is permitted for all companies in 2019.) Specifically, they must adopt a current expected credit loss (CECL) model that requires them to exercise judgment to immediately record the full amount of expected credit losses in their loan portfolios using the method that’s appropriate given the facts and circumstances, instead of waiting until the losses qualify as “probable.” Beyond traditional loans, the revised standard will affect such assets as debt securities, trade receivables, net investments in leases, off-balance-sheet credit exposures and reinsurance receivables.
SELF-ASSESS COMMITTEE EFFECTIVENESS
It is a common practice for boards and their standing committees and individual directors to self-assess their performance periodically and formulate actionable plans to improve performance based on opportunities and areas of concern identified by the process. As part of that process, the audit committee and its members might consider the illustrative questions provided in the exhibit to this issue of The Bulletin. Committee members should periodically assess the committee composition, charter and agenda focus given the current challenges the company faces.
The exhibit includes a question that encourages a full board discussion to address whether there are topics covered by the audit committee that should be assigned elsewhere. It is not unusual for the audit committee to become the default committee when oversight responsibilities are assigned by the board to its various standing committees (i.e., if a topic doesn’t fit somewhere else, it gets assigned to the audit committee by default). If that has been past practice, the board needs to ensure the audit committee doesn’t get overloaded with responsibilities that detract from its primary function to ensure reliable financial reporting.
We believe that the SEC and PCAOB view the audit committee as the final line of defense for ensuring quality financial reporting and financial statement audits. But with public reporting expanding beyond the traditional emphasis on financial performance, the audit committee’s job and responsibilities are evolving from “tough” to “tougher,” requiring more collaboration with other board committees. With change on the horizon, 2019 offers an opportunity for directors to self-assess committee composition and scope with an eye toward improving the control environment, the financial reporting process, and disclosure controls and procedures related to nonfinancial disclosures.
EXHIBIT: Questions for Audit Committees to Consider
When the audit committee decides to assess its composition and focus, the following are illustrative questions to consider given the current challenges the company is facing:
- Are all members of the committee financially literate?
- Is at least one audit committee member an expert in financial reporting matters germane to the specific issues the company faces?
- Do audit committee members have the requisite experience and expertise, and is the committee’s composition sufficiently diverse to oversee the financial reporting process, an expanded emphasis on disclosing nonfinancial information to investors, and other relevant issues germane to the committee’s chartered activities?
- Are the committee charter and agenda focused on the issues most likely to affect the quality of financial and other information reported?
- Do committee members have the time to do their jobs effectively? For example, if a member serves simultaneously on multiple audit committees (say, for more than three public companies), has the board considered whether that individual can devote sufficient time and attention to the items on the company’s audit committee agenda?
- If the company is listed on the New York Stock Exchange (NYSE), does the audit committee discuss policies concerning risk assessment and risk management?
- If the audit committee takes on only those risk oversight responsibilities that address the risks inherent in the committee’s chartered activities (e.g., financial reporting, fraud, reputation, and certain compliance, technology and other risks), does it collaborate with other board committees and the full board to ensure that no significant risks are overlooked by the board in its risk oversight?
- If the board delegates its risk oversight responsibilities to the audit committee, is the committee able to devote sufficient time to the risk oversight process as well as to its other responsibilities? Does the committee give sufficient time to monitoring the strength of the company’s risk governance and culture?
- Regardless of the scope, are committee members satisfied that they have an understanding of the business, technology and other risks that could affect financial and public reporting?
- Does the board periodically assess the topics allocated to its standing committees? If not, has the audit committee considered having a full board discussion to address whether certain topics on the committee’s agenda should be transferred to another board committee or to the full board?
- Does the audit committee have a strong business context to discharge its responsibilities effectively? For example, does it consider:
- Changes in the operating environment that can result in changes in competitive pressures and different financial reporting risks;
- Significant and rapid expansion of operations that can strain the control environment and increase the risk of controls breakdowns;
- Changes in the control environment, including the tone at the top, which could affect its overall effectiveness;
- How new business models, products or activities may introduce new risks associated with financial reporting;
- New accounting pronouncements and tax regulations; and
- Other relevant aspects of the current business environment that present change from the prior year?
- Does the committee give adequate attention to overseeing the following areas?
- The financial reporting process, including reviewing annual and quarterly financial statements, earnings releases (including management’s discussion and analysis, information and guidance provided to analysts and rating agencies, and pro forma or “adjusted” non-GAAP information in releases)
- Critical accounting policies, quality of management judgments and estimates impacting the financial statements, and written communications between external and internal auditors and management
- Hiring, retention, performance and compensation of the external auditor, including pre-approval of non-audit services to be provided by the external auditor, and policies on hiring personnel from the external auditor (with an appropriate cooling-off period)
- Setting the tone for the company’s relationship with the external auditor in preserving auditor objectivity, in part, through direct oversight of the audit relationship and overseeing the auditor’s independence
- Establishing procedures for handling complaints and employee concerns on accounting, financial reporting, internal control, auditing and related compliance issues, and periodically evaluating and revising the process as necessary
- Unless responsibility is delegated to one or more other board committees, does the audit committee perform the following duties:
- Understand the company’s risk profile and oversee risk assessment and risk management practices? (Note: This is a requirement for NYSE-listed companies.)
- Oversee the organization’s ethics and legal compliance policies, including the code of conduct and mechanisms for employee reporting?
- Is the committee satisfied with the following?
- Appropriate financial reporting controls and disclosure controls and procedures are in place.
- It is being notified of any significant deficiencies and material weaknesses on a timely basis and is kept informed of steps taken along the timetable for remediating these issues.
- It is notified promptly of significant compliance issues and regularly briefed on the status of outstanding issues.
- The frequency and duration of committee meetings are sufficient to permit active discussions with senior management and other executives.
- Does the committee:
- Serve as an advocate for financial reporting in working with other board committees to monitor the execution of corporate initiatives, such as cost-reduction plans, so they do not result in unintended consequences that could compromise management meeting its financial reporting responsibilities?
- Understand the purpose of non-GAAP disclosures and other key operational measures included in public reports outside of the audited financial statements? Is it satisfied with management’s processes for ensuring the accuracy and consistency of this information with prior periods?
- Give close attention to the implementation of the new accounting standards?
- Before reporting on its activities to the full board and shareholders, is the committee satisfied a process is in place to ensure all matters in the committee charter are covered sufficiently by its activities?
- At least annually, does the committee review its responsibilities to ensure its workload is manageable?
Note: These questions are intended to be illustrative and do not purport to cover every topic the committee should consider.
 This list is based on the results of the latest annual global survey of senior executives and directors conducted by North Carolina State University’s ERM Initiative and Protiviti, available at www.protiviti.com/toprisks.
 “The Relevance of Sustainability Performance to Board Risk Oversight,” Board Perspectives: Risk Oversight, Issue 103, Protiviti, May 2018.
 For example, see letter to Brent J. Fields, Secretary, Securities and Exchange Commission, from investors and associated organizations representing more than $5 trillion in assets under management, October 1, 2018.
 Analytics in Auditing Is a Game Changer, Protiviti, March 2018.
 The FASB’s new lease accounting standard is scheduled to become effective for public companies in fiscal years beginning after December 15, 2018 (i.e., effectively January 1, 2019, for calendar-year companies, beginning with the first quarter of 2019), and for private companies a year later.
“FASB Issues Targeted Improvements to Lease Standard,” Flash Report, Protiviti, August 14, 2018.
 “PCAOB Revises the Auditor’s Report,” Flash Report, Protiviti, June 5, 2017.
(The Bulletin Volume 7, Issue 1): Protiviti's Review of Corporate Governance