A great deal has changed since we published Issue 8 of Volume 3 of The Bulletin, “Setting the 2009 Audit Committee Agenda.” We live in a world vastly different from that of just one year ago, and the current environment remains dynamic and challenging. Given where things stand today and looking forward into 2010, this issue of The Bulletin provides observations and ideas for consideration by boards and their audit committees. We will begin by describing 10 major challenges businesses face as a context for setting the 2010 audit committee agenda.
Ten Major Challenges
Following is a summary of 10 major challenges that many companies will face over the next 12 months. Needless to say, different industries face different issues and priorities, so the applicability and prioritization of the challenges included on this list will vary by industry.
The purpose of this list is to summarize many of the top-of-mind issues companies are facing in these interesting times, as this is the environment in which audit committees must plan their agendas for the coming year.
- Managing against an uncertain future – While we no longer face the prospect of an imminent meltdown in the financial markets, the waters are still very rough as companies look to the future and wonder what they don’t know. For example, what if there is an expansion of war in the Middle East involving Iran, driving up the price of oil to unprecedented levels? Or what if the default by Dubai World on the $60 billion it owes creditors creates more turmoil in the financial markets and further reduces investors’ willingness to take risks in the Gulf nations or, worse, is a fresh sign of a global property bubble? Or what if a second recession emerges and protectionist measures are adopted by the developed countries, leading to restrictions in global trade? While we can debate the plausibility of these and other scenarios, the reality is that companies must look at multiple views of the future to survive and prosper in an uncertain world. They also must evaluate the robustness and adaptability of their business model to thrive in a radically changed environment – even in unthinkable “black swan” scenarios that are highly unlikely to occur, but would have a huge impact if they did.
Another reality is that many managers have experienced only one environment for an extended period of time (i.e., operating cycles in which moderate to rapid growth could be reasonably expected during the upswing). During prior recessions, the cyclical nature of the economy led most managers to face the future with a reasonable level of confidence that the next boom was just around the corner, and they could plan accordingly. While we are as optimistic as anyone about the future, the reality is there are no guarantees that “business as usual” will return in the foreseeable future. Accordingly, company executives need to be prepared to look for opportunities to introduce new products and technologies and enter developing countries where the prospects for growth are evident or realistic or where growth is vital to meeting policy objectives (e.g., climate control initiatives, full employment, etc.). These developments may lead to new and emerging risks, which must be understood and managed.
- Evaluating the risks and assumptions underlying the business strategy – Both management and the board need to understand the risks inherent in corporate strategy. In addition, they must understand the significant assumptions underlying the strategy and ensure a process is in place to monitor the environment for changes that could alter those assumptions. This should be an ongoing process in an ever-changing world.
- Managing the balance sheet – Ensuring an optimal capital structure and securing the financing sources with the lowest cost of capital have long been priorities for corporate entities. Although McKinsey Quarterly reports there is no evidence that the long-term price of risk has increased over historical levels,1 short-term capital is not as easy to obtain as it was prior to the emergence of the financial crisis. Accordingly, many companies are scrubbing their balance sheets to manage working capital better and maximize cash flow from operations so that committed capital projects can be funded. For example, as they face the pressure of regulators focusing on the need for increased capital levels, banks are doing everything they can to maximize the value of problem loans so they can preserve as much enterprise value as possible. Ultimately, cash is king in the survival game. Longer term, the ability of an organization to perform well in the market depends on the efficiency of its capital structure.
- Managing organizational change and culture – Many businesses will need to restructure by selling or eliminating business lines. Stronger companies will seek opportunities to expand in a mergerand acquisition-rich environment. Any type of organizational change requires a heavy dosage of change management. With all of the change and turmoil over the past 12 months, it would be naïve to think that the corporate culture will remain unaffected. As corporate culture flows from the top down, the written and unwritten policies and operating philosophy of management all eventually impact the attitudes and performance of just about everyone across the enterprise. There has never been a more important time to ensure that organizational, process and individual metrics are aligned and on-strategy so that everyone is pulling in the same direction during these challenging times.
- Improving corporate governance and risk management – The financial crisis has put everything under the spotlight – for example, the effectiveness of risk management processes, the impact of incentive compensation on risk-taking behavior, the positioning of CROs and CCOs within the organization, the consideration of risk in strategy-setting and performance management, and the effectiveness of board risk oversight. As companies and their boards take a hard look at how they operate in light of these areas and apply lessons learned, they will improve their governance processes, as well as their risk management and risk measurement.
- Managing customer satisfaction, quality, time and costs – Competition has always been tough, and will be even more so in 2010 and beyond. Companies that thrive will be those that can deliver the quality customers want and expect in the fastest time and/or at the lowest cost. This focus forces management to look beyond organizational boundaries at the effectiveness of the supply chain and customer channels. Companies must guard against losing focus on their customers as they manage in a challenging operating environment.
- Re-evaluating compensation policies – From a compensation standpoint, it is no longer “business as usual.” Boards and compensation committees will be focused on evaluating the ties between compensation and longer-term performance, identifying personnel whose activities can place the enterprise at material risk, aligning the interests of executives with those of shareholders, and avoiding incentives to take unnecessary risks. While helpful, peer comparisons may no longer be enough to support the compensation plans in place. What investors may look for is a thoughtful rationale from management, as approved by the compensation committee, that links the incentive compensation structure to a longer-term strategy for creating sustainable value. The level of investor interest likely will be dictated according to the nature of the industry, the company’s business model, and the particular facts and circumstances.
- Attracting and retaining talent – The war for talent will be affected by the impact, real or perceived, of developing standards for incentive compensation (as discussed above), especially in financial services. Succession is another issue. As the changing demographics of an aging workforce have loomed large, companies have traditionally focused on who is in place and who is in the wings, with the objective of targeting how they compete for the best people. While both management and the board have always had to assess the capability and succession planning for key positions, that effort is even more important now as the most talented people have more opportunities open to them and larger numbers of quality people are available on the sidelines looking for gainful employment.
- Managing compliance in a more complex and intrusive regulatory environment – The financial crisis has spawned numerous legislative and regulatory initiatives in different countries. If reforms are not consistent on a global basis, dealing with regulatory change will be particularly daunting for multinational companies. In the financial services industry, regulators across the globe are likely to become more intrusive as they seek to prove they are up to the challenge, resulting in more aggressive actions at the individual institutional level to deal with issues, enhance risk management and improve capital levels. For instance, some regulators are proposing that large institutions develop “living wills” that provide road maps for how organizations will unwind their businesses if problems arise. This would be a very challenging exercise for the industry. Furthermore, developments in the regulatory environment are not limited to financial services, as we are seeing new developments in various countries in areas such as executive compensation and structuring the board of directors. Needless to say, the change readiness of many companies will be tested as regulatory reforms occur.
- Reducing risk of internal control and compliance breakdowns – As companies streamline their processes and “rightsize” their headcount, they need to be alert for signs the internal control structure is under stress and potentially prone to fail in critical areas, including opening up increased risk of fraud. This vigilance is important because as companies terminate their people and cut costs, there will be increased pressure on the remaining employees to perform and achieve results, leading potentially to an adverse effect on employee morale as personnel are asked to carry out the same tasks as before, with fewer resources, in an environment they may perceive as unstable.
It is at times like this when management must communicate the right messages around “doing the right thing” from a compliance standpoint, as well as from an ethical and responsible business behavior standpoint. As organizations look to improve information for decision-making, they also will need to upgrade their technology infrastructures and data management capabilities, as both are fundamental to better risk management and performance monitoring and increasing efficiency.
These are significant challenges that many companies face. In light of these challenges, audit committees must formulate an appropriate agenda.
The 2010 Agenda
In Issue 8, we introduced a “mandate” for audit committees and categorized the agenda items on that mandate into two categories – enterprise-level mandates and process and technology risk issues. We believe many items that were on the 2009 agenda will apply in the coming year. We also have identified other issues that we believe will be relevant to audit committee business in 2010. The following 10 mandates are based on our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums.
- Keep the company’s risk assessment evergreen – As noted above, the global economy is not out of the proverbial woods yet, and management must consider multiple views of the future when looking forward. Some are suggesting that boards (and not just boards of financial services institutions) should have access to risk experts. The National Association of Directors’ Blue Ribbon Commission recommends that boards clarify responsibilities both for the full board and for appropriate standing committees of the board as to the execution of the board’s risk oversight role. The message is that audit committees and boards should ascertain that they have the process, information and advice they need to fulfill their risk oversight responsibilities, consistent with the nature of the entity’s operations.2
Because of the dynamic environment and the potential for new and emerging risks, the audit committee may be charged with the responsibility to ensure that the company’s risk assessment process continues to function effectively to identify the enterprise’s significant exposures. While this oversight may be provided in other ways, a quality risk assessment is an essential prerequisite to many of the audit committee’s areas of inquiry and is germane to the committee’s responsibilities to discuss risk assessment and risk management policies with management, as required by one major stock exchange. Because the operating environment continues to change, it is important that the risk assessment process is sensitive to changing operating conditions.
Enterprise value is much more than the physical and financial assets reflected on corporate balance sheets. It is affected by such intangibles as customer assets, employee/ supplier assets and such organizational assets as the entity’s distinctive brands, differentiating strategies, innovative processes and proprietary systems. Intangible assets often have as much or more impact on enterprise value than physical and financial ones. Consider, for example, the risks that must be weighed with respect to suppliers and the supply chain. What is the financial condition of our key suppliers? Do we need contingency plans to maintain our supply lines? Should we be sourcing more strategically to reduce costs? Are our business partners capable of meeting their quality and time commitments? Should we be monitoring supplier performance more closely? The point is clear: An enterprise risk assessment contributes more value if it addresses all sources of enterprise value.
Using enterprise value as a context, the audit committee should focus on such questions as what are the “hard spots” and “soft spots” in the business plan; what keeps management up at night; do we know what we don’t know; are there any risks requiring additional information or perspectives; and how do changes in the operating environment affect the critical assumptions underlying our corporate strategy? A risk assessment is much more than a list of risks. The focus should be on creating transparency around the most critical risk exposures of the company, identifying changes in the operating environment and understanding how those changes impact the business. As a result, other standing committees of the board, as well as the full board itself, will have an interest in the risk assessment results – particularly when those results are evaluated in the context of the corporate strategy.
- Assess the capability and succession planning for the finance organization – The finance organization performs many activities directly under the oversight of the audit committee. Accordingly, given the changes taking place in many organizations over the past 12 months, the committee should satisfy itself that the skill sets available in finance match expectations. Given the aging workforce, as discussed earlier, succession is another area of inquiry. The committee should ensure that the finance organization has personnel who understand the organization’s industry, structure, culture, performance issues, and internal and public reporting requirements. As retention is an obvious priority, developing people and promotion from within should be emphasized whenever possible. Also, it is important to look for opportunities to hire financial talent at lower levels. In addition, external hires are ideal for obtaining higher or specific levels of expertise, achieving broader perspectives and expanded vision, and building an organization for other talent to follow. The good news for companies that must look outside for talent is that the available pool has never been greater.
- Understand the impact of compensation on risk-taking – As discussed earlier, compensation is an area requiring increased attention by many companies. The audit committee should plan to collaborate with the compensation committee, risk committee and other board committees, as appropriate, to understand the potential effect of incentive compensation arrangements on the enterprise’s risk-taking and the related effect of that analysis on public disclosures. This may entail the audit committee chair coordinating with other committee chairs or even attending a meeting of other committees when this issue is discussed. While the audit committee may not have direct responsibility for this assessment process, it does have an interest in the proper disclosure of the results.
- Evaluate internal control failure risk – As companies reduce process costs and “rightsize” their organizations, there will be increased pressure on employees to do more with less. This can place stress on the internal control structure, leading to control failures and breakdowns. As management formulates and executes headcount and cost reduction plans, care should be taken to ensure that essential control, compliance and risk management functions remain intact. For example, key control activities essential to financial reporting should not be compromised. New acquisitions, new business activities, and new IT systems can place the control structure under further stress, a possibility that should be carefully considered. Especially in the current environment, management needs to stress and enforce the code of ethics and provide clarity around roles and responsibilities, particularly in the delineation of key control responsibilities. The audit committee’s oversight role should ensure that there isn’t an unacceptable risk of noncompliance with key internal policies or exposure to breakdowns in risk management processes, vital internal controls and other safeguards.
- Evaluate competence, capability and reach of the internal auditor – As costs are reduced, audit committees should make sure the internal audit function (including any co-source partners) has the resources it needs to address the company’s key risks. As noted in our previous issue of The Bulletin, we see organizations recognizing that internal audit should be positioned to play a critical role in helping them manage change.3 As internal audit departments redirect their audit focus away from financial reporting controls compliance to other risk areas, there actually may be a need for additional resources, increased budgets, and/or utilization of outside skill sets to address the enterprise’s risks. This will be tough to obtain in the current operating environment. Using a current risk assessment, audit committees should weigh in on the rebalancing question to ensure that appropriate emphasis is given to the right priorities and risks along with a continued focus on risk-based auditing. In addition, there are still many companies without an internal audit function, and that should be a prime area of inquiry for the audit committees of those companies.
Process and Technology Risk Issues
- Evaluate the company’s ability to manage in the current economy – The audit committee should ensure that the organization is evaluating continuously its ability to manage the impact of unexpected changes in the economy, including market disruptions and other scenarios. While the actions necessary will vary by company, they may include such steps as: evaluating financial condition, liquidity and capital needs in different situations; considering the financial strength of key customers and business partners; incorporating more extreme scenarios, including worst case, into stress-testing routines to better understand liquidity and other exposures; re-examining and challenging business and operating models, including their fundamental value drivers, in light of the current operating environment; and periodically revisiting the critical assumptions underlying strategic and operating plans to determine if adjustments are needed given current circumstances. Many companies with fragmented legacy systems and lacking business intelligence technologies to provide historical, current and predictive views of business operations face challenges in accomplishing these assessments in a cost-effective manner. There needs to be someone or some group in place to do these things and ensure the needed capabilities are in place.
- Assess change readiness of the company to react in a timely manner to regulatory changes – Regulatory reform is a matter of when – not if. Audit committees should understand company readiness in dealing with changes in accounting standards, laws and regulations, and issues raised by regulators. For example, is the company able to react in a timely manner to new releases from accounting standard-setting bodies, pending regulatory changes, regulatory comment letters, bank regulator reviews and other developments? Is the company prepared to deal with convergence to international financial reporting standards (IFRS), including the significant revisions to accounting and reporting processes and the underlying technology systems? Is the company monitoring the regulatory environment for key changes that will necessitate adjustments to policies and processes? Especially in highly regulated industries, audit committees should understand key changes in regulations and how they impact the business so they can provide oversight as management responds to new and emerging regulatory developments and industry issues. For the financial services sector, in particular, significant regulatory changes lie ahead.
- Pay attention to the anti-fraud program – Because of the increased risk of fraud, a fresh look at the anti-fraud program may be warranted. In addition to an elevated alertness to the potential for fraud in this tough environment, an assessment also may be warranted of fraud risk, the effectiveness of the fraud prevention and detection process, and the escalation and response mechanisms in place to react to events (e.g., audit findings, whistle-blowers, new IIA Standards requiring fraud risk assessments).
- Focus on developments affecting external audit – A major function of the audit committee has been, and will continue to be, the oversight of the relationship with, and the competence, capability and reach of, the external auditor. As with the internal audit function, the audit committee should satisfy itself that the external audit team is bringing to bear the experience and skills needed to do the job. Also, as we noted last year, the audit committee should do the following:
- Request information to maximize insights from the attestation process, such as an identification of high-risk areas, an analysis of reserve levels, judgmental issues, the summary of passed adjustments, concerns with respect to the internal control structure, and areas of disagreement with management.
- Inquire as to the audit firm’s litigation exposure and capital levels, as litigation from the financial crisis unfolds.
- Understand the nature, timing and extent of external audit work performed offshore or in remote locations rather than the locations where the audit firm has engagement teams in place and on-site to perform the audit. These inquiries regarding offshoring should be directed to tax work as well. Depending on the extent of offshoring, questions arise as to how the accounting firm manages the quality of work and the confidentiality of company information. Also, the committee should inquire as to the extent to which independent contractors are used by the external audit firm in lieu of the firm’s employees and, if significant, how the firm manages the quality of the contractors’ work.
- Stay in touch with directors and officers (D&O) coverage – Historically, fraud and mismanagement in business have driven up D&O insurance premiums, raised policy limits, and tightened policy terms and restrictions. This is especially the case for financial institutions with the highest litigation risk. In this era of managing costs and shifting markets, boards should ensure adequate D&O coverage is in force. With very high limits, it makes sense to spread coverage among several insurance companies and reduce reliance on a single insurer. Watch out for insurers that have been downgraded by the rating agencies in the prior 12 months.
The year 2010 promises to be one of significant opportunities – and challenges – for most companies. The agenda items listed herein are significant matters warranting audit committee attention. We believe the committee can play an important oversight role in addressing them. Given that the importance of periodically evaluating the business model, managing profitability, controlling costs and managing risk is not only a sign of the times but also is essential to sustaining longer-term performance, the audit committee should evaluate its composition and current charter to ensure it is up to the challenge.
Ask how Protiviti can help your audit committee be more effective in 2010.
The challenges and opportunities highlighted in this edition of The Bulletin are based in large part on our experiences with audit committees and boards of directors during the past year. We have spent 2009 in partnership with audit committees from around the world to help them improve oversight into the key areas of concern for their organizations. Leveraging the knowledge of one of the largest internal audit practices in the world, combined with our deep industry expertise, we have helped these audit committees to establish internal financial control, risk management, compliance and governance programs; improve working capital management; manage the new IIA Standards; and gain confidence in managing risks inherent in targeted business strategies in these uncertain times. In 2010, would your audit committee benefit from a trusted advisor like this? Ask how at protiviti.com today.
1“Why the crisis hasn’t shaken the cost of capital,” Dobbs, Richard, Jiang, Bin, and Koller, Timothy M., McKinsey Quarterly, December 2008.
2Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward, National Association of Corporate Directors, October 2009.
3“Making Internal Audit a Value-Adding Contributor to Economic Recovery,” Issue 11 of
The Bulletin (Volume 3, Issue 12)