Since Protiviti published Issue 1 of Volume 3 of The Bulletin, “Setting the 2008 Audit Committee Agenda,” a year ago, the world has changed – dramatically. This issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider to help their organizations get through the trying times in the year ahead.
Last year in Issue 1, we recommended several items for the audit committee agenda. We devoted several issues of The Bulletin to discussing these items in greater detail. The issues considered are still relevant and important in 2009. They are discussed briefly below, along with some updated commentary:
- Focus on the credit ratings process evaluating ERM quality – At a webinar we conducted in January 2009, which was attended by more than 175 executives from companies representing many industries, 40 percent of the participants shared that, with respect to their state of readiness for a credit agency review of enterprise risk management (ERM) quality, they needed to review, or were unsure of, their state of preparedness. Some 33 percent noted they were planning improvements in their risk management capabilities either very soon or within the next two years. Only 27 percent indicated they were fully prepared for the process. In our view, the times strongly suggest a need for an effective ERM process. Issue 2, as reissued for Standard & Poor’s May 2008 final release, outlines how the credit agency is approaching the assessment of ERM in nonfinancial companies.
- Focus on management’s strategy relating to IFRS and U.S. GAAP – With new SEC Chair Mary Schapiro now confirmed, all eyes will be watching the SEC to see if its Roadmap for convergence of U.S. GAAP with International Financial Reporting Standards (IFRS), as defined in the United States under Schapiro’s predecessor, Christopher Cox, will remain intact. One of the challenges companies face in providing commentary on the Roadmap is obtaining a full understanding of the implications of adopting IFRS. Therefore, the SEC has extended the period for commenting on the Roadmap for 60 days to April 20, 2009. Issue 3 of The Bulletin discusses the ramifications for companies adopting IFRS. Regardless of what happens in the United States, IFRS is an issue in other countries.
- Create transparency around large risk exposures – We believe the themes emphasized in Issue 1 around the important oversight role played by directors in understanding the company’s significant risk exposures are still very important. They are: (a) understand why you make money; (b) identify and manage your “trust positions”; (c) understand your risk profile; (d) pay attention to culture; (e) establish accountability for results; and (f) create a process for timely escalation. These themes were discussed in depth in Issue 4. It is clear that many financial institutions did not heed them.
- Understand electronic discovery issues and the related exposures to the company – These matters, discussed further in Issue 5, are still relevant because of the high cost of failure to comply with electronic production obligations and the increase in litigation that accompanies any economic downturn. Companies will benefit from a more proactive approach to reduce costs and risk if their policies and technology related to electronic discovery are outdated and if they are experiencing significant cost, time and burden associated with electronic discovery proceedings.
- Understand management of IT security and changes to the IT environment – As companies implement enterprise resource planning systems and major systems modifications, the risks relating to security and integrity, which are often exacerbated in a down economy, can be significant. These risks warrant attention by management and the audit committee.
- Monitor and understand key changes in regulations and their impact – Audit committees of companies in regulated industries should understand key changes in regulations and how they impact the business so they can provide oversight as management addresses new regulatory developments and industry issues as they emerge. For the financial services sector, in particular, significant regulatory changes lie ahead.
The 2009 Agenda
In addition to the unfinished business in the aforementioned matters, we see several other mandates on the minds of audit committee members. These mandates are based on our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums. They are listed below in the accompanying box and are discussed further in two categories: enterprise-level mandates and process and technology risk issues.
The 2009 Mandate for Audit Committees
Enterprise-Level Mandates
- Refresh the company’s risk assessment with a different lens – Refresh the company’s risk assessment in light of current operating conditions and the potential for a continued and deep recession.
- Strengthen tone at the top – As companies cut costs and “rightsize” their organizations, increase (a) the volume of management’s communications emphasizing the importance of responsible business behavior and (b) the focus on preventing and deterring fraud.
- Watch out for cracks in the internal control structure – Be alert for signs the internal control structure is under stress as the company pursues cost reduction plans, process streamlining and employee head count reductions.
- Make sure your internal audit function is effective in addressing the key risks – Be certain your internal audit function has the resources, budget and skill sets it needs to address the company’s key risks.
Process and Technology Risk Issues
- Evaluate the company’s ability to weather the storm – Ensure the company is evaluating continuously its ability to (a) manage the impact of the economic crisis and (b) improve its chances of dealing with future market disruptions.
- Focus on key emerging financial reporting issues – Focus on the impact of developments in fair value accounting, mergers and acquisitions (M&A), noncontrolling interests and financial derivative transactions, and determine the effect of current economic conditions on the balance sheet.
- Understand how outsourced/offshored operations are being managed – Understand how the risks associated with outsourced and offshored operations are being managed, particularly if they have a significant impact on financial reporting.
- Understand your external auditor – Request information to draw insights from the attestation process, inquire as to the audit firm’s litigation exposure and capital levels, and understand the audit work performed offshore or at remote locations rather than locations where the audit firm has on-site audit teams in place.
Enterprise-Level Mandates
1. Refresh the company’s risk assessment with a different lens.
An important contribution of risk management is to help executives and directors make better choices during the strategy-setting and business-planning processes. Effectively integrated with strategy-setting, risk assessments invigorate opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks and have the capabilities within the organization to manage those risks as they execute the corporate strategy. The result: Management and the board fully understand the downside and how much it might hurt. They also know what to watch over time, and that perspective provides critical input into defining key metrics and targets driving enterprise performance management.
Without a doubt, the financial crisis has increased uncertainty and created changes to strategic plans, operating budgets and organizations. Uncertainty and change increase the need to identify, understand and manage risk effectively. The pace of change is now proving to be so rapid that it can relegate risk assessments conducted just six months ago to the category of ancient history. The lenses through which risk is assessed can change dramatically over time.
We see our clients addressing many questions as they update their risk profiles to ascertain the potential impact of the crisis on their organizations. For example, with respect to physical assets, companies are looking at whether they should adjust inventory levels based upon reliable leading indicators and adjust capital spending and major maintenance plans in light of current conditions. Depending on the circumstances, they are looking into whether they have assets that they should sell. Also, they are asking whether there are assets they need that could be available now at a more reasonable value than in the past.
For financial assets, there are many risk factors companies are considering. For example, the question arises as to the reliability of cash flow forecasting. There are the financial fundamentals around collecting receivables, monitoring deteriorating working capital levels, and loosening or tightening credit policies. Issues in the banking sector are driving companies to question whether they will have access to current lines of credit, should they need them. The volatility of the markets raises the need to monitor concentrations and counterparty risk and adjust hedging strategies and/or hedge other exposures. Given the large swings in international currencies over recent months, for example, many companies are taking a closer look at their currency exposures, as they do not expect the volatility to end any time soon. Since all options are on the table, some companies are looking into suspending their dividend and stock repurchases to preserve capital. Conversely, those companies with strong balance sheets and cash flow are accelerating stock repurchases to capitalize on current prices. Other companies are evaluating whether to pursue additional financing options, even if it means higher borrowing costs. Finally, given the current operating environment, all companies should be reviewing the assumptions used in their accounting estimates and models.
In today’s times, staying close to the customer is vital. There are risks associated with preserving customer loyalty and relationships. For instance, companies must ask, how do we maintain customer satisfaction with limited resources? What impact is the crisis having on our customers? Do we have customer concentrations we should be concerned about? Is customer demand for our products changing, and does our demand forecasting consider multiple scenarios and the related impact on our cost structure? Should we change our product mix?
There are also important risks to consider with respect to suppliers and the supply chain. For example, what is the financial condition of our key suppliers? Do we need contingency plans to maintain supply? Could we be sourcing more effectively to reduce costs? Are our business partners capable of meeting their commitments? Should we be monitoring them more closely?
With respect to employees, there are the inevitable questions around whether the workforce is focused and whether management is communicating appropriately with them. Are we prepared to “do more with less”? Have workforce reduction plans been developed in the event that further reductions are necessary? Most important, have compensation structures been evaluated to ensure that they provide incentive for the desired behaviors?
Finally, with respect to other organizational assets, there are risks around the effectiveness of core management processes and other sources of value. For example:
- Is our budgeting process providing us with the information we need? Is reporting available to monitor performance effectively? Do we have transparency into the operations we need to understand how to manage quality, cost and time performance better?
- Is our strategic-planning process able to identify appropriate market opportunities or obstacles in a rapidly changing environment?
- Are we monitoring the status and actions of key competitors? What do we do better than our competitors? How can we capitalize on our differentiating capabilities?
- Do we face reputation risks that need to be carefully monitored as we adjust our strategy?
- Are we efficiently spending our IT dollars?
- Are we investing appropriately in research and innovation?
2. Strengthen tone at the top.
As companies cut costs and rightsize their organizations, there will be increased pressure on employees to perform and achieve results. Employee morale is likely to be affected as layoffs occur and remaining personnel are asked to carry out the same tasks as before, with fewer resources, in an uncertain and unstable environment. This is the time when management must communicate the right messages, which are often around “doing the right thing” from a compliance standpoint, as well as from an ethical, responsible behavior standpoint. The code of ethics should be stressed and enforced. Clarity around roles and responsibilities, particularly in the delineation of control responsibilities, while always important, is vital in this environment. Short-term incentive compensation programs must be in line with the long-term pursuit of shareholder value.
In addition, a fresh look at the anti-fraud program may be warranted. There needs to be an elevated alertness to the potential of fraud in this tough environment and the need for an enhanced fraud prevention/detection process. An October 2008 survey conducted by Compliance Week of 249 compliance, legal, finance and risk executives indicated that nine of 10 executives expect fraud activity to remain steady or increase during 2009. Accordingly, if they have not done so, audit committees should inquire as to where management stands with respect to documenting and evaluating the company’s antifraud program. Audit committees should insist on an effective fraud risk assessment.
3. Watch out for cracks in the internal control structure.
In these times of financial distress, many companies are implementing cost reduction plans, streamlining processes, and pursuing employee head count reductions. As management formulates and executes these plans, care should be taken to ensure that essential control, compliance and risk management functions remain intact. For example, key control activities essential to financial reporting should not be compromised as management demands more with less from the remaining workforce. New acquisitions, new business activities and new IT systems can place the control structure under further stress, and that reality should be carefully considered. In this dynamic environment, the audit committee’s oversight role should ensure that there is not an unacceptable risk of noncompliance or exposure to breakdowns in risk management processes, vital internal controls and other safeguards.
4. Make sure your internal audit function is effective in addressing the key risks.
In recent years, the audit plan in many organizations was redirected to support the Sarbanes-Oxley compliance effort. Many internal audit departments may have gone too far in this regard, diverting attention and resources away from other critical risk areas. This condition suggests a need for rebalancing, an opportunity recognized, and currently emphasized, by many chief audit executives. In the effort to rebalance, many internal audit functions will want to consider adding resources, increasing their budgets and/or utilizing outside skill sets. That will be tough to do in the current operating environment. Audit committees should weigh in on the rebalancing question to ensure that appropriate emphasis is given to the right priorities and risks, along with a continued focus on risk-based auditing. In addition, for those companies without an internal audit function, the audit committee should make the need for this function a prime area of inquiry.
Process and Technology Risk Issues
5. Evaluate the company’s ability to weather the storm.
Given the widespread nature of the financial and economic crisis, companies of all types should be taking steps to evaluate their ability to withstand the crisis and to improve their chances of dealing with future market disruptions. While the actions necessary will vary by company, they may include such steps as:
- Evaluate financial condition, liquidity and capital needs, with emphasis on the related impact of the recession.
- Consider the impact of the crisis on your customers and business partners.
- Undertake a review of risk management practices, governance processes and compensation structures.
- Determine impact of current conditions on debt covenants and the resulting cost of noncompliance.
- Introduce more extreme scenarios, including worst case, into stress testing routines to better understand liquidity and other exposures.
- Re-examine and challenge business and operating models, including their fundamental value drivers, in light of the current operating environment.
- Revisit the assumptions underlying strategic and operating plans to determine if adjustments are needed.
- Explore strategic alternatives, including mergers, acquisitions and restructuring.
- Evaluate options available under government programs.
The above steps are all about formulating a strategic response to the crisis. They are not just another operations review. If the company does not have a group on point – a crisis management team, for example – to coordinate the accomplishment of these steps, it should.
6. Focus on key emerging financial reporting issues.
The audit committee also needs to pay attention to the financial reporting front to be able to understand management’s policies and disclosures as they affect the reliability and fairness of public reports. These issues include the impact of fair value accounting rules on investments, securities, intangibles and fixed assets – an area that is quite susceptible to current economic conditions and is now attracting attention from politicians and policymakers. They also include new accounting rules for M&A and non-controlling interests that will require involvement of valuation experts, changes to the models used by M&A teams and more time for the finance function to understand. Accounting for financial derivative transactions will not get simpler anytime soon. Most important, the effect of current economic conditions on receivables realization, inventory valuation, deferred tax accounts and other balance sheet areas can be significant. Finally, the quality of management’s MD&A disclosures and periodic public reports will certainly be an area of emphasis for the audit committee in 2009, as such disclosures and reports should address the continuing impact of the current economy and operating environment on the company’s performance and financial condition.
7. Understand how outsourced/offshored operations are being managed.
As the Satyam scandal continues to unfold and the eventual impact of the fraud on the Indian company’s operations remains in question, attention has been drawn to the importance of an outsourcing provider’s reputation and reliability. As companies focus on managing their operations in a difficult economic climate, they seek to become leaner and more focused, efficient and effective. Over the last decade, many international companies have offshored work to other countries with a view toward achieving these objectives. Some have set up captive subsidiaries, while others leverage third-party outsourcing service providers. According to Gartner, the entire outsourcing market is projected to grow at an 8 percent clip year over year through 2012. Therefore, the prevalence of outsourcing and, in particular, offshoring and business process outsourcing, is expected to continue.
These activities are not without risk. Outsourcing requires investment, contractual obligations in new – and often remote – locations, as well as structural changes across the outsourcing entity. When outsourced functions and processes have financial reporting implications, public reporting risks may arise. When operational processes are outsourced and, in particular, offshored, customer satisfaction and product failure risks may exist. The next issue of The Bulletin will discuss the advantages, disadvantages and risks associated with outsourcing and offshoring, and how the risks can be managed when decisions are made to outsource and/or offshore business activities.
8. Understand your external auditor.
The audit committee should request relevant information from the external auditor to draw insights from the attestation process, such as an identification of high risk areas, an analysis of reserve levels, judgmental issues, the summary of passed adjustments, concerns with respect to the internal control structure and areas of disagreement with management. If the committee has not done so, it should set the ground rules with the auditor for defining and reporting a “disagreement.”
The committee should understand the litigation exposure and capital levels of the external audit firm. This area will be important in 2009 and beyond because litigation may become more serious than ever as the fallout resulting from the financial crisis continues.
Finally, the committee should understand the external auditor’s sourcing of staff. For example, the committee should understand the nature, timing and extent of external audit work performed offshore or in remote locations (as opposed to locations where the audit firm has on-site engagement teams in place). These inquiries around offshoring should be directed to tax work as well. Depending on the extent of offshoring, questions arise as to how the accounting firm manages the quality of work and the confidentiality of company information. Also, the committee should inquire about the extent to which independent contractors are used by the external audit firm in lieu of the firm’s employees.
The year 2009 promises to be a challenging one for audit committees. In short, the world has changed in a brief period of time, and we can expect more change in 2009 and in years to come. The agenda items we have listed herein are significant matters warranting audit committee attention. We believe that the committee can play an important oversight role in addressing them.
Key Questions for Audit Committees
- Has the audit committee made sufficient progress dealing with the agenda items referred to in this issue as “unfinished business”? If not, should the items be placed on the committee’s 2009 agenda?
- With respect to the new agenda items relating to enterprise-level mandates:
  - Is the committee satisfied the company has a current risk assessment? If not, should one be conducted in light of current operating conditions and the potential for continuation of a severe recession?
  - Does the tone at the top foster ethical and responsible business behavior, as well as prevent and deter fraud? How is the control environment assessed in this regard?
  - Has the committee inquired of management as to whether the company’s cost-cutting and workforce reduction initiatives have placed the internal control structure under pressure? If management believes that the internal control structure is intact, and key controls are performing effectively in all material respects, how do they know?
  - Is the audit committee satisfied with the internal audit plan, including its breadth of coverage of the organization’s key risks? Is the function’s emphasis, if any, on Section 404 compliance appropriate? Are additional resources needed to cover all critical risks requiring attention? Does the function’s budget cover those needed resources?
- With respect to the new agenda items relating to process and technology risk issues:
  - Has the committee made appropriate inquiries to ascertain whether the company is evaluating continuously its ability to survive the current economic crisis? Is the organization taking steps to ensure it can deal with future market disruptions?
  - Is the committee up-to-date on financial reporting developments? Is the committee satisfied that the company has the financial expertise to address these developments? Does the committee have the expertise needed to evaluate management’s responses?
  - Does the committee understand how outsourced and offshored operations are being managed, particularly if they have a significant impact on financial reporting?
  - Is the committee satisfied with the insights obtained from the attestation process, both in regular meetings with management present and in separate executive sessions with the external auditor?
  - Does the committee understand how the external audit firm is staffing the engagement, and is it satisfied with the firm’s ability to manage the quality of work?
The Bulletin (Volume 3, Issue 7)