Audit committees continue to face challenges on multiple fronts. With new accounting standards on the horizon, accounting firms under pressure from the Public Company Accounting Oversight Board (PCAOB) to improve performance, and companies facing an ever-changing business environment, serving on an audit committee can be an adventure, indeed.
Based on interactions with client audit committees, roundtables we have hosted in 2016, discussions with directors at conferences and in other forums, and surveys we have conducted, this issue of The Bulletin suggests agenda items for audit committees to consider in 2017. Our suggested agenda for the next year consists of four enterprise, process and technology risk issues and six financial reporting issues.
The 2017 Mandate for Audit Committees
Enterprise, Process and Technology Risk Issues
The listing standards of the New York Stock Exchange (NYSE) require audit committees to discuss risk assessment and risk management policies and practices. Other listing standards do not include this requirement. Therefore, the extent to which audit committees are involved in the board risk oversight process varies across organizations. In some entities, the board delegates its risk oversight responsibilities to the audit committee. In others, the audit committee takes on only risk oversight responsibilities that mirror those risks inherent in the committee’s chartered activities (e.g., financial reporting, fraud, reputation, and certain compliance, technology and other risks).
Regardless of the risk oversight scope, audit committees need to be aware of business, technology and other risks in the enterprise that could affect financial and public reporting, as the business environment is constantly changing. New technologies (think “digital revolution”), global competition, volatile markets, mergers and acquisitions, regulatory developments, a changing political landscape, and unexpected economic developments are generating emerging and disruptive risks that are altering risk profiles and adding uncertainty about the future.
Because risks are creating pressure on business models and can affect financial reporting, audit committee members need to have an understanding of the company’s risks and their potential to: create significant unusual transactions or events; put pressure on established internal controls; impact accounting estimates, asset valuations, contingent liabilities and risk disclosures; and drive changes in the scope of the external audit process.
For example, over the past year we have seen how reduced oil prices spawned audit issues that affected not only oil and gas companies, but also financial services institutions with loans to oil and gas operators, as well as companies that directly or indirectly are part of the industry’s supply chain or that trade in hedges of those commodities with the supply chain. Relevant financial reporting issues include impairment and valuation issues, going concern questions, collectability of loans and receivables, and valuation of hedge positions.
In addition, digitization investments are accelerating cloud computing adoption, mobile device usage and innovative IT transformation projects. We’re seeing a plethora of advances in intelligent machines, virtual reality systems and apps for streamlining core business processes and improving productivity. These developments are enabling the Internet of Things (IoT) and its smart cities, factories, buildings, logistics, vehicles and grids to take shape. They disrupt established business models by improving customer experiences, engaging targeted communities, creating convenience and expanding markets. They also add new security and privacy risks. The incidents resulting from these risks, in turn, drive increased costs of remediation (e.g., providing notice of breach and credit monitoring services) and the need for advanced security and access controls. Furthermore, they can affect disclosures in U.S. Securities and Exchange Commission (SEC) filings due to potential exposure to revenues, litigation and reputation.
The audit committee should examine the company’s profile of its most significant risks – the critical enterprise risks – at least annually to provide a business context for discharging its specific responsibilities. To illustrate, we include the top 10 global risks for 2017 (shown below) based on a recent survey. This summary shows whether the risk is increasing or decreasing or remains unchanged compared to the prior year’s survey. All of the top 10 risks this year rank higher than they did last year.
Risk assessments may be presented in the form of risk maps, heat maps and risk rankings based on subjective assessments of risk criteria such as severity of impact of potential future events and their likelihood and velocity of occurrence. The company’s risk assessment process should consider changes in existing risks, the emergence of new risks, the adequacy of the organization’s capabilities for managing the risks, and the implications of the critical risks to public reporting and disclosure requirements. Emerging risks need to be incorporated in the organization’s risk assessment process in a timely manner, particularly when significant changes occur.
2017 Top 10 Risks
- Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization.
- Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered.
- Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage our brand.
- Rapid speed of disruptive innovations and/or new technologies within the industry may outpace our organization’s ability to compete and/or manage the risk appropriately, unless we make significant changes to our operating model.
- Ensuring privacy and identity management and information security and system protection may require significant resources for us.
- Our organization’s succession challenges and inability to attract and retain top talent may limit our ability to achieve operational targets.
- Volatility in global financial markets and currencies may create challenging issues for our organization to address.
- Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to affect our core operations and achievement of strategic objectives significantly.
- Resistance to change may restrict our organization from making necessary adjustments to the business model and core operations.
- Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in our existing customer base.
As noted above, the level of involvement audit committees have in overseeing risk management varies from company to company. But regardless of the board risk oversight delegations, one common element across all audit committees that applies to risk management and internal control is the importance of ensuring a strong risk culture. In this, the audit committee at every company should play a significant role.
Audit committees should watch for the warning signs of dysfunctional behavior from a risk management and internal control standpoint. Following are eight examples of these signs:
- Failure to heed established risk limits.
- Fear of repercussions from raising contrarian viewpoints (e.g., a “shoot the messenger” environment).
- Undue organizational complexity, leading to a lack of transparency into the underlying economics of significant transactions and the manner in which an operating unit makes money.
- Conflicts of interest that can compromise established internal controls.
- Operating units, functions and processes not assuming responsibility for the risks their activities create.
- Lack of alignment for managing these risks between the tone in the middle of the organization and the tone at the top.
- Executive management that does not act on risk information on a timely basis when significant matters are escalated.
- A board that is not engaged in a timely manner when necessary (e.g., with significant mergers, acquisitions, litigation and other significant and unusual transactions).
A pattern of these and other signs can be an indicator of a dysfunctional or flawed risk culture, signaling the possibility of trouble ahead if it doesn’t already exist. One regulator has described a weak risk culture as “a root cause of the global financial crisis, headline risk and compliance events.” It is an issue of particular importance to audit committees in any industry because it may mean serious deficiencies in the control environment over external financial reporting exist, but are unknown to senior management and the board.
Traditionally, finance assists the company with maximizing shareholder value over the long term and short term through effective asset allocation, liquidity management, and analysis of strategic alternatives and fresh opportunities. Finance should not be so tied up with the day-to-day transaction processing activities of the business and the month-to-month financial close process that it cannot devote sufficient time to such value-added activities as generating insightful analysis and reports, maintaining margins, forecasting cash flow, managing working capital, and making other contributions to assist operating units, executive management and the board.
To help strengthen overall business performance and strategic planning, and to drive value from the organization’s financial data, finance functions strive for better, more accurate and timelier data collection, data analysis, reporting, budgeting and forecasting capabilities to enable profitability analysis tied to customers, products, operating units and geographies.
Finance’s specific priorities may vary according to the organization’s industry, structure, culture, business performance issues, and internal and public reporting requirements. Audit committees should ensure that finance is resourced appropriately to deliver to the organization’s specific expectations.
Chief audit executives (CAEs) and their functions continue to face increasingly demanding expectations. A study released in 2016 offers insights as to the expectations audit committees have of internal audit and provides a catalyst for taking stock of committee members’ interactions with and use of the internal audit function. These expectations offer opportunities to improve internal audit’s value proposition.
Three broad themes emerged from the study. Audit committees should:
- Enable internal auditors to think more broadly and strategically as they plan for, execute, and report on their work;
- Encourage internal audit to move beyond assurance to enhance its value proposition; and
- Take steps to ensure that CAEs and the internal audit function are effectively positioned to deliver to expectations.
The study offers six imperatives supporting these three themes: elevate the CAE’s stature, assist the CAE with aligning stakeholder expectations, encourage thinking beyond the scope of audit plans and projects, direct internal audit to perform more consulting, challenge the CAE to think strategically, and expect high-quality, effective communication.
Due to the rapid pace of change today, internal auditors must be more anticipatory, change-oriented and highly adaptive. This is particularly true with respect to matters such as cybersecurity, mobile applications, cloud computing, IT standards, the IoT and other aspects of the digital revolution. In addition, to meet expanded expectations, internal audit must move forward with data analysis and technology-enabled auditing capabilities.
Audit committees need to ensure that internal audit receives the support it needs to succeed in executing its risk-based audit plans, meeting expectations and keeping pace with change.
Financial Reporting Issues
Financial reporting issues are at the heart of the audit committee agenda. Following are six issues for audit committee members’ consideration.
The International Accounting Standards Board (IASB) and the Financial Accounting Standards Board (FASB) have introduced a single comprehensive, principles-based model to conform revenue recognition across the globe, eliminate existing industry-specific guidance, and expand revenue-related qualitative and quantitative disclosures.
Public companies must adopt the standard no later than annual reporting periods beginning after December 15, 2017, including interim reporting periods therein (e.g., a calendar-year reporting company must adopt in 2018). Private companies must adopt the new rules no later than annual reporting periods beginning after December 15, 2018, including interim reporting periods therein. Therefore, this change is right around the corner.
Implementation of the standard, which has been out for quite some time, could be a significant undertaking. In the past, the message was to assess its impact fully and implement the necessary changes across the company’s processes, systems and controls, and possibly even to its current contractual relationships. Now, the message is to get busy with sizing the impact and determining the transitional method to use – either retrospective or prospective – and whether to adopt early (in 2017) or just-in-time (2018). Executives and directors therefore need to understand how the standard will impact their companies and how the finance team will meet the deadline for adoption.
Audit committees should assess where management stands with respect to taking the following steps to get on top of the transition process:
- Educate executives and their teams with overall responsibility for the transition.
- Assess the current revenue recognition policy against the standard and identify expected changes.
- Consider the need for involving others to assist in the transitional process, depending on the significance of accounting policy gaps.
- Perform a high-level analysis of any data gaps.
- Develop a high-level approach to the transition method.
- Identify and assess additional resource needs.
- Educate decision-makers.
A prior issue of The Bulletin discusses the above steps in greater detail, as well as several other important topics relating to the new standard, including the potential significant accounting and reporting changes, industry implications, and a transition road map.
The audit committee should focus its inquiries of management and external auditors on sensitive areas in which the propriety of past accounting and disclosure practices can be and are being questioned. For example, audit areas in which significant deficiencies have been found in recent years in PCAOB inspections include auditing internal control over financial reporting, assessing and responding to risks of material misstatement, auditing accounting estimates (including fair value measurements), and deficient “referred” work in cross-border audits in certain countries. The PCAOB’s prior communications have also provided some indicators of potential emerging risks that the board’s inspection process will consider in the upcoming year (e.g., increase in mergers and acquisitions, undistributed foreign earnings, and maintenance of audit quality as the audit firm grows other business lines, such as consulting services). The audit committee should watch for further communication from the PCAOB regarding financial reporting “hot buttons.”
Revenue recognition, income taxes, fair value measurements and other areas involving significant accounting estimates made with a high degree of subjectivity are attracting greater scrutiny by accounting firms, the PCAOB and the SEC. Therefore, they warrant the audit committee’s attention. Beginning with an understanding of the most significant accounting estimates and judgments in the company’s financial statements, the audit committee should inquire of management as to the processes used in making those estimates and judgments, whether there have been any significant changes in those processes or in the significant assumptions underlying the accounting estimates, the reasons for the changes, and the effects of those changes on the financial statements. The audit committee should inquire as to whether there have been any significant changes in trends or facts that may indicate estimates should change. If so, what changes have occurred, and what are the financial statement effects?
The audit committee should expect the external auditor to discuss the quality of the company’s financial reporting, including the reasonableness of accounting estimates and judgments. Specifically, the audit committee should inquire of the external auditor as to the basis for concluding on the reasonableness of the critical accounting estimates and whether there is evidence of bias in management’s judgments related to accounting estimates. The audit committee also should expect the external auditor to provide perspective on how the company’s accounting policies and methods compare with industry trends and leading practices.
Finally, the audit committee should ascertain whether – and how sufficiently – internal audit incorporates the company’s most significant accounting estimates and judgments in its audit plan.
The PCAOB continues to release standards and reports providing direction to the accounting firms on various matters pertaining to how they conduct their audits. In addition, the board has provided recommendations to audit committees regarding their interaction with management and auditors in an effort to enhance audit quality. Finally, the board issues reports on the results of its inspections specifically directed to the audits of individual firms. All of these releases may impact the demands and expectations issuers receive from their external auditors. Accordingly, they warrant the audit committee’s attention.
When the external auditor communicates the overall audit strategy — including the timing of the audit, significant identified risks, key changes from the prior year in the planned strategy, and identified risks and other related matters — the audit committee should inquire whether PCAOB inspections of the firm and recent PCAOB standards and guidance are having a major impact on the audit approach and, if so, how and in which areas. If the PCAOB has included the company’s particular audit in its scope, the audit committee should expect the auditor to outline any specific issues raised and the implications of the resolution of those issues.
Last year, the PCAOB issued a communication to audit committees to provide insights from inspections of audit firms to assist audit committees in their oversight activities. In the first of a series, the communication highlights key areas of recurring concern in PCAOB inspections of large audit firms, as well as certain emerging risks to the audit process, along with targeted questions that audit committee members may want to ask their auditors on each topic.
Once the company implements the revenue recognition standard, it must contend with a new lease accounting standard a year later. For example, public companies must apply the new lease accounting rules in fiscal years beginning after December 15, 2018 (2019 for calendar-year reporting companies), including interim periods therein. As with the revenue recognition standard, the timetable for private companies is delayed another year.
Audit committees should ask management whether the company has addressed the implications of this new accounting standard. The new standard introduces a right-of-use principle for lessees, providing that a lease conveys the right to control the use of an asset, creating both an asset and a liability that must be reflected on the lessee’s balance sheet. Lessee companies therefore must record assets and liabilities on their balance sheets. As with revenue recognition, they also must implement new policies, processes, systems and internal controls. For lessor companies, the good news is there will likely be less change.
The audit committee should watch closely the ongoing developments with the PCAOB’s 2016 reproposed standard requiring communication of critical audit matters arising from the audit of financial statements. Specifically, for each critical audit matter, the auditor would be required to:
- Describe the principal considerations that led to the determination that the matter is a critical audit matter;
- Describe how it was addressed in the audit; and
- Refer to the relevant financial statement accounts and disclosures.
A critical audit matter relates to accounts or disclosures that are material to the financial statements and involves especially challenging, subjective or complex auditor judgment. It must be communicated to the audit committee. If there are no critical audit matters, the auditor would state that point in the auditor’s report.
If the PCAOB were to go forward with this new proposal, the relationship between the auditor and audit clients and their audit committees could be affected. Thus, audit committees should be mindful of fresh developments on this front.
Last year, the SEC issued a concept release exploring possible revisions to audit committee disclosures. The question arises as to whether the audit committee would need to alter significantly the company’s proxy and other disclosures with respect to its oversight activities should the SEC adopt any of its suggested disclosure requirements. (Note: The comment period on the concept release expired in September 2015, and, as of this writing, the SEC had not posted any updates.) The concept release emphasizes disclosure of the audit committee’s oversight of independent auditors, including specific potential changes to committee disclosure requirements related to its process for appointing or retaining the auditor, and its evaluation of the qualifications of the audit firm and engagement team.
Even though this concept release is far from the weight of a final rule, the audit committee should be familiar with its contents and evaluate whether the forthcoming proxy disclosures warrant enhancement. To that end, we are aware that some accounting firms are encouraging their audit clients to voluntarily expand their audit committee reports to include some of the additional disclosures discussed in the concept release. We are also aware that many companies have decided to wait and see if the SEC moves forward with rulemaking before taking any action. If the SEC acts, it will likely do so in the coming year; therefore, audit committees should be aware that the possibility exists for expanded disclosure of their activities.
The year 2017 will pose interesting challenges for audit committees. Even though we do not consider here either audit committee best practices covered comprehensively in the public domain or issues for audit committees responsible for the board risk oversight process, the items we have suggested in this issue of The Bulletin are significant matters warranting consideration by audit committees for inclusion in their coming year’s agenda.
The Bulletin: Volume 6, Issue 5