Audit committees continue to face crowded agendas and increasing complexity as we look forward into 2015. Based on our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums, we have developed an agenda with 10 items for audit committees to consider for the coming year. The first five agenda items relate to enterprise, process and technology issues. The remaining five items relate to financial reporting issues.
Enterprise, Process and Technology Issues
Update the company’s risk profile to reflect changing conditions – Many audit committees retain responsibility for making inquiries regarding the company’s risk assessment process and risk management capabilities. Even committees that do not have this responsibility often desire to see a summary of the organization’s top risks.
There are myriad operational, financial and compliance risks embedded within every organization’s day-to-day operations. Strategic risks of disruptive change have become more evident over time. The question is whether the most recent risk assessment remains current.
The risk assessment process should consider vagaries of existing risks and address the adequacy of risk management capabilities. For example, 2014 seemed to be the year that information security and privacy took center stage with a multitude of breaches. Breaches of high-profile companies are constantly in the news, corporate espionage appears to be on the upswing, and cyber criminals in search of financial gain are playing for keeps. Cyber threats are finding their way onto many companies’ lists of top risks.
Given the changing realities of the business environment, the audit committee should take a look at the company’s risk profile at least annually. Ideally, this evaluation should be supported by an updated risk assessment by management. For the most significant risks, either the audit committee or another committee of the board (depending on how the board is organized for risk oversight) should determine that appropriate action plans are in place to manage them.
To illustrate, we include the top 10 risks for 2015 at left.1 This summary shows whether the risk is increasing or decreasing compared to the prior year’s survey, the risks that are newly added to the 2015 survey that made the top 10 list, and the risks included in the 2014 list that dropped out in 2015. The 2015 top 10 risks list provides an illustration of the risks with which audit committees and boards of directors should be concerned.
A process focused on prioritizing day-to-day risks, however, isn’t likely to identify the key emerging risks. To identify emerging risks, management needs to focus on such things as the implications of changes in the business environment on key assumptions underlying the organization’s strategy and business plan, trends and key risk indicators that signal early warning of disruptive change, and analyzing interdependencies among risks to identify developing risk themes germane to the organization. The audit committee will want to be confident that emerging risks are being identified timely by the organization’s risk assessment process, and even in between annual risk assessment updates.
With respect to significant risks with financial reporting implications, the audit committee should understand them, how they are being managed and their potential impact on the financial statements. With respect to financial institutions and other highly regulated entities, the audit committee should ensure the company understands the evolving regulatory framework and its impact on operations, the compliance infrastructure and public reporting disclosures.
Oversee capabilities of the finance organization and internal audit to ensure they can deliver to expectations – This one has been on our list for some time and remains on it for 2015. The reason is the speed of change and its implications to the finance organization and the evolving complexity of risk and its relevance to internal audit plans and skill sets. Because both the finance function and internal audit are fundamental to the discharge of the audit committee’s oversight responsibilities, the committee should ensure that their skill sets align with expectations. For example, according to the 2015 Finance Priorities Survey from the Financial Executives Research Foundation and Protiviti, the sheer numbers of priorities the finance function is addressing are at an all-time high in our four-year study. What’s more, the number of finance skills and capabilities the survey respondents view to be higher priorities compared to last year’s results has risen dramatically. To illustrate, according to the survey, finance functions are:
- Placing more importance than ever on strategic areas of financial analysis – Strategic planning, risk management, executive dashboards and profitability analysis are examples of this strategic focus. At the same time, finance functions are increasing their vigilance in guarding against lapses that can slip into transactional processes – such as account reconciliations, payroll processes and invoicing/ billing – when organizations are firing on all cylinders.
- Looking for a more holistic approach – Rather than applying patchwork fixes to individual processes, finance functions are seeking to manage and improve related processes in a comprehensive manner. Strategic planning, budgeting and forecasting rank among the highest priorities in the entire study; this demonstrates an intent to strengthen overall corporate performance management. A similar approach is evident in priorities related to working capital management.
- Finding that getting the right talent in the right place is not easy – Finance functions are challenged to find, attract and retain knowledgeable and experienced staff with the technical and analytical expertise to address their expanding priorities effectively. These priorities include complex regulatory compliance requirements and domestic tax laws, new accounting standards, looming changes on the international front (particularly related to transfer pricing), as well as emerging needs to analyze big data.
- Placing greater emphasis on soft skills – Cultivating stronger communications, collaboration and relationship-building skills throughout the ranks is a priority.
While the finance function’s specific priorities may vary depending on the organization’s industry, structure, culture, business performance issues, and internal and public reporting requirements, the above areas are among the consistent themes noted in the survey.
With respect to internal audit, Protiviti’s 2014 Internal Audit Capabilities and Needs Survey noted a focus on chief audit executives (CAEs) and their functions becoming more anticipatory, change-oriented and highly adaptive. Such behaviors are in great demand because internal audit functions must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still unfolding risk implications, from emerging technologies and new auditing requirements and standards to rapidly evolving business conditions.
For example, in the past 12 months, the use of mobile and social media applications has presented new challenges, many of which are still emerging, for nearly every company. Organizations’ growing reliance on cloud computing and data, in general, poses similarly complex challenges. Yet these issues represent only two examples of those crowding internal audit’s expanding agenda. Our survey findings show that:3
- Social media applications, mobile applications and cloud computing are critical areas of concern – These technology applications are top priorities for internal auditors to address.
- CAATs and data analysis remain a priority – As indicated in past years of our study, internal auditors plan to strengthen their knowledge of computer-assisted auditing tools (CAATs), and continuous auditing and monitoring techniques. Additionally, internal audit functions intend to leverage more advanced forms of data analysis to support risk management and overall business objectives.
- Fraud management efforts focus more on technology as well as prevention – Auditors are concentrating more time and attention on fraud prevention and detection in increasingly automated business environments and workplaces.
- Regulatory, rules-making and standards changes are increasing in complexity – New standards from The Institute of Internal Auditors and new cybersecurity guidelines from the U.S. government warrant attention. The pace of regulatory change in highly regulated industries such as financial services adds further complexity. In addition, the updated COSO Internal Control – Integrated Framework represents a major change for internal audit, with significant implications on many financial, risk management and compliance activities.
- Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.
In the end, change is the order of the day. Finance and internal audit must keep pace.
Pay attention to risk culture to address the risk of dysfunctional behavior undermining risk management and internal control – Risk culture is the keystone for balancing the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through an appropriate risk appetite and managing risk on the other hand. Risk culture is influenced by the tone at the top and in the middle. Senior management, under the board’s oversight, must set and reinforce the “everyone is responsible” mantra, which means that those responsible for the units and processes that create risks must accept the ultimate responsibility to own and manage the risks their units and processes create, as well as establish the proper tone for managing these risks consistent with the tone at the top.
In addition, effective risk management requires an independent, authoritative voice to ensure that an enterprise-wide framework exists for managing risk, risk owners are doing their jobs in accordance with that framework, risks are measured appropriately, risk limits are respected and adhered to, and risk reporting and escalation protocols are working as intended. Internal audit provides assurance that the primary risk owners and independent risk management group are functioning effectively.
The audit committee should ensure that the organization’s culture encourages and enables the above aspects of the organization’s risk culture to function effectively. In addition, the committee should ensure that executive management acts on risk information on a timely basis when significant matters are escalated and that the board is involved timely when necessary.
Understand how new technological developments and trends are impacting the company – Business-to-people (B2P) communications and social media peer groups have provided an alternative model for connecting and interacting with markets, prospects and customers. Social business, cloud computing and mobile technologies are continuing to spawn disruptive change and increased privacy and security risks, including further exposure to cyber threats, as discussed earlier.
Building on the same enabling technologies that make social business possible, the collaborative economy facilitates the marketplace at large engaging in the sharing of idle assets and sale of used goods and services on a peer-to-peer basis (P2P). In effect, larger networks, coupled with more access to technology, are creating more transparency for consumers and, in effect, empowering them by reducing the need for vendor-driven information and reliance on salespeople. More choices arise in making purchasing decisions. As it grows, the collaborative economy creates a new landscape for businesses and marketers and a potentially disruptive change for business models of established companies and brands.4
Technological innovations promise improvements in, and even further disruptive change to, designs, processes and business models. We can expect increasing diversity and capability in mobile devices, ever-expanding mobile apps and applications, and an exponential interconnection of Internet applications supporting smart grids, smart factories and even smart cities in an app-centric world.
The audit committee should understand the implications of technological innovations on the company and how these implications manifest themselves in terms of affecting the ongoing effectiveness of the overall IT entity-level control environment and IT process-level controls (general IT processes and application-specific processes), exposures to cyber threats, as well as impacts on the viability of the business model.
Assess committee effectiveness – The audit committee should evaluate its membership, skill sets and agenda periodically considering the changing business environment. When assessing the committee’s composition, industry knowledge and financial reporting expertise, consider the company’s changing risk profile. Understanding the business is a vital prerequisite for an audit committee to bring to bear the right questions at the right time on the tough issues, either in regular committee meetings or in executive session with the external auditor, CAE or company executives.
Financial Reporting Issues
While financial reporting issues are not among the top risks for 2015 (see page 2), they are nonetheless relevant to the audit committee agenda. Following are five issues for the committee’s consideration.
Pay attention to revenue recognition – The long-awaited Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers, was finally issued earlier this year. This new guidance is the result of a collaborative effort by the Financial Accounting Standards Board (FASB) and International Accounting Standards Board (IASB) to agree on a global standard based on common principles that can be applied across industries and regions.5 In the United States, this new guidance will replace most of the industry-specific GAAP requirements that have become complex and cumbersome to apply in practice. For the rest of the world, it will replace the IFRS standards for revenue recognition that provide limited implementation guidance and can be difficult to understand and apply.
The new guidance establishes a new core principle:
Recognize revenue in a manner that depicts the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.
In applying this principle, the new standard states that revenue-generating arrangements are, in effect, contractual arrangements of some form between two parties. Therefore, revenue would be earned and recognized as the reporting organization satisfies performance obligations or promises within this contractual arrangement. Timing of revenue recognition may vary depending on whether the contract is for the delivery of goods or for the performance of a service. To this end, the standard sets forth five steps to achieve the core principle as outlined above.6
While no industry will be totally exempt, the industries that are likely to experience significant changes are software, telecommunications, asset management, airlines, real estate, aerospace and construction. Changes won’t be limited to these industries, of course, so all companies should consider the need to assess the implications of the new standard and develop implementation plans to address those implications. The new guidance may enable some companies to recognize revenue sooner than they typically do under existing accounting standards. Further, companies with a longer delivery cycle, or those with non-standard and complex contract terms, will be the most affected.
These aspects will require greater resources from systems or processes to provide the necessary information to meet the data requirements to account for and describe revenue recognition. The impact of the new standard could be far-reaching and potentially disruptive as it may also affect processes and reporting associated with: commissions, bonus and compensation structure; key financial performance metrics; partnerships, alliances and joint ventures; M&A activities (working capital adjustments, revenue projections, post-deal multiple earnout provisions, etc.); internal controls and SOX compliance; and loan financial covenant compliance.
The audit committee should ensure the company is undertaking the appropriate steps to transition effectively to the new standard. Accordingly, the committee should ensure there is emphasis on: educating the senior management team, key stakeholders across the organization and the board of directors; organizing the project management structure; resourcing the team needed to plan and execute the transition; analyzing the current revenue policy and process against the proposed standard to identify expected changes; considering the implications to upstream and downstream linked processes such as contract management and revenue assurance; performing a high-level analysis of system and data gaps; and formulating an appropriate transition strategy. Companies should begin with planning and executing the transition, even if the FASB should decide to extend the effective date of the new standard.
Revenue recognition will likely not be the last development by the FASB on the convergence front. Potential changes to accounting for financial instruments and leases may be on the heels of the new revenue recognition standard with “more of the same” relative to impact and need to act.
Inquire if there is an impact of the PCAOB on the audit approach – The Public Company Accounting Oversight Board (PCAOB) inspections activity warrants attention. In addition, the Board’s guidance on rules related to current standards for revenue recognition and going concern have heightened the auditor’s focus on these areas.
The committee should expect the auditor to communicate an overview of the overall audit strategy, including timing of the audit, significant risks identified by the auditor, significant changes to the planned strategy or identified risks, and other matters. The committee should inquire if PCAOB inspections of the firm or recent guidance are impacting the audit approach of the company in any way and, if so, how. If the PCAOB has included the company’s audit in its scope, the committee should expect the auditor to outline any specific issues and the implications of any resolutions.
Understand impact of COSO’s update of the Internal Control – Integrated Framework – Many companies have already transitioned or are in the process of transitioning to the updated COSO framework in conjunction with the company’s internal control reporting, internal audit activities and other affected areas. The audit committee should understand how the updated framework impacted management’s approach to complying with Section 404 of Sarbanes-Oxley. For companies which have elected to defer the transition to the updated framework, the committee should understand management’s transition plan, including how management is complying with Section 404 in the current year and the disclosure ramifications if management intends to use the original 1992 version of the framework. In addition, the framework can be applied to other reporting areas, compliance and operations, and the committee may want to inquire as to whether there are plans to broaden its application.
Understand and evaluate management’s significant accounting estimates – The audit committee should understand the processes underlying those financial reporting areas requiring significant judgment. These areas are typically the ones involving critical accounting estimates, and outside stakeholders ranging from the PCAOB to various regulators are weighing in on the propriety of these estimates. The committee should look to the auditor to comment on such areas with regard to: the accounting policies, practices and estimates involved (and any expected changes as a result of new standards); the quality of the company’s estimates; difficult or contentious matters in dealing with these areas; and any auditor concerns with respect to management’s estimation processes. If the auditor has proposed adjustments as a result of disagreements with management in these areas, the committee should be aware of them, whether corrected or not.
Stay current on audit reform developments – The value of the auditor’s report and the merits of auditor rotation not only remain in the PCAOB’s line of sight in the United States, but they also are being considered in other countries, as well. While the Board may not pursue the significant changes it proposed in 2013 in the auditor’s report, there are no signs it has lost interest in improving its usefulness. In addition, although the Board may have pulled back from forcing mandatory rotation, other options such as mandatory tender may still be on the table. The point is that audit committees should be mindful of these developments as they continue to unfold.
The coming year will pose interesting challenges for audit committees. The items we have suggested in this issue of The Bulletin are significant matters warranting consideration by audit committees for inclusion on their 2015 agenda.
1 This list is based on the results of the annual survey of senior executives and directors conducted by Protiviti and North Carolina State University’s ERM Initiative available at www.protiviti.com.
2 “The Rising Tide of Finance Challenges: Assessing the Results of the Financial Executives Research Foundation/Protiviti 2015 Finance Priorities Survey,” Financial Executives Research Foundation and Protiviti, 2014, available at www.protiviti.com/financesurvey.
3 “Assessing the Top Priorities for Internal Audit Functions: 2014 Internal Audit Capabilities and Needs Survey,” Protiviti, 2014, available at www.protiviti.com.
4 “Is the Collaborative Economy Reshaping Business?” The Bulletin, Volume 5, Issue 8, Protiviti, 2014, available at www.protiviti.com.
5The IASB issued IFRS 15, which is effective for reporting periods beginning on or after January 1, 2017, with earlier application permitted.
6These five steps are discussed further in “It’s Here, Are You Ready? – Transitioning to the New Revenue Recognition Standard,” Protiviti Flash Report, June 2, 2014, available at www.protiviti.com.