While the economic environment has shown signs of stabilizing over the past year, the seas still look somewhat choppy for 2011. This issue of The Bulletin provides observations and ideas for consideration by boards and their audit committees as they continue to navigate uncertainty, while also making and executing appropriate plans for the future. We begin by examining 10 major challenges businesses face as a context for setting the 2011 audit committee agenda.
Ten Major Challenges
Following is a summary of major challenges many companies likely will face over the next 12 months. Different industries face different issues and priorities, of course, so the applicability and prioritization of the challenges included on this list will vary by industry. Our intent is to summarize top-of-mind issues facing many organizations and their boards:
Ten Major Challenges Facing Businesses
- Managing through the economic recovery with emphasis on finding new sources of growth
- Monitoring the competitive environment and adjusting the strategic direction of the company accordingly
- Adjusting to the challenging realities of continued globalization
- Maintaining morale and retaining top talent
- Building customer loyalty
- Protecting sensitive and private information
- Managing in an environment of increased regulatory oversight
- Understanding and responding to a changing risk profile
- Accessing capital and managing cash flow effectively
- Effectively using the data and information available in the organization to make timely and informed decisions
- Managing through the economic recovery with emphasis on finding new sources of growth – Finding new sources of profitable growth is a strategic imperative. New and emerging technologies are having an impact on everything from banks to hospitals, products and services, corporate cultures, and methods for reaching customers and enabling them to access the enterprise’s products. What a CEO often fears most is the disruptive technology that could put his or her company on the ropes unexpectedly – even out of business. As companies seek new sources for growth, they must be careful not to stray too far from their core competencies. The uncertainty in this initial phase of economic recovery has many CEOs carefully balancing short-term demands with long-term objectives, and given the pressure of delivering acceptable quarterly results, this is difficult. Frequently, the challenge is one of finding the courage to invest and hire despite the uncertainty of the future. Thus, many organizations are playing both offense and defense as they plan for a return to growth and increasing shareholder value.
For example, many companies are still finishing work they started in 2009 and 2010, such as streamlining business operations, discarding nonperforming or nonstrategic assets, and ensuring their “break-even” point remains at its reduced level. The last thing a CEO wants is for the company to be vulnerable to another economic downturn.
Therefore, he or she may choose to invest in innovations that will provide a foundation for the future, while also protecting the business from exposure to another severe economic recession. Many companies, for instance, may choose to finance their investments in initiatives that will improve their cost structure or allow them to drive increased revenue as the economy recovers. This includes paring down the organization’s internal cost structure, as well as its upstream supply chain costs and downstream channel distribution costs. To that end, some companies are taking a cautious approach toward hiring by using variable cost labor until confidence is restored in sustainable growth.
- Monitoring the competitive environment and adjusting the strategic direction of the company accordingly – Both management and the board must understand the risks inherent in the corporate strategy and the prevailing business model to deliver that strategy. Once they agree on the significant assumptions underlying the strategy, their mutual understanding sets the foundation for a process to monitor the environment for changes that could alter those assumptions significantly. This is a vital and ongoing process designed to ensure critical assumptions underlying the corporate strategy remain valid. If one or more critical assumptions are no longer valid, the strategy must be either revisited or exited, depending on the circumstances.
- Adjusting to the challenging realities of continued globalization – In a global environment, it is a challenge to keep a competitive cost structure, maintain customer loyalty, increase speed-to-market of innovation, manage the impact of currency fluctuations, and sustain cost-effective access to materials and component parts. Investment in unstable countries and markets should be managed, as well. As time goes on, companies may need to rethink offshore strategies due to political risk, positioning in the BRIC markets, and cost increases in China, India and other countries.
With respect to precious materials, sourcing dependencies can create significant business risk, as competitors and countries can tie up supplies or key vendors could go out of business or decide to raise prices significantly, producing a substantial drag on operating margins.
- Maintaining morale and retaining top talent – The workforce is changing, not just demographically, but also through the ways we interact with each other (e.g., due to changes in technology, globalization, and so on). Companies that think “outside the box” and incorporate full-time workers, seasoned contractors, part-time employees and flexible scheduling options into the human resources mix may enjoy a competitive advantage over those that do not. Expectations between workers and companies have changed fundamentally: Loyalty is no longer a viable expectation. In many businesses, an employee with five or more years of tenure is considered a veteran. The “mobile workforce” phenomenon has significant long-term implications for businesses, as well. In short, the changing workforce – less loyal and more transient – is both a threat and an opportunity.
- Building customer loyalty – Customers have always been the lifeblood of any business. While customer loyalty has long been a staple of marketing programs for airlines, grocers, and both large and specialty retailers, more companies are paying attention to how they can improve customer retention and long-term customer engagement. Because technological advances and increased competition have given customers more choices than ever before, strong relationships and the willingness to be flexible when addressing customer issues are vital to sustaining revenue streams over time. Through relationship marketing, organizations aim to develop strong, long-term connections with customers with an eye toward supporting the company’s growth objectives with a stable of reliable return customers, often resulting in increased word-of-mouth activity, long-term purchasing behavior and a willingness to provide information directly suited to customer needs and interests.
- Protecting sensitive and private information – While the internal and external threats around security and privacy issues involving sensitive data have been long established, the manner in which they are manifested continues to evolve, and likely will continue to do so in ways we can’t even yet imagine. The WikiLeaks phenomenon, for example, was not on anyone’s radar 12 months ago.
Given the rapid pace of change, it is vital that boards of directors and senior management view information security and privacy as a business issue and not just another IT issue. Security threats, vulnerabilities and privacy exposures challenge every organization, creating risks that must be understood and managed. Our experience is that many organizations do not understand fully the risks they face in this space or how they should be managing them. Equally important, good security and privacy practices create revenue growth opportunities by engendering customer confidence and providing customers with personalized support.
- Managing in an environment of increased regulatory oversight – While fulfilling customer needs profitably in global markets where the company operates presents challenges, adjusting the business model to the regulatory environments of different countries is even tougher. And anticipating how governments in various countries might change regulatory guidelines and impact the company’s business model is an even more daunting task. Senior management must pay close attention to the regulatory environment because, as the complexity of this environment increases, the process of staying in compliance and managing the increasing costs of compliance becomes more challenging. Maintaining a strong governance structure is an imperative in light of requirements for increased public disclosures, the Dodd-Frank whistleblower bounty in the United States, and the increased emphasis by regula tory and prosecutorial authorities around the world on dealing with corruption. A strong compliance culture also reduces exposure to headline risk.
- Understanding and responding to a changing risk profile – As the business environment changes, so does the company’s risk profile. The financial crisis has put a number of issues under the microscope of scrutiny – for example, the effectiveness of risk management processes, the impact of incentive compensation on risk-taking behavior, the positioning of CROs and CCOs within the organization, the consideration of risk in strategy-setting and performance management, and the effectiveness of board risk oversight. With these issues clearly in the spotlight, two important realities emerge as companies identify, prioritize and manage their risks. First, the success of risk management will have a huge impact on preserving the company’s reputation. Second, it is impossible for any organization, no matter how well managed it is, to dodge bullets forever. Eventually, every company faces a test, which is why crisis readiness and response is a vital process. It is important to understand the source and severity of threats that have a high velocity and persistence of impact, as well as an inadequate response readiness by the organization. Using new ways to discover and understand the company’s vulnerabilities can improve how risk management and crisis management processes intersect.
- Accessing capital and managing cash flow effectively – A company’s forecasting process must be extremely reliable because no CEO or CFO wants to be caught in another liquidity crisis – especially by surprise. Understanding the company’s cash flow is critical to managing its overall fiscal health. So, too, is maintaining an efficient capital structure to drive the enterprise’s long-term financial performance.
- Effectively using the data and information available in the organization to make timely and informed decisions – Many companies acknowledge that they can do a better job of using available data and information for decision-making. The challenges discussed above have resulted in increased demands on management by boards for more transparency. CEOs are looking to the finance organization to play an active role in planning, measuring and monitoring business performance. Recent surveys have indicated that “measurement-managed” companies are ranked in the top third of their respective industries in terms of leadership, financial results, and the ability to assimilate change in the organization. That reality provides the impetus to improve information for decision-making.
These are 10 significant challenges that companies face as they enter 2011. In light of these challenges and the everchanging business environment, it is essential for the audit committee to formulate an appropriate agenda.
The 2011 Agenda
As in prior issues of The Bulletin, we have summarized an agenda broken down into two categories – enterprise-level mandates and process and technology risk issues. The following agenda is based on our interactions with client audit committees, director roundtables we have conducted, and other discussions with directors at conferences and other forums.
The 2011 Mandate for Audit Committees
- Ensure the company’s risk assessment methodology maximizes its value and use – If necessary, freshen the approach to consider impact, velocity and persistence.
- Update the company’s risk profile to reflect changing conditions – Keep the assessment current in light of existing and expected operating conditions.
- Clarify the committee’s contribution to the board’s risk oversight process – Make sure there is agreement with the full board regarding the committee’s contribution to risk oversight.
- Evaluate competence and capabilities of the finance organization and internal audit – Make sure the CFO organization and internal audit function have the resources, skill sets and reach they need to meet expectations.
- Keep a sharp eye on the overall control environment as the company seeks new sources of growth – Be alert for signs the internal control structure is under stress as the company continues to pursue cost-reduction plans and process streamlining while seeking new sources of growth.
- Pay attention to financial communications quality – Stay focused on financial reporting risk and the quality of financial and public report presentation and disclosures, earnings guidance and earnings releases.
- Oversee the U.S. gAAP convergence process – Oversee the choices made regarding the adoption of new principles.
- Understand the implications of changing laws and regulations – Assess the company’s grasp of the changing environment and its readiness in dealing with new and pending laws and regulatory changes, regulator reviews and other developments.
- Pay attention to new technological developments and trends – Understand the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company’s business model.
- Utilize external auditors effectively – Determine that the external audit team is bringing to bear the experience and skills needed to do the job.
1. Ensure the company’s risk assessment methodology maximizes its value and use
At least once a year, many companies conduct a risk assessment. The question for any risk assessment approach is whether it provides real insight as to what to do next to impact an action-oriented management plan.
Audit committees should be satisfied that their companies’ assessment methodologies are providing appropriate insights.
The traditional risk assessment includes an evaluation of the likelihood of occurrence of a risk scenario and its impact should it occur. In our experience, the likelihood of many high-impact risks occurring is relatively low, providing very little discriminatory value to the assessment exercise.
Risk scenarios with a high likelihood would, by definition, occur frequently enough to capture management’s attention, resulting in a process to mitigate the risks in the company’s day-to-day operations.
Some high-impact, low-likelihood risk scenarios can be “showstoppers,” particularly if they have a high velocity (i.e., speed between the occurrence of an event and its initial impact on the company) and high persistence (i.e., duration of time and extent of effort that will be required to deal with the impact of a given risk event once it occurs).
Accordingly, we have found it is more relevant to focus the prioritization effort based upon impact, velocity and persistence.
When the conversation turns to high-impact, high-velocity and high-persistence risk scenarios, the dialogue logically moves to the topic of response readiness.
It is at this point that the risk management process begins to intersect with the crisis management process.
2. Update the company’s risk profile to reflect changing conditions
Earlier, we referred to the effects of the competitive environment, globalization, the war for talent, and evolving security and privacy threats. Companies are looking for new sources of growth – and many are sitting on enormous cash reserves that are larger than they have been in half a century.1 While this cash buildup suggests these companies see relatively few opportunities for investment at this time, that picture could change quickly. The uncertainty in the current recovery creates a desire to preserve liquidity and can drive internal alignment issues. As companies try to accomplish more with fewer resources, projects that have been on the back burner for two or more years are being put in play – creating even further demands on the enterprise. These factors point to the potential for dramatic change ahead. This is why keeping the company’s assessment of its risk profile current in light of existing and expected business conditions is essential. In addition to an elevated alertness to the potential for fraud and corruption in this tough environment, an assessment also may be warranted of fraud risk, the effectiveness of the fraud prevention and detection process, and escalation and response mechanisms in place to react to events (e.g., audit findings, whistleblowers).
3. Clarify the committee’s contribution to the board’s risk oversight process
Boards of directors and their audit committees need to be on the same page as to the committee’s contribution to risk oversight. If there is any doubt, now is the time to set things straight. The key question is, “What is the audit committee’s role in the board’s risk oversight process?” A related question is this: “Given the audit committee’s primary job to focus on financial reporting risks, does it have the time, skills and support to do more?” As the board evaluates these questions, it should recognize that the audit committee is the last line of defense for financial reporting risk – a point that should not be taken lightly if the enterprise’s financial reporting issues are complex.
If the company is listed on the New York Stock Exchange, it should be noted that the exchange listing standards require audit committees to include in their charter a responsibility to discuss with management the company’s policies around risk assessment and risk management. Therefore, if the board sees fit to set up a separate risk committee or engage one or more other standing committees other than the audit committee to contribute to risk oversight, the audit committee must inquire and understand the nature of those activities and the results.
4. Evaluate competence and capabilities of the finance organization and internal audit
We listed this area as a mandate for 2010. The past two years have put the CFO organization under significant pressure in many companies. The audit committee should satisfy itself that the skill sets available in the finance function match up with the myriad expectations driven by the organization’s industry, structure, culture, business performance issues, and internal and public reporting requirements and issues. While retention is a priority, it also is important to look for opportunities to hire financial talent. External hires are ideal for obtaining higher or specific levels of expertise, achieving broader perspectives, and building an organization that will attract and retain talent in the future.
With respect to internal audit, the audit committee should make sure the function (including any co-source partners) has the necessary resources to address the company’s key risks. While internal audit can assist with monitoring the effectiveness of financial reporting controls, the function can do so much more in other compliance, operational and reporting areas. Internal audit also can assist the company with evaluating its risk management processes. The question arises as to what is the desirable scope for internal audit to maximize its value to the organization.
If this scope is risk-based, it will articulate the risks the function should address in its audit plan. This leads to a second question: Given the scope, what are the additional resources, budget funding and/or utilization of outside skill sets needed to address the enterprise’s risks? Audit committees should weigh in on these questions and provide appropriate direction.
5. Keep a sharp eye on the overall control environment as the company seeks new sources of growth
Tone at the top has never been more important. Over the past 24 months, most companies have reduced their costs and sized their organizations to market demand. This “surgery” has increased expectations for employees to do more with less, placing stress on the internal control structure, which has sometimes led to control failures.
Now that there is an appetite for growth – and that growth is often being financed by additional pare-downs in the company’s cost structure – it is possible for even further stress to be placed on the internal control environment.
Vigilance is the order of the day. Audit committees should be alert for signs the internal control structure is under stress as the organization continues to pursue cost-reduction plans and process-streamlining efforts while also seeking new sources of growth. The committee also should ensure the company emphasizes responsible business behavior and maintains a strong focus on preventing and deterring fraud and corruption. Essential compliance and risk management functions should be carefully delineated as key control responsibilities while process cost-effectiveness is improved. Key control activities essential to financial reporting must not be compromised. More important, new acquisitions, business activities and IT systems can place an already fragile control structure under further stress. That possibility should be considered, as well.
6. Pay attention to financial communications quality
The audit committee should proceed with caution before straying very far from its core mission to oversee financial reporting risk and the quality of financial and public report presentation and disclosures, earnings guidance and earnings releases. With the increasing complexity of financial reporting, a proactive approach to oversight is warranted. Following are illustrative examples:
- To paraphrase the old saying, “Stuff happens.” When it does, red flags should go up the pole for everyone, including the audit committee. Examples include acquisitions, divestitures, changes in markets and/or the economy, and new or unusual transactions (especially those designed in response to evolving fair value guidance and revenue recognition rules). The audit committee needs to ensure that these matters are accounted for and reported properly.
- From time to time, the audit committee should review management’s assumptions underlying all critical accounting estimates to ascertain whether they remain valid in terms of the current business environment.
- Over the past year in the United States, U.S. Securities and Exchange Commission (SEC) staff has become increasingly aggressive in requesting more information specific to the company. If a company is disclosing a risk, SEC staff members have asserted they want the disclosure to clarify why the risk applies to the company and its business. In annual and quarterly financial statements, as well as proxies, companies are being asked to provide more details about potential problems, including risks tied to credit and liquidity, goodwill impairments, and compensation. In July 2010, SEC chairman Mary Schapiro reported that the Commission is working on recommending changes to its risk factor disclosure requirements. Still another area is the discussion of risk in the proxy statement (in response to rules passed in late 2009). These and other areas raise a question: When SEC comment letters are issued, what role does the audit committee play in the company’s process of responding – that is, do they see management’s drafts in advance, or do they find out after the response is submitted to the SEC?
7. Oversee the U.S. GAAP convergence process
While the adoption of International Financial Reporting Standards (IFRS) may not be imminent in the United States and certain other countries, the convergence of U.S. generally accepted accounting principles (GAAP) and IFRS is under way. This convergence process affects financial reporting in all countries. As it unfolds, the audit committee must oversee the choices to be made about the extent of adoption of new accounting principles, particularly choices concerning their application. It also must oversee changes in important areas such as financial instruments, revenue recognition and lease accounting, which are expected to materialize as the convergence calendar moves forward during 2011. The audit committee should focus on the impact of convergence developments in fair value accounting, mergers and acquisitions accounting, non-controlling interests, and financial derivative transactions. It also must ensure there is an understanding of the effect of current economic conditions on the balance sheet.
8. Understand the implications of changing laws and regulations
Regulatory reform is a global phenomenon. There are regulations that have been passed in some countries that companies may not fully understand in terms of their implications. The Dodd-Frank legislation in the United States is an example of comprehensive reform legislation for which both regulators and companies are still seeking clarification – particularly in the financial services industry. In this environment, audit committees should understand company readiness in dealing with new and pending laws and regulatory changes, regulator reviews and other developments. For example, is the company monitoring the regulatory environment for key changes requiring adjustments to policies and processes? Especially in highly regulated industries, audit committees should provide oversight as management responds to new and emerging regulatory developments and industry issues.
9. Pay attention to new technological developments and trends
As the pace of technological innovation continues to escalate, it is imperative to understand the implications of such innovations to both the business and financial reporting. For example, as we noted earlier, security threats, vulnerabilities and privacy exposures continue to evolve. Because technology impacts the quality of financial reporting processes, the effectiveness of the overall IT entity-level control environment and IT process-level controls (general IT processes and application-specific processes) continue to warrant attention. In addition, cloud computing, mobile communications, collaborative computing and other technological innovations are transforming the way companies are doing business. For instance, advancements in technology are setting the stage for (a) engaging customers and suppliers in sourcing innovative ideas and co-producing products, (b) enabling consumer-to-consumer content sharing, (c) facilitating new forms of B2B commerce, and (d) laying the groundwork for cooperative consumption by groups of end consumers, among other things. As globalization continues, many organizations are focusing on how to exploit these market forces to their strategic advantage. For audit committees, the effects of new technology are pervasive, affecting financial reporting, as well as the viability of the business model.
10. Utilize external auditors effectively
A major function that is central to the core mission of the audit committee has been, and will continue to be, the oversight of the relationship with, and the competence, capability and reach of, the external auditor(s).
The audit committee should satisfy itself that the external audit team is bringing to bear the experience and skills needed to do the job. As we have noted in prior years, the audit committee should:
- Request information to maximize insights from the attestation process, such as an identification of high-risk areas, an analysis of reserve levels, judgmental issues, the summary of passed adjustments, concerns with respect to the internal control structure, and areas of disagreement with management.
- Inquire as to the audit firm’s litigation exposure and capital levels, as litigation from the financial crisis continues to unfold.
- Understand the nature, timing and extent of external audit work performed, including work performed by contractors, or performed offshore or in remote locations rather than the locations where the audit firm has engagement teams in place and on-site to perform the audit. Depending on the extent of the use of contractors and offshoring by the organization, questions arise as to how the accounting firm manages the quality of work and the confidentiality of company information.
As we begin 2011, what can we expect in the year ahead: a time of steady but moderate growth or another wild ride? No one knows for sure. The agenda items we have listed herein are significant matters that suggest continued vigilance on the part of the audit committee, as it can play an important oversight role in addressing these challenges.
1“Companies Cling to Cash,” The Wall Street Journal, December 10, 2010.
The Bulletin (Volume 4, Issue 5)