The complexity and velocity of change in an increasingly interdependent world are altering the dynamics of doing business. As the business environment continues to change, so does the risk landscape that companies and their audit committees face. Given the uncertainties of the environment, this issue of The Bulletin provides observations and ideas for consideration by boards and their audit committees. We begin by describing 10 major challenges businesses face as a context for suggesting matters to consider when setting the 2013 audit committee agenda.
Ten Major Challenges
The purpose of the following summary of major challenges is to provide a context for many of the top-of-mind issues companies across the globe are facing in these dynamic times as they move forward into 2013. This list is derived from a survey of more than 200 corporate leaders (who are predominantly board members and C-level executives), a majority of whom represent multinationals, to identify the most significant risks their companies face.[1] While different industries face different issues and priorities and the applicability and prioritization of the following challenges will vary by industry, we ranked the risks in order of priority on an overall basis:
1. Regulatory changes and increased regulatory scrutiny may affect operations
2. Economic conditions in current markets may not present significant growth opportunities
3. Volatile global economic and political conditions
4. Succession challenges and the ability to attract/retain top talent may constrain efforts to achieve operational targets
5. Organic growth through existing customers presents a significant challenge
6. Ensuring privacy/identity management and information security protection could require resources the organization may not have; cyber threats could significantly disrupt core operations
7. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations
8. The organization may not be able to meet performance expectations as well as its competitors can
9. An unexpected crisis would likely have a significant impact on reputation given the organization’s existing preparedness
10. Inability to utilize data analytics and “big data” to obtain needed market intelligence and increase operational efficiency
- Regulatory changes and increased regulatory scrutiny may affect operations – The participants ranked this risk high on the list because regulatory change can overwhelm organizations and distract employees from focusing on customers. Even small doses of regulatory change can add tremendous cost to a corporation. The mere threat of change can create significant uncertainty that can hamper investment decisions. The pace of regulatory and legislative change has been significant in recent years, even to the point of affecting the manner in which a company produces or delivers its products or services.
- Economic conditions in current markets may not present significant growth opportunities – Growth is the name of the game. Survey participants appear to be suggesting that areas for growth are becoming more difficult to identify and exploit in current markets.
- Volatile global economic and political conditions – Political uncertainties in current and prospective markets could limit growth opportunities. Geopolitical dynamics present a complex picture and are very difficult to anticipate directionally, as is also the case with political gridlock. These uncertainties are interrelated with concerns over the global economy and anticipated volatility in global financial markets, which may create significant financial risk in the form of emerging market, credit, currency and other financial risks. Few organizations are immune to the vagaries of the global economic and financial markets and the related impact on demand, rates, credit availability and currencies.
- Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets – As a company is no better than the quality of its people, recruiting and retaining the best and brightest talent are essential for success. As the so-called baby boomer generation approaches retirement, succession is being placed front and center on the agenda.
- Organic growth through existing customers presents a significant challenge – As customers have the advantage of more choices through increased market transparency, technological advances and increased competition, leveraging customer loyalty into increased revenues continues to be of paramount importance.
- Ensuring privacy/identity management and information security protection could require resources the organization may not have; cyber threats could significantly disrupt core operations – Technological innovation is a powerful source of disruptive change, and no one wants to be on the wrong side of it. There is so much change taking place, with cloud computing, social media, mobile technologies, and initiatives to use technology as a source of innovation and an enabler to strengthen the customer experience. Advances in technology present new challenges with managing privacy and security risks.
- Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations – In these uncertain times, it makes sense to increase the organization’s ability to change and adapt to a rapidly evolving business environment. Therefore, response readiness is important, as are the agility and resiliency of the organization.
- The organization may not be able to meet performance expectations as well as its competitors can – Improving quality, time, innovation and cost performance is as important today as it always has been.
- An unexpected crisis would likely have a significant impact on reputation given the organization’s existing preparedness – In today’s risky times, crisis management is an essential component of effective reputation management. Astute observers know that even the most respected organizations can be tested at any time. Supply chain disruptions or rogue employees choosing to violate laws are examples of the unexpected.
- Inability to utilize data analytics and “big data” to obtain needed market intelligence and increase operational efficiency – An important topic for CFOs and CIOs is “big data” and how to deal with it. Representing the ever-expanding collection of data sets of such sheer size, variety and speed of generation, “big data” makes it more difficult to manage and harness essential information needed to run the business. Sources of electronic data vary, being as simple as transactions in a banking system or as complex as non-structured content, such as Twitter pictures and file postings. The challenges faced by CIOs when dealing with “big data” have changed dramatically over the years, from needing to address overall physical storage costs to now needing to deal with the explosion of stored content due to the abundance of cheap drive space.
These are significant challenges identified in our survey that companies across the globe face as they approach 2013. In light of this ever-changing business environment, audit committees must formulate an appropriate agenda.
The 2013 Agenda
Based on changes in the business, technological and regulatory environment, and our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums, we have summarized below a suggested audit committee agenda with 12 items for 2013. The first six items relate to enterprise, process and technology risk issues. The remaining six items relate to financial reporting issues.
ENTERPRISE, PROCESS AND TECHNOLOGY RISK ISSUES
- Update the company’s risk profile to reflect changing conditions – Given our discussion of major challenges, it is apparent that company risk profiles continue to change over time. Therefore, companies need to take a fresh look at their risks and evaluate how well they are managing them. Depending on how the board organizes itself to provide risk oversight, audit committees should be satisfied that action plans are in place to manage the most important existing risks, as well as those that could emerge in the near future. For risks that may have financial reporting implications, this understanding may be particularly important.
- Oversee the capabilities of the finance organization and internal audit – Because both the CFO organization and internal audit continue to face a rapidly changing environment, the audit committee should ensure that the skill sets available in both are aligned with the myriad expectations driven by the organization’s industry, structure, culture, business performance issues, and internal and public reporting requirements and issues. With respect to the finance organization, Protiviti’s 2012 Finance Priorities Survey identified the following priorities, capabilities and key areas of focus for many companies[2]:
- Competitive intelligence and financial risk management
- Enhancing the scope of business services and increasing overall efficiency of shared services organizations
- Making traditional, transaction-heavy processes as efficient as possible, thus managing costs and freeing up more time for high-value strategic contributions such as financial analysis and business decision support activities
- Improving personal and organizational skills, such as negotiation, Six Sigma and dealing with confrontation
With respect to internal audit, the audit committee’s oversight should ensure the function (including any co-source partners) has the resources, skill sets and tools it needs to address the company’s key risks. According to Protiviti’s 2012 Internal Audit Capabilities and Needs Survey report[3]:
- When it comes to general technical knowledge, social media applications and cloud-based computing are the top two business priorities and areas where internal audit skills are most in need of improvement
- There is significant potential for improvement via technology-enabled audits
- In looking at the use of technology in auditing business process controls, “IT asset management” is a top area for improvement
- Sixty percent of organizations do not leverage data analysis or technology-enabled audits to prevent fraud, while more than half of all organizations deploy audits to detect, monitor and investigate fraud
- Consistent with findings from previous years of the study, survey respondents said the audit process they most need to brush up on is the use of continuous auditing and computer-assisted auditing tools
- Continue to provide oversight for significant changes in the control environment – Tone at the top, culture, and commitment to ethical and responsible business behavior continue to be vitally important. The audit committee should be alert for red flags indicating the internal control structure is under stress in significant risk areas as the company responds to a changing environment. Essential compliance and risk management functions should remain intact, requiring careful delineation of key control responsibilities as process cost-effectiveness is improved. Key control activities essential to financial reporting must not be compromised if the company chooses to cut costs or downsize any part of its workforce.
- Understand how new technological developments and trends are impacting the company – A new era of business-to-people communications and social media peer groups has emerged, providing an alternative model for connecting and interacting with markets, prospects and customers in the digital age – a model that places the customer in the driver’s seat in terms of dictating the conversation. Taken forward, this convergence of social technologies is potentially a game changer that cannot be ignored. Social business, cloud computing and mobile technologies are spawning disruptive change and increased privacy and security risks, including exposure to cyber threats. Because technology impacts the quality of financial reporting processes, the effectiveness of the overall IT entity-level control environment and IT process-level controls (general IT processes and application-specific processes) continue to warrant the audit committee’s attention.
- Take a fresh look at the compliance infrastructure – As laws, regulations and internal policies continue to evolve, the audit committee may want to inquire as to whether the company has internalized lessons from recent actions of regulators with respect to enforcement actions and offering clarifying guidance. For example, the U.S. Department of Justice’s (DoJ) extraordinary declination to bring any enforcement action against a global financial services company related to an employee’s violation of the Foreign Corrupt Practices Act (FCPA) provides an insightful benchmark for companies in all industries to use in evaluating their own compliance practices.[4] In addition, for the first time since enactment of the FCPA, the Criminal Division of the DoJ and the Enforcement Division of the U.S. Securities and Exchange Commission (SEC) released guidance on complying with the Act.[5]
Finally, there have been changes to guidance issued by the Serious Fraud Office in the United Kingdom.[6] While these examples focus on corruption risk, they nonetheless illustrate that such developments present opportunities to take a fresh look at the compliance infrastructure.
- Assess audit committee effectiveness – There should be a periodic assessment of the committee’s composition, industry knowledge and financial reporting expertise in view of the growing complexity of the business environment, the company’s risk profile and the continued convergence of U.S. Generally Accepted Accounting Principles (GAAP) and International Financial Reporting Standards (IFRS). Understanding the business is a vital prerequisite for any audit committee to bring to bear the appropriate questions at the right time on the tough issues, either in regular committee meetings or during executive sessions with the external auditor or company executives.
FINANCIAL REPORTING ISSUES
While financial reporting issues were not included among the top risks in our survey, they are nonetheless relevant to the audit committee agenda. Following are six issues for consideration, which we discuss in more depth than the agenda items presented above.
- Work with the external auditor to upgrade the communications process – The audit committee should have higher expectations of communications with the auditor, both this year and in the future. For example, the audit committee should expect the auditor to discuss why key accounting policies and practices are considered critical, and how current and anticipated future events might affect the determination of whether certain policies and practices are considered critical. The committee should expect the auditor to communicate an overview of the overall audit strategy, including timing of the audit, significant risks identified by the auditor, significant changes to the planned strategy or identified risks and other matters.
To illustrate, in August 2012, the U.S. Public Company Accounting Oversight Board (PCAOB or “the Board”) adopted Auditing Standard No. 16 (AS16), Communications with Audit Committees, to enhance the relevance and timeliness of constructive dialogue between the auditor and the audit committee on significant audit and financial statement matters. These matters might include (1) significant risks, (2) critical accounting policies, practices and estimates, (3) the quality of the company’s financial reporting, (4) difficult or contentious matters, (5) significant unusual transactions that either are outside the normal course of business or unusual in timing, size or nature, and the business rationale for such transactions, (6) going concern issues, and (7) the auditor’s concerns with respect to significant accounting or auditing matters when the auditor is aware that management consulted with other accountants about such matters. While the aforementioned issues are not necessarily complete in terms of all of the issues the auditor might communicate, situations in which the auditor concludes there is bias in management’s judgments about the amounts and disclosures in the financial statements are of particular significance.
In addition, the PCAOB requires the auditor to provide the audit committee with the schedule of uncorrected misstatements related to accounts and disclosures that the auditor presented to management and to discuss with the committee (1) the basis for the determination that the uncorrected misstatements were immaterial, including the qualitative factors considered, and (2) whether the uncorrected misstatements or matters underlying those uncorrected misstatements could potentially cause future-period financial statements to be materially misstated, even though they are immaterial to the financial statements currently under audit.
- Be aware that the auditor’s report may expand in the near future – It is possible the expanded report may incorporate many of the topics the auditor addresses to the audit committee, as discussed above. In the United States, the PCAOB has on its agenda an evaluation of the auditor’s report to transition it from the current boilerplate report to a more informative format that could mirror issues identified by AS16, as discussed above. If the Board proceeds with this transition, it could spill over into other countries.
To illustrate, in addition to the standard scope and the company’s accounting policies and practices, and difficult or contentious issues, including close calls. This expansion of the auditor’s report will likely be addressed by an exposure draft issued by the PCAOB during 2013 with a final statement issued either later in the year or in 2014. While the final statement may not be effective until audits conducted in the following year, some audit firms may elect to adopt it earlier in the year in which the final statement is released. With the expanded use of emphasis paragraphs guiding investors in navigating disclosures and identifying management’s most significant judgments and estimates, this development will be new ground for auditors, management and audit committees. In the end, however, the dialogue driven by this expanded reporting model will likely facilitate improvement in the quality of financial reporting.
- Inquire whether PCAOB inspections impact the audit approach – In the United States, the PCAOB inspection process evaluates registered public accounting firms to assess their compliance with the Sarbanes-Oxley Act, the rules of the Board, the rules of the SEC, and professional standards in connection with the firms’ performance of audits, issuance of audit reports, and related matters involving U.S. public companies. With Sarbanes-Oxley requiring the Board to conduct its inspections annually for the larger firms, the Board prepares two written reports on each inspection and provides them to the SEC and to certain state regulatory authorities. The Board also makes one of these reports available to the public on its website insofar as it relates to deficiencies on the firms’ individual audits. The other report deals with deficiencies in the firms’ overall quality control systems and is restricted from public disclosure so long as the firms remediate the deficiencies within one year. Therefore, the PCAOB inspection reports are partly public and partly private. Because inspection findings could have implications for auditing procedures and quality control standards for audit firms on a global basis, audit committees should take note of these developments.
In 2012, the PCAOB reported that it continued to find “serious audit deficiencies where auditors are simply not doing adequate work in very important audit areas.” These areas include, among others, revenue recognition, related party transactions, business combinations, going concern considerations, loans and accounts receivables, independence, fair value, internal controls, and judgments and estimates. During 2012, the Board issued guidance to audit committees describing how its inspections of audit firms work and how the committees can gather information from audit firms about those inspections.[7] In its guidance, the PCAOB provided questions audit committees should consider asking their auditors. With respect to the PCAOB audit inspection report describing audit deficiencies (i.e., the public report summarizing where the inspection staff found that the auditor failed to gather enough evidence to support an opinion on audits of specific issuers), the Board recommended the following questions:
- Was the company’s audit selected for PCAOB inspection?
- Did the PCAOB identify deficiencies in other audits that involved auditing or accounting issues similar to issues presented in the company’s audit?
- What were the firm’s responses to the PCAOB findings?
With respect to the PCAOB audit inspection report describing inspection findings that are privately communicated to the audit firm, the Board recommended audit committees ask questions such as:
- What changes is the firm making to address quality control deficiencies?
- What is the progress of the quality control remediation process, and what submissions has the firm made to the PCAOB as part of that process?
- For which years has the PCAOB made a final determination about the firm’s remediation efforts, and what was the nature of that determination?
- Has the PCAOB provided initial indications that the audit firm may not have sufficiently remediated any items?
The PCAOB’s guidance sets an implicit expectation that audit firms be responsive if audit committees inquire about their respective inspection results. Auditor responses to the above inquiries asserting that the inspection results only cover documentation issues or are just a matter of differences in professional judgment may not reflect the PCAOB’s view. In addition, as audit firms react to these results, their audit hours and fees are likely to increase.
- Keep an eye on developments with respect to mandatory auditor rotation – Auditor rotation is a topic being either implemented or explored across the globe. Led by Internal Markets Commissioner Michel Barnier, the European Commission proposed new rules in November 2011 that could require companies to change their outside auditors every six years and could require Big Four accounting firms to separate their audit and consulting arms.[8] Since 1975, Italy has required mandatory audit firm rotation of listed companies in which the audit engagement may be retendered (a process by which the firms recompete to provide audit services) every three years, and the same public accounting firm may serve as the auditor of record for a maximum of nine years with a minimum lag of three years for a predecessor auditor to return.[9] The Brazilian Securities Commission and the Central Bank of Brazil require that independent auditors be rotated every five years.[10] In India and Singapore, mandatory rotation is required only for domestic banks and certain insurance companies.[11] These are a few examples.
In the United States, the debate continues. The PCAOB has on its agenda an objective to enhance auditor independence, objectivity and professional skepticism, including thorough consideration of audit firm term limits. The Board has conducted several roundtables involving various panels of investors and investor advocates, senior executives and audit committee chairs of major public companies, chief executive officers of audit firms, academics and other interested parties to obtain their input and arguments on both sides of the issue. While there isn’t anything conclusive to report in terms of action items, audit committees should monitor developments on this issue because of the potentially significant impact auditor rotation could have on many public companies. While the Board has not tipped its likely direction, it would not be a surprise if the likely course of action was to strengthen the audit committee’s oversight of the external auditor. Accordingly, audit committees should be mindful of these developments.
- Expect action on convergence to IFRS – As of the end of 2012, IFRS is required for all companies in more than 90 countries and for some companies in at least six countries, and is permitted in at least 25 countries. In the United States, IFRS has been addressed through a process of “convergence” as the U.S. Financial Accounting Standards Board (FASB) and International Accounting Standards Board progress in cooperation toward a single set of global regulations and standards by converging U.S. GAAP and IFRS. While the buzz around convergence in the United States has fluctuated at various levels, the next couple of years are likely to get more interesting as three projects make headway: financial instruments, revenue recognition and leasing. As the revised standards are developed through the convergence process, the impact on U.S. companies will become clearer. Audit committees of U.S.-listed companies should inquire as to the status of these developments and ascertain whether management is positioning the company to comply with the new standards once they are effective.
- Consider other issues – Following are two additional issues that may be worthy of the audit committee’s attention for domestic and foreign filers of U.S.-listed companies:
- Conflict minerals disclosure – During 2012, the SEC adopted a new rule requiring companies to publicly disclose whether they use conflict minerals that originated in the Democratic Republic of Congo or adjoining countries. The purchase of so-called “conflict minerals” allegedly benefits armed rebel groups in these countries. The conflict minerals include tantalum, tin, gold, tungsten or other minerals if they are deemed necessary to the functionality or production of a product manufactured by the company. If this rule applies to an issuer’s supply chain, management needs to work out its compliance process to exercise due diligence on the source and chain of custody of their conflict minerals, ensure appropriate disclosure and arrange for an independent audit of the disclosure.[12]
- New Internal Control Framework – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is expected to release an updated Internal Control – Integrated Framework (ICIF) during the first quarter of 2013. While the ICIF may be used for a wide variety of purposes, it is used by many companies as a suitable framework in conjunction with the evaluation of the effectiveness of internal control over financial reporting in accordance with Section 404 of the Sarbanes-Oxley Act. For companies using the ICIF in this manner, the question arises as to when the updated framework will become effective. As a regulator, the SEC is likely to be the authoritative voice in responding to that question. We expect the transition period to be somewhat flexible.
The 2013 agenda items we have suggested are significant matters warranting audit committee consideration. They consist of enterprise, process and technology risk issues, as well as financial reporting issues. Given the dynamic economic, business, regulatory and political environment, committee members should be mindful of developments during the next 12 months that may drive emerging issues requiring the committee’s attention.
[1] Protiviti and North Carolina State University’s ERM Initiative partnered to conduct this survey, the results of which will be published in 2013.
[2] Protiviti’s 2012 Finance Priorities Survey is available at www.protiviti.com/Finance-Survey.
[3] Protiviti’s 2012 Internal Audit Capabilities and Needs Survey report is available at www.protiviti.com/IAsurvey.
[4] “Is Department of Justice Dismissal of Morgan Stanley Case a Litmus Test for Corruption Risk Compliance?,” Protiviti Flash Report, November 1, 2012, available at www.protiviti.com.
[5] The joint guidance is entitled FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act.
[6] “Update Following Enactment of the U.K. Bribery Act,” Protiviti Flash Report, November 15, 2012, available at www.protiviti.com.
[7] See Information for Audit Committees About the PCAOB Inspection Process, available at www.pcaobus.org.
[8] “European Auditor Rotation Debate Hits Cost-Benefit Concerns,” Emily Chasan, CFO Journal, July 9, 2012.
[9] Public Accounting Firms: Required Study on the Potential Effects of Mandatory Audit Firm Rotation, Jeanette M. Franzel, Appendix V, January 3, 2004, page 83.
[10] International Accounting and Reporting News: 2006 Review, United Nations Publications, October 1, 2007, page 22.
[11] Corporate Governance Matters: A Closer Look at Organizational Choices and Their Consequences, David F. Larcker and Brian Tayan, April 2011, page 352.
[12] Protiviti’s SEC Flash Report, “SEC Adopts New Rule Requiring Disclosure of Conflict Minerals in Supply Chains,” August 24, 2012, available at www.protiviti.com.
The Bulletin (Volume 5, Issue 1)