The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. The risks companies face in today’s global business environment create uncertainty for executive management and the board of directors. This issue of The Bulletin provides observations regarding these risks and ideas for consideration by audit committees as they formulate their 2014 agendas.
Ten Major Challenges
- Regulatory changes and increased regulatory scrutiny may affect operations (1) – Although not rated as high as last year, this risk once again tops the list. The pace of regulatory and legislative change has been significant in recent years, affecting the operating model used by a company to produce or deliver products or services, altering its costs of doing business and its positioning relative to its competitors. Even marginally incremental regulatory change can add tremendous cost to a corporation. The mere threat of change can create significant uncertainty that can hamper hiring and investment decisions.
- Economic conditions in current markets may not present significant growth opportunities (2) – While ranked second again on our list, this risk is not rated as highly as it was last year. Economic growth makes business planning easier. Growth across the globe has been somewhat mixed and uneven from region to region. The survey participants appear to be expressing concern that prospects for growth in 2014 present a challenge for them in selected markets. Needless to say, the economic dynamics of the past several years also suggest that the pace of economic growth could shift, dramatically and quickly, in any region or all regions of the global market.
- Uncertainty surrounding political leadership may limit growth opportunities (3) – Political uncertainties remain important. Divided government in the United States and geopolitical dynamics continue to present a complex and uncertain environment.
- Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets (4) – Acquiring, developing and retaining the best and brightest has been elevated as a priority, driving companies to focus on their processes for hiring, training, evaluating and rewarding their people. Executives are finding that motivating and equipping the growing number of younger workers – the so-called “millennials” – may require different tactics. With members of the baby boomer generation already entering retirement, succession planning is now front and center on the agenda.
- Organic growth through existing customers presents a significant challenge (5) – Participating executives see challenges in 2014 with respect to increasing their organization’s overall customer base, increasing output per customer or generating new sales. This could be due to a number of factors, such as increased competition, the challenge of retaining customers, or reduced consumer spending due to lower disposable income.
- Ensuring privacy/identity management and information security protection (in response to social business, cloud computing, mobile computing and other developments) could require resources the organization may not have; also, cyber threats could significantly disrupt core operations (6) – These risks continue to be top-of-mind. Together, they present a moving target in terms of changing technology that makes security and privacy more complex and tougher to manage and control. While new developments (e.g., social business, cloud computing, mobile computing, new platforms and devices, workplace virtualization) present opportunities for companies to create new markets and business models, they also present fresh venues for cyber attacks and mischief that can harm an organization significantly.
- Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations (7) – Yet another issue that has risen in importance for 2014, this risk points to the priority executives are placing on positioning the organization as agile, adaptive and resilient in the face of change in the marketplace. Early movers to exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
- Uncertainty surrounding costs of complying with health care reform legislation will limit growth (NR) – This risk ended up on our global top 10 list on the strength of the assessments of companies based in the United States and companies headquartered outside the United States with operations in the United States. With the delay of the employer mandate, as well as other uncertainties around the implementation of healthcare reform in the United States, companies are unsure of the operational impact at this time. These uncertainties are impacting hiring plans and investment decisions for all sizes of companies. Not surprisingly, companies domiciled outside of the United States with no U.S. operations did not consider this risk to be relevant.
- Anticipated volatility in global financial markets and currencies may create challenges (3) – On the economic front, central bank policies, most notably the policies of the Federal Reserve in the United States, create risk of sudden and dramatic volatility in financial markets, which could adversely affect rates, credit availability and currencies. Last year, we combined this risk with political uncertainty (see No. 3 on this list); this year, we broke it out.
- Other challenges: The organization’s operations may be unable to meet performance expectations as well as its competitors (8); new technologies may disrupt the organization’s business model (NR); and the organization could be impacted by an unexpected crisis (9) – In tenth place are three risks that were rated at the same level by the survey participants. First, there is the risk the organization’s operations may not be able to meet performance expectations as well as its competitors. Improving quality, time, innovation and cost performance continues to be a priority. Second, there is the risk of disruptive innovation and/or new technology within the industry outpacing an organization’s ability to compete without making significant changes to the business model. Finally, there is the risk of an unexpected crisis having a significant impact on the organization’s reputation due to its lack of preparedness.
Note that the inability to utilize data analytics and “big data” to obtain needed market intelligence and increase operational efficiency was ranked tenth last year and fell out of the top 10 risks this year. That said, the impact of big data and business intelligence is implicit in many of the risks that make up the top 10 list this year.
The survey results show that the ranking of the first seven risks did not change from last year. However, all of the risks in our top 10 list were rated lower than last year, except for the risks related to succession and talent retention, resistance to change and an unexpected crisis, which were rated at the same level as last year, and the risk of disruptive technologies, which was rated higher than last year.
The challenges identified in our survey that companies across the globe face as they approach 2014 are significant and merit board attention. They frame the environment within which audit committees must formulate an appropriate agenda.
The 2014 Agenda
Below, we have summarized an audit committee agenda with eight items for 2014 based on our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums. The first four items relate to enterprise, process and technology risk issues. The remaining four items relate to financial reporting issues.
ENTERPRISE, PROCESS AND TECHNOLOGY RISK ISSUES
- Update the company’s risk profile to reflect changing conditions – Given the changing environment, as illustrated through our discussion of major challenges above, the audit committee should take a close look at the company’s risk profile at least annually. Ideally, this evaluation should be supported by an updated risk assessment by management. For those organizations with a formal risk appetite statement, the annual risk assessment provides an opportunity for using that statement to evaluate the current risk profile in light of changing markets and conditions. For the most significant risks, either the audit committee or another committee of the board should determine that appropriate action plans are in place to manage them. With respect to significant risks with financial reporting implications, the audit committee should understand them, how they are being managed, and their potential financial impact. For financial institutions and other highly regulated entities, the audit committee should ensure the company understands the evolving regulatory framework and its impact on the company’s operations.
- Oversee the capabilities of the finance organization and internal audit – The CFO organization and internal audit face a demanding and changing environment. Because both are fundamental to the discharge of the audit committee’s oversight responsibilities, they require support from the committee to ensure the skill sets they need to meet expectations are in place. With respect to the finance organization, new and changing regulations, evolving international and domestic tax laws, and ongoing demands to deliver strategic contributions to the organization in the form of business intelligence, data analysis and effective forecasting frame the landscape. Key findings from the results of our latest “Finance Priorities Survey”3 include the following priorities, capabilities and key areas of emphasis for many companies:
- Managing cash flow and working capital efficiently and effectively
- Streamlining the financial close process
- Harnessing business intelligence and “big data” for strategic planning, forecasting, budgeting and profitability analysis
- Managing the impact of regulations – for example, in the United States, managing the effect of changes to healthcare regulations, looming major changes to U.S. tax laws and other business regulations.
While the finance function’s specific priorities may vary according to the organization’s industry, structure, culture, business performance issues, and internal and public reporting requirements, the above areas are consistent themes for many organizations.
With respect to internal audit, change is also the order of the day. Transformational technologies such as social media, as well as regulatory and rulemaking bodies, are creating complexities for internal auditors to address.
Protiviti’s “Internal Audit Capabilities and Needs Survey”4 is our annual study that assesses competency levels and areas of improvement for chief audit executives and internal audit professionals.
The 2013 study reveals a number of notable trends and priorities that are shaping the internal audit landscape into 2014. Among the key takeaways:
- Social media remains a top concern.
- Changes from regulatory and rulemaking bodies are garnering attention.
- The nature of fraud risk is changing – as are the ways internal auditors address it.
- There is continued interest in leveraging technology-enabled auditing.
- Internal auditors aim to think more strategically and collaborate more effectively.
The audit committee’s oversight should ensure the internal audit function (including any co-source partners) has the resources, skill sets and tools necessary to address the above trends and priorities, as well as the company’s key risks, in accordance with a risk-based audit plan.
- Contribute to board oversight of the five lines of defense – Essential to managing risk, the multiple lines-of-defense model provides assurance to the board of directors, as the representatives elected to oversee the organization’s operations on behalf of its shareholders, that risks are reduced to a manageable level as dictated by the organization’s risk appetite statement.
Much more than “segregation of incompatible duties” and “checks and balances,” the lines-of-defense model emphasizes a fundamental concept – from the boardroom to the customer-facing processes, managing risk is everyone’s responsibility.
The 2014 Mandate for Audit Committees
Enterprise, Process and Technology Risk Issues
1. Update the company’s risk profile to reflect changing conditions – Are there emerging risks or changes in existing risks requiring improvement in risk management capabilities?
2. Oversee the capabilities of the finance organization and internal audit – These capabilities must be aligned with the company’s changing needs, both internal and external.
3. Contribute to board oversight of the five lines of defense – Watch for the warning signs that the tone of the organization, risk management, internal control and escalation processes are not functioning effectively.
4. Understand how new technological developments and trends are impacting the company – Understand the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company’s business model.
Financial Reporting Issues
5. Continue to enhance the external auditor’s communications with the audit committee – Inquire whether PCAOB inspections are having an impact on the audit approach and manage the external auditor relationship so that the company receives value for its audit fees through enhanced communications from the audit process.
6. Pay attention to the PCAOB initiative to expand the auditor’s report – A new auditing standard and related amendments have been proposed to enhance the auditor’s reporting model.
7. Understand the impact of COSO’s 2013 update of the Internal Control – Integrated Framework – Understand the effect of the update on the company’s internal control reporting, internal audit activities and other affected areas.
8. Provide oversight on efforts to comply with new reporting requirements – Inquire about the impact of new accounting standards (e.g., revenue recognition and accounting for leases in the United States) and the status of the company’s due diligence with respect to the conflict minerals disclosure, if applicable.
A common view of the lines-of-defense model is from the vantage point of executive management and the board of directors (i.e., three lines of defense, where business unit management and process/risk owners comprise the first line, independent risk and compliance functions are the second line, and internal audit is the third line). While this point of view has considerable merit, we also see a broader perspective from the vantage point of shareholders and other external constituencies (an external stakeholder’s view) – that is, five lines of defense that support the execution of the organization’s risk management and compliance management capabilities:
- Senior management, under the board’s oversight, must set and reinforce the “everyone is responsible” tone by positioning each of the lines of defense to function effectively. The other lines of defense reinforce this tone of the organization.
- Those responsible for the units and processes that create risks must accept the ultimate responsibility to own and manage the risks their units and processes create, as well as establish the proper tone for managing these risks consistent with the tone at the top.
- Effective risk management and compliance management require independent, authoritative voices to ensure an enterprisewide framework exists for managing risk and compliance; process and risk owners are doing their jobs in accordance with that framework; risks are measured appropriately; risk limits are respected and adhered to; and risk reporting and escalation protocols are working as intended.
- Internal audit provides assurance that other lines of defense are functioning effectively and should use the lines-of-defense framework as a way of sharpening its value proposition by focusing its assurance activities more broadly on risk management.
- Under the oversight of the board of directors, executive management must manage the inevitable tension between market-making activities and control activities by ensuring these activities are appropriately balanced such that neither one is disproportionately strong relative to the other. This means executive management must align the governance process, risk management and internal control toward striking the appropriate balance to optimize the natural tension between value creation and value protection. More important, they must act on risk information in a timely manner when significant matters are escalated to them; they also must involve the board in a timely manner when necessary.
The five-lines-of-defense model is an integrated approach through which an organization responds to risk. It provides direction to executive management and the board as to how the organization should approach risk management. The audit committee should watch for the warning signs that these lines of defense are not functioning effectively.
- Understand how new technological developments and trends are impacting the company – Last year, we pointed to the emergence of a new era of business-to-people communications and social media peer groups providing an alternative model for connecting and interacting with markets, prospects and customers in the digital age – a model that places the customer in the driver’s seat in terms of dictating the conversation. Social business, cloud computing and mobile technologies are continuing to spawn disruptive change and increased privacy and security risks, including further exposure to cyber threats.
On the horizon, other technological innovations promise improvements in and even further disruptive change to designs, processes and business models: increasing diversity and capability in mobile devices, ever-expanding mobile apps and applications, and an exponential interconnection of Internet applications supporting smart grids, smart factories, and even smart cities in an app-centric world.
As these developments unfold, audit committees must understand the implications for security and privacy, financial reporting processes and the viability of the company’s business model. The ongoing effectiveness of the overall IT entity-level control environment and IT process-level controls (general IT processes and application-specific processes) continues to warrant the audit committee’s attention.
FINANCIAL REPORTING ISSUES
While financial reporting issues were not included among the top risks in our survey, they are nonetheless relevant to the audit committee agenda. Following are four issues for consideration:
- Continue to enhance the external auditor’s communications with the audit committee – The audit committee should look to the auditor to comment on matters such as: the company’s significant risks; its critical accounting policies, practices and estimates (and any expected changes that might be looming due to standard-setting activity); the quality of the company’s financial reporting; difficult or contentious matters; significant unusual transactions that either are outside the normal course of business or unusual in timing, size or nature, and the business rationale for such transactions; going concern issues, if any; and the auditor’s concerns with respect to critical accounting and auditing matters when he or she is aware that management consulted with other accountants about such matters.
The committee should expect the auditor to communicate an overview of the overall audit strategy, including timing of the audit, significant risks identified by the auditor, significant changes to the planned audit strategy or identified risks, and other matters. The committee should inquire whether Public Company Accounting Oversight Board (PCAOB or the “Board”) inspections of the firm are having an impact on the audit approach in any way.
Note that the PCAOB requires the auditor to provide the audit committee with the schedule of uncorrected misstatements related to accounts and disclosures the auditor presented to management. The committee should discuss with the auditor and management the basis for the determination that the uncorrected misstatements were immaterial, including the qualitative factors considered. It also should discuss whether the uncorrected misstatements or matters underlying those uncorrected misstatements could potentially cause future-period financial statements to be materially misstated, even though they are immaterial to the financial statements currently under audit.
Another important matter is the auditor’s communications regarding non-audit services performed. Given the audit committee’s ultimate responsibility to oversee the qualifications, independence and performance of the external auditors of public companies in the United States, the committee must approve in advance the nature of non-audit services and the related fees, using no less than the U.S. Securities and Exchange Commission’s (SEC) criteria for evaluating auditor independence.5 Directors also should pay attention to the activities of the PCAOB insofar as they relate to ensuring auditor independence.
- Pay attention to the PCAOB initiative to expand the auditor’s report – This year, the Board proposed a new auditing standard and related amendments to enhance the auditor’s reporting model. Among other things, the proposals would require:
- Communication of critical audit matters as determined by the auditor, including a description, the reasons the matter is considered “critical,” and the relevant financial statement accounts and disclosures relating to the critical audit matter;
- Addition of new elements to the auditor’s report related to auditor independence, auditor tenure, and the auditor’s responsibilities for, and the results of, evaluating other information outside the financial statements;
- Enhancements to existing language in the auditor’s report related to the auditor’s responsibilities for fraud and notes to the financial statements;
- Reporting on the auditor’s evaluation of information beyond the financial statements for potential errors or misstatements that conflict with information obtained during the audit.
The Board’s proposed changes represent significant change. In a survey of 74 corporate directors of public company boards, 45 percent did not think the Board’s proposed changes will improve the usefulness of the auditor’s report, 27 percent believed the changes will improve the auditor’s report and the remaining 28 percent were not sure. Almost eight of 10 directors are in favor of the report disclosing the length of the external auditor’s tenure, whereas 67 percent are opposed to the auditor’s report evaluating information beyond the financial statements, and 52 percent are opposed to the report containing a discussion of critical audit matters.6
Audit committees should be mindful of these developments as they unfold, particularly if the company is faced with issues likely to be considered “critical audit matters” by the auditor. With the comment period for this proposed auditing standard expiring in December 2013, look for the Board to schedule a public roundtable to discuss the proposal and the comments received in early 2014 before finalizing a new standard.
- Understand the impact of COSO’s 2013 update of the Internal Control – Integrated Framework – While the new framework may be used for a wide variety of purposes, it is likely to be used by many (if not most) companies as a suitable framework in conjunction with the evaluation of the effectiveness of internal control over financial reporting in accordance with Section 404 of the Sarbanes-Oxley Act. For companies planning on using the framework in this manner, the audit committee should understand the following:
- The major changes COSO has made to the Internal Control – Integrated Framework
- How the 2013 New Framework impacts management’s approach to complying with Section 404
- Management’s transition plan to the 2013 version, including how management is complying with Section 404 in 2013 and the disclosure ramifications if management intends to use the 1992 version in 2013
The updated internal control framework is important as it will impact the company’s internal control reporting, internal audit activities and other areas. Protiviti has published a frequently asked questions guide to assist executives and directors in understanding the updated framework and the related transition requirements.7
- Provide oversight on efforts to comply with new reporting requirements – Understanding the financial reporting impact of new accounting standards is a necessary function of an audit committee. For example, in the United States, final revenue recognition standards are imminent, raising significant planning and implementation issues for many companies. Companies will need to assess the impact and plan for transition during 2014. And if that isn’t enough, significant new leasing rules aren’t far behind.
There also may be new disclosure requirements requiring consideration. In the United States, for example, the SEC conflict minerals disclosures begin in 2014.8 The audit committee should inquire about the pending and new standards in the pipeline, their effective dates and financial statement impact, and management’s implementation plans (including, for conflict minerals, any plans for addressing applicable audit requirements).
The 2014 agenda items we have suggested are significant matters that warrant audit committee oversight. In addition to these agenda items, the audit committee should assess its composition, industry knowledge and financial reporting expertise from time to time in view of the growing complexity of the business environment, company risk profile, and continued evolution of financial reporting standards. Understanding the business and industry is critical for the audit committee so it can be positioned to ask the appropriate questions on tough issues, either in regular committee meetings or during executive sessions with the external and internal auditors, chief financial officer, or other company executives.
1. Protiviti and North Carolina State University’s ERM Initiative partnered to conduct this survey, available at www.protiviti.com in January 2014.
2. See “Setting the 2013 Audit Committee Agenda,” The Bulletin, Volume 5, Issue 1, Protiviti, 2012.
3. Further information about Protiviti’s “2014 Finance Priorities Survey,” including the survey report.
4. Further information about Protiviti’s “2013 Internal Audit Capabilities and Needs Survey,” including the survey report.
5. We use the phrase “no less than” here because we are aware of audit committees applying more restrictive criteria.
6. “Public Company Boards Skeptical of PCAOB Auditor’s Report Proposal,” Jason Bramwell, AccountingWEB, October 9, 2013. This article cited results from a study conducted by BDO USA.
7. The Updated COSO Internal Control Framework: Frequently Asked Questions, Second Edition, September 2013.
8. “SEC Adopts New Rule Requiring Disclosure of Conflict Minerals in Supply Chains,” SEC Flash Report, Protiviti, August 24, 2012.
The Bulletin (Volume 5, Issue 5)