In Issue 7 of our recently completed Volume 2 of The Bulletin, we discussed the audit committee’s agenda. Since that issue was published just over a year ago, we have continued to see additional issues warranting the audit committee’s attention. This issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
Updating the audit committee agenda
Audit committees face another crowded agenda over the next 12 months. Many aspects of the audit committee charter continue to require ongoing attention, including the myriad committee activities driven by the rules issued by the U.S. Securities and Exchange Commission (SEC) and the listing standards of the exchange on which the company is listed. Obviously, audit committees must continue to address these important requirements, as they set the minimum standards under which committees must operate.
In Issue 7 of Volume 2, we recommended eight items for the audit committee agenda, and most of the subsequent issues of Volume 2 discussed these areas in more depth. While we hope that progress has been made on these items since Issue 7 was released, we recognize that many committees are still working on them. Because we believe these eight items remain important considerations for the agendas of many audit committees, they are listed below:
- Drive sustainability, cost-effectiveness and value-add of Sarbanes-Oxley compliance
- Take a fresh look at the anti-fraud program
- Learn from enterprise risk assessments
- Monitor internal audit rebalancing
- Inquire as to internal audit quality assurance reviews
- Insist on a cost-effective and transparent attestation process
- Evaluate the organization’s financial reporting risk profile
- Clear up remaining significant deficiencies
If any of these items remain unaddressed, we recommend they stay on the committee agenda.
We also recommend that the audit committee consider expanding its 2008 agenda to consider the following additional items:
- Review preparations for emphasis on enterprise risk management (ERM) quality in the credit ratings process
- Focus on management’s plan for dealing with changes in the financial reporting model
- Create transparency around large risk exposures
- Understand the issues around electronic discovery and how management is addressing them
- Manage IT security and changes to the IT environment
- Monitor and understand key changes in regulations and how they impact the business
Each of these new agenda items is discussed herein, along with updated commentary regarding the prior agenda items.
Review preparations for emphasis on ERM quality in the credit ratings process
For years, nonfinancial companies have debated the merits of ERM. The dialog often has focused on the value proposition of doing something differently in the risk management space than what has been done in the past. For many nonfinancial companies, the verdict often ends up in the same place: ERM does not translate into hard-enough, measurable benefits that justify – to executive management’s satisfaction – the cost of taking action.
The dynamics of this debate may be changing. In November 2007, Standard & Poor's (S&P) issued its Request for Comment: Enterprise Risk Management Analysis for Credit Ratings of Nonfinancial Companies (RFC), reflecting the agency's intention to assign ERM quality scores to all companies it reviews. This move by S&P would affect thousands of public and private companies in dozens of industries by extending ERM evaluation into nonfinancial sectors. It also creates a risk of reduced debt ratings if the agency's analysts find gaps in the risk management capabilities of the nonfinancial companies they cover.
Reading between the lines of the RFC, we can expect more explicit criteria by sector once S&P decides to go forward. While S&P has stated it will introduce ERM analysis into the ratings process by the end of the first quarter of 2008, the good news is that analysts will refrain from assigning ERM quality scores to individual companies until a sufficient number of companies have been reviewed to allow for comparability across the applicable sector. Therefore, we can expect S&P to benchmark companies within each sector for a period of time before "going live" with an ERM quality score. S&P has said that actual implementation of the ERM quality score could take place in "as little as a few months" but may not occur for "at least one year" with respect to specific sectors. This period gives companies time to improve their processes, if they act soon to prepare.
Those who believe that this will be a superficial "fly by" assessment should think again. In the aftermath of Katrina, the recent massive product recalls and, of course, the subprime mess, the ratings process has never been under closer scrutiny. The safe bet is that the rating agencies will play this one carefully and tough. The principal objective in evaluating ERM is to drive companies to implement practices that will limit the frequency and severity of losses that could affect ratings. The next issue of The Bulletin will explore how consideration of ERM quality can impact the ratings process and what nonfinancial companies can do to prepare for this added dimension of the process.
Focus on management’s strategy relating to IFRS and U.S. GAAP
Much of the world has declared that International Financial Reporting Standards (IFRS), as published by the International Accounting Standards Board (IASB), is the standard of choice for financial reporting. For example, Europe has mandated IFRS for all public companies as of 2005. Under current rules, public companies with U.S. listings that are domiciled in other countries often use IFRS.
Now all heads are turned to the United States. The SEC currently allows foreign companies the choice of whether to use IFRS or U.S. generally accepted accounting principles (U.S. GAAP). However, that choice is not available to domestic U.S. issuers, which currently are required to use U.S. GAAP.
Now that U.S. investors must deal with these two competing accounting systems, the SEC is obtaining feedback on the ramifications of potentially permitting – or requiring – U.S. companies to report their financial statements to the Commission in accordance with IFRS. The SEC’s decision in November 2007 to eliminate the GAAP reconciliation requirement for foreign issuers filing with the Commission is a clear sign toward convergence of financial reporting standards. Convergence would impact all aspects of the financial reporting model, including business combinations, consolidations, fair value measurement, liability and equity distinctions, performance reporting, revenue recognition, income taxes, joint ventures, earnings per share, asset impairments and leases.
This issue extends beyond the United States. In other countries, there are so-called "as is" adoptions or "country flavors" of IFRS. If there is convergence to a global financial reporting standard over time, companies within these countries also will be impacted.
With the SEC setting the proverbial northbound train of convergence squarely on the rails and starting it rolling toward its inevitable destination, it is now a matter of "when" rather than "if." Accordingly, management is well-advised to begin understanding now the impact of a change from U.S. GAAP to IFRS. The first step is to develop a point of view on the perceived benefits and costs of implementing IFRS, if given the choice to adopt it. For example, companies with a majority of their operations in countries requiring IFRS and/or whose principal competitors use IFRS might decide the benefits exceed the costs. If a company concludes that the benefits outweigh the costs, it must then understand the impact of the change on its people, processes and technology so it can begin planning for implementation.
There are practical issues surrounding the possible future use of IFRS. Companies are advised to apply the lessons learned by Sarbanes-Oxley Section 404 adopters. Initially, the Section 404 compliance projects did not draw sufficient management attention and resources. There was a general lack of planning, understaffing and overwork. Activities were largely ad hoc and chaotic. Many companies were caught flat-footed because they waited too long to begin. As a result, the time and cost to complete these projects were grossly underestimated. Overall, senior management and the audit committee did not appreciate the scale of the initial effort.
If the SEC allows a choice and companies decide to switch to IFRS, the appropriate training, head count and external resources need to be taken into account. Consideration also must be given to the appropriate design of processes and system enhancements, along with the need for ERP and financial systems modifications and/or upgrades. The transition to IFRS will require strong, focused project management discipline.
Because competition for talent among companies and their auditors could drive up costs and create shortages in the talent pool, the companies least prepared will pay the highest price.
While the odds of the SEC mandating IFRS are low, we believe that within a year or two, U.S. issuers may be given the alternative to select IFRS over U.S. GAAP. Clearly, this is an issue that bears understanding, monitoring and strategizing. The audit committee should take the appropriate steps to educate itself on the principal differences between U.S. GAAP and IFRS and the implications for financial reports. In addition, it should ask management to assess the perceived benefits and costs of IFRS convergence to the company, as well as the potential impacts on people, processes and technology. A future issue of The Bulletin will address this topic further.
Create transparency around large risk exposures
The lessons learned from the subprime crisis are more general in nature and apply to all companies. As the crisis unfolded, it was interesting how many financial institutions and asset managers simply didn’t know the extent of their exposure.
Transparency around large exposures and/or complicated business activity is critical in managing any business. When one global investment banking and securities firm reported a short position in the subprime mortgage market and that it would not take any significant charges to write off losses, its assessment was the first report of good news about credit exposure in the financial services industry.
What set this firm apart from all others?
According to the firm's CEO at a conference in November 2007, its success is due to three main principles:
- Escalation refers to the management of problems before they start, with individuals within the firm contacting those above them in order to warn them of the problem.
- Accountability refers to being responsible for one's business practices and holding senior management responsible for the final outcomes of those business practices.
- Culture refers to the acceptance of people challenging one another.
Simply stated, the fundamental reason for the institution's success in navigating the subprime maze was the importance it placed on risk management and the checks and balances that kept executives on track. Interestingly, the firm in question rotates its executives through the risk management functions as part of their career development, which the CEO likened to "painting a bridge": going from one end of the firm to the other, and when you finish, going back to the beginning and starting over again.
We believe that these three principles of escalation, accountability and culture are vital to successful management of large risk exposures. Uneven application of risk management typically leads to transparency in some parts of the organization and obscurity elsewhere. Call it whatever you want, but that end state is not an effective implementation of ERM. Furthermore, if a company is overdosing on risk, knows it is doing so and continues to do so anyway, that is a failure in the governance structure, not just in ERM. The successful prevention of severe losses from the inevitable unexpected events and surprises begins and ends with an effective risk management infrastructure that the company uses and acts upon. The notion of transparency is important because every organization has executives who are willing to take risky bets. Because taking the best bets to create enterprise value is inevitable in managing any business, it is prudent and important that the sun is shining, for all to see, on the bets undertaken.
Directors can play an important oversight role by understanding the company's significant risk exposures and by rejecting anecdotal treatment of risk and risk management in the boardroom as insufficient. Reporting is integral to this oversight role when it drives transparency about risk and risk management throughout the organization, including the risks undertaken by different units and activities.
Our advice: If you do not understand the risks, ask the necessary questions until you do. Good governance facilitates implementation of ERM because ERM is built on transparency. Conversely, an effectively functioning ERM infrastructure provides greater confidence to the board and to management that the truly significant risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprisewide basis. The two go hand-in-hand.
A future issue of The Bulletin will explore how companies can design and implement a practical approach for building increased transparency into their significant risk exposures and the management of those exposures.
Understand electronic discovery issues and the related exposures to the company
Studies indicate that a $10 billion company spends, on average, $25 million to $40 million per year just to locate, retrieve and produce required documents and electronically stored information. In a changing legal and regulatory environment impacting discovery, organizations are often unsure how to respond, and are ﬁnding that the cost of compliance and the harsh consequences of noncompliance with applicable laws and regulations around records retention and discovery are growing exponentially.
The vital signs of this issue are not difﬁcult to spot. Following are just some of these indicators:
- Challenges dealing with backup tapes and e-mail
- The absence of a defined records retention policy (leading to "pack rat" retention behavior, where everything is kept)
- Increasing storage and retrieval costs
- Recent or ongoing investigations or litigation
- Adverse experience or outcomes in litigation or investigations
- Lack of defined roles and responsibility around keeping and deleting records
Most importantly, if the company has outdated policies and technology and is experiencing significant cost, time and burden associated with electronic discovery, the moment may have arrived to adopt a more proactive approach to reduce costs and risk.
A future issue of The Bulletin will discuss how companies can design and implement a practical discovery risk management solution in proportion to their risk exposure and routine operations. The objective is to reduce significantly the cost, time and burden associated with records retention and electronic discovery, as well as to ensure compliance with internal policies and applicable legal and regulatory requirements.
Manage IT security and changes to the IT environment
While certainly not a new topic, the management of IT security and of changes to the IT infrastructure or application systems is important to audit committees for two reasons:
- First, the potential risks are significant and warrant attention. The primary security risks involve unnecessary, unauthorized, conflicting or excessive access, which can result in unauthorized transactions and/or a degradation of the integrity of the underlying application data. "Conflicting" access means a single person holding role combinations that let him or her both initiate and approve a transaction (a segregation-of-duties conflict); "excessive" access includes privileged rights, and accounts of departed employees, that have outlived any business need. The integrity of application changes likewise directly affects the accuracy, consistency and completeness of transaction processing, as well as the accurate and timely accumulation, summarization and reporting of transactions; a change that reaches production without an approved, independently reviewed change record undermines every control that depends on that application. For applications supporting processes that are critical to the business and to financial reporting, these risks can be significant.
- Second, opportunities exist to improve the efficiency of the management and control of security, change management and other IT risks, especially for larger global companies. IT risk management is often approached in a fragmented, reactive and bureaucratic manner, with unintended consequences for IT professionals (e.g., lack of adaptability and speed to market) as well as unclear accountability. The costs of IT risk management are increasing for many companies, yet executives often have limited input into investment decisions, including the setting of appropriate risk tolerances. This environment is not sustainable. Audit committees of large organizations should inquire whether management is taking a closer look at how IT risks are managed.
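The two risk areas above (access and change integrity) are the kind of thing an audit committee can ask management to test mechanically rather than by anecdote. The following is an added example, not code from The Bulletin or from Protiviti, of two such control tests run over constructed extracts: a user-role table from a financial application, and a change-ticket register reconciled against a production deployment log. Every role name, segregation-of-duties rule, user, ticket and deployment record is hypothetical and constructed for illustration.

```python
"""Added example (not from The Bulletin): two small control tests of the kind an
internal auditor might run to surface the access and change-management risks
named above. Every role name, conflict rule, user, ticket and deployment record
is constructed for illustration."""
from collections import defaultdict

# Hypothetical segregation-of-duties (SoD) matrix: role pairs no one user may hold.
SOD_CONFLICTS = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
    frozenset({"DEV_DEPLOY_PROD", "CHANGE_APPROVER"}),
}
# Hypothetical roles considered excessive outside designated break-glass accounts.
PRIVILEGED_ROLES = {"SYSADMIN_ALL", "DB_OWNER_FIN"}
BREAK_GLASS_ACCOUNTS = {"svc_breakglass"}

# Constructed user-role extract: (user_id, role, user_is_active_employee)
USER_ROLES = [
    ("u100", "AP_CREATE_VENDOR", True),
    ("u100", "AP_APPROVE_PAYMENT", True),   # conflicting: can create and pay a vendor
    ("u101", "GL_POST_JOURNAL", True),
    ("u102", "GL_APPROVE_JOURNAL", True),
    ("u103", "SYSADMIN_ALL", True),         # excessive: not a break-glass account
    ("u104", "AP_APPROVE_PAYMENT", False),  # unauthorized: terminated user keeps access
]


def review_access(user_roles, sod=SOD_CONFLICTS, privileged=PRIVILEGED_ROLES,
                  break_glass=BREAK_GLASS_ACCOUNTS):
    """Return (user, finding_type, detail) tuples for unauthorized (terminated
    user still provisioned), conflicting (SoD pair held by one user) and
    excessive (privileged role outside a break-glass account) access."""
    roles_by_user = defaultdict(set)
    is_active = {}
    for user, role, active in user_roles:
        roles_by_user[user].add(role)
        is_active[user] = active

    findings = []
    for user in sorted(roles_by_user):
        roles = roles_by_user[user]
        if not is_active[user]:
            findings.append((user, "unauthorized",
                             "terminated user retains roles: " + ", ".join(sorted(roles))))
        for pair in sorted(sod, key=sorted):
            if pair <= roles:  # user holds both halves of a conflicting pair
                findings.append((user, "conflicting", " + ".join(sorted(pair))))
        for role in sorted(roles & privileged):
            if user not in break_glass:
                findings.append((user, "excessive", role))
    return findings


# Constructed change-ticket extract: ticket_id -> (status, approver, requester)
CHANGE_TICKETS = {
    "CHG-1001": ("approved", "mgr_a", "dev_b"),
    "CHG-1002": ("approved", "dev_c", "dev_c"),  # requester approved own change
    "CHG-1003": ("open", None, "dev_d"),         # never approved
}
# Constructed production deployment log: (deploy_id, ticket_ref, deployer)
DEPLOYMENTS = [
    ("dep-1", "CHG-1001", "dev_b"),
    ("dep-2", "CHG-1002", "dev_c"),
    ("dep-3", "CHG-1003", "dev_d"),
    ("dep-4", None, "dev_e"),  # change reached production with no ticket at all
]


def reconcile_changes(deployments, tickets):
    """Trace each production deployment back to an approved change ticket and
    return (deploy_id, finding_type) for those that fail the trace."""
    findings = []
    for deploy_id, ticket_ref, deployer in deployments:
        if ticket_ref is None or ticket_ref not in tickets:
            findings.append((deploy_id, "no_ticket"))
            continue
        status, approver, requester = tickets[ticket_ref]
        if status != "approved":
            findings.append((deploy_id, "unapproved"))
        elif approver in (requester, deployer):
            findings.append((deploy_id, "self_approved"))
    return findings


if __name__ == "__main__":
    for finding in review_access(USER_ROLES) + reconcile_changes(DEPLOYMENTS, CHANGE_TICKETS):
        print(finding)
```

Two points a practitioner would watch for: the SoD matrix has to be owned by the business, not by IT, or it silently drifts out of step with how transactions are actually approved; and the deployment log must come from the production system itself (or a deployment tool with its own audit trail), because a reconciliation against a log that developers can edit proves nothing.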
Monitor and understand key changes in regulations and their impact
Audit committees of companies in regulated industries should monitor and understand key changes in regulations and how they impact the business. Industry issues continue to emerge. For example, a number of trade-related laws and regulations in the United States and in other countries affect manufacturing, distribution and technology companies. Growing interest in the "green movement" affects energy companies and even the financial services industry (e.g., carbon trading). In the United States, the subprime debacle could drive enhancements to the fair lending and other consumer protection laws and regulations. There is also the possible extension of the Markets in Financial Instruments Directive (MiFID) to energy companies in the European Union. These are just a few examples.
If unaddressed, the agenda items raised in Issue 7 remain relevant (past issues of The Bulletin are available at www.protiviti.com). Following is updated commentary:
- Drive sustainability, cost-effectiveness and value-add of Sarbanes-Oxley compliance – Several of the lessons learned that we shared in Issue 7 still apply:
- Deploy a top-down approach to focus on what's important – Even though management fraud most often has been perpetrated at the company level and in the period-end financial reporting process, most of the Section 404 compliance work is still targeted at detailed process-level controls. This incongruity needs to be addressed, and further improvement opportunities remain.
- Optimize IT controls to increase the cost-effectiveness of the controls portfolio – Extensive reliance on manual controls in sophisticated financial reporting processes continues in many companies. Management must assess the controls portfolio to balance the mix of automated and manual controls and increase controls cost-effectiveness.
- Apply continuous process-level testing techniques to improve reliability of results – For data-intensive, high-volume transaction processes, management should deploy automated monitoring tools and data analytics to evaluate processing results on a more comprehensive and reliable basis than sample-driven manual testing. Use of these tools can eliminate the need for performing labor-intensive manual tests of controls.
- Improve operational effectiveness and efficiency of upstream financial reporting processes – Many companies have expressed, and continue to express, the view that Section 404 compliance costs need to be reduced by making the compliance process more cost-effective. Companies must shift the focus of the internal dialogue from "pass-fail and managing external audit costs" to "process capability and managing total compliance costs."
Often, the person asked to make the decision whether to improve and streamline the compliance process is the Sarbanes-Oxley compliance lead. That person has neither the authority to improve the quality, time and cost performance of the upstream business processes and internal controls nor the incentive to act if the company is achieving a “passing grade” from its auditor.
- Take a fresh look at the anti-fraud program – The audit committee should inquire as to where management stands with respect to documenting and evaluating the company’s anti-fraud program. Audit committees also should insist on an effective fraud risk assessment.
- Learn from enterprise risk assessments – An important contribution of risk management is to help executives and directors make better choices during the strategy-setting process. To achieve and sustain high confidence that all potentially significant risks are identified and managed in today's rapidly changing environment, boards and management need an effective enterprise risk assessment (ERA) process. The audit committee should encourage management to implement such a process.
- Monitor internal audit rebalancing – In recent years, the audit plan in many organizations was redirected to support the Sarbanes-Oxley compliance effort. Many internal audit departments may have gone too far in this regard, diverting attention and resources away from other essential risk areas. This condition suggests a need for rebalancing, an opportunity recognized by many chief audit executives. In the effort to rebalance, many functions will consider adding resources to their audit plans, increasing their budgets and utilizing specialized skill sets from outside service providers. Audit committees should weigh in on the rebalancing question to ensure that appropriate emphasis is given to the right priorities along with a sharper focus on risk-based auditing.
- Inquire as to internal audit quality assurance reviews – Under The Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing, internal auditors are required to evaluate formally how they operate within their organization and to report the results of the evaluation to the board and/or audit committee. The purpose is to improve the value and effectiveness of the internal audit activity. The IIA standards also require a periodic external review that considers the expectations of various stakeholders, including the audit committee. Therefore, the audit committee should inquire as to the status of, approach to and results from such reviews.
- Insist on a cost-effective and transparent attestation process – Integration of the two audits of internal control over financial reporting (ICFR) and the financial statements remains a priority. The audit committee should inquire of the external auditor as to the status of and plan for completing this integration and the specific impact it will have on the audit process and costs. The committee also should request relevant information from the external auditor, such as an identification of high-risk areas, an analysis of reserve levels, judgmental issues, the summary of passed adjustments, concerns with respect to the internal control structure and areas of disagreement with management.
- If the audit committee has not done so, it should set the ground rules with the auditor for defining and reporting a "disagreement."
- Evaluate the organization's financial reporting risk profile – The audit committee should obtain an understanding of the company's financial reporting risk profile and the risks arising from historical application of accounting principles and standards, as well as the degree to which accounting estimates are sensitive to management decisions and changes in operations. The ultimate objective is to improve the overall quality of financial reporting and establish the appropriate oversight and control to efficiently and effectively evaluate and manage financial reporting risk over time. A robust financial reporting risk profile creates awareness of the drivers of earnings variability, provides a sensitivity assessment of financial estimates and the underlying data, identifies financial reporting exposures and regulatory trends within the industry, proactively evaluates the reliability of estimation processes and ensures consistency in the application of accounting standards.
- Clear up remaining significant deficiencies – If there are unremediated significant deficiencies, the audit committee should inquire as to management's plan to fix them. If there isn't a plan, the committee should understand why.
The next 12 months promise to be another active period for audit committees. The agenda items we have listed herein are significant matters warranting audit committee attention. We believe that the committee can play an important oversight role in addressing these items.
Key Questions to Ask
Key questions for board members:
- Has the audit committee made sufficient progress in dealing with the agenda items referred to in this issue as "unfinished business"? If not, should the items be placed on the committee's 2008 agenda?
- With respect to the new agenda items introduced in this issue of The Bulletin:
- Does the committee understand management's plan to prepare for emphasis on ERM quality in the credit ratings process (especially for nonfinancial companies) and for dealing with changes in the financial reporting model?
- Has the committee requested and reviewed management’s assessments of the perceived benefits and costs of IFRS convergence to the company, as well as the potential impacts on people, processes and technology?
- Is there an effective process for reliable reporting around large risk exposures? How do you know?
- Does the committee understand the issues around electronic discovery and how management is addressing them?
- Does the committee periodically focus on the management of IT security and changes to the IT environment (e.g., infrastructure and applications)?
- Does management have a process for monitoring and understanding key changes in regulations and how they impact the business (especially for companies in regulated industries)?
Key questions for management:
- Do you have the appropriate level of management focused on the opportunities to improve the sustainability, cost-effectiveness and value-add of your Sarbanes-Oxley compliance? For example, are you deploying a top-down approach to focus on what’s important, as well as improving operational effectiveness and efficiency of upstream business processes affecting financial reporting?
- Have you considered how ERM quality can impact the ratings process for your company? Would an assessment of the current state of the company’s existing ERM process and infrastructure and a gap analysis facilitate identification of appropriate action steps to be taken over the next 12 months?
- Have you developed a point of view around the perceived benefits and costs of implementing IFRS, if given the choice to adopt it? Have you discussed it with the audit committee? Have you evaluated the impact of a change to IFRS on people, processes and technology, and the program that needs to be put in place to manage and control the change process?
- Does the organizational structure you have in place support the risk management reporting process? Is it effective in creating transparency around large risk exposures?
- Do any of the vital signs regarding discovery risk (as noted in this issue) exist within the company? If so, should management evaluate practical responses in proportion to the risk to reduce significantly the cost and burden associated with records retention and electronic discovery, as well as to ensure compliance with internal and external requirements?
Bulletin (Volume 3, Issue 1)