Audit committees continue to face challenges on multiple fronts. With new accounting standards on the horizon, accounting firms under pressure from the Public Company Accounting Oversight Board (PCAOB) to improve performance and companies facing an ever-changing business environment, serving on an audit committee can be an adventure, indeed. Based on interactions with client audit committees, roundtables we have conducted in 2016 and discussions with directors at conferences and in other forums, including surveys we have conducted, this article suggests agenda items for audit committees to consider in 2017 related to enterprise, process and technology issues. Next month, we will suggest agenda considerations around financial reporting issues.
Understand the Business, Technology and Other Risks that Could Affect Financial/Public Reporting
The listing standards of the New York Stock Exchange (NYSE) require audit committees to discuss risk assessment and risk management policies and practices. Other listing standards do not include this requirement. Therefore, the extent to which audit committees are involved in the board risk oversight process varies across organizations. In some entities, the board delegates its risk oversight responsibilities to the audit committee. In others, the audit committee takes on only risk oversight responsibilities that mirror the risks inherent in the committee’s chartered activities – e.g., financial reporting, fraud, reputation and certain compliance, technology and other risks.
Regardless of the risk oversight scope,[1] audit committees need to be aware of the enterprise’s business, technology and other risks that could affect financial and public reporting, as the business environment is constantly changing. New technologies (think “digital revolution”), global competition, volatile markets, mergers and acquisitions, regulatory developments and the threat of emerging and disruptive risks are altering risk profiles and adding uncertainty about how to confidently face the future. Because risks are creating pressure on business models and can affect financial reporting, audit committee members need to have an understanding of the company’s risks and their potential to create significant unusual transactions or events; put pressure on established internal controls; impact accounting estimates, asset valuations, contingent liabilities and risk disclosures; and drive changes in the scope of the external audit process.
For example, over the last year, we have seen how reduced oil prices spawned audit issues affecting not only oil and gas companies, but also financial services institutions with loans to oil and gas operators, as well as companies that directly or indirectly are part of the industry’s supply chain or which trade in hedges of those commodities with the supply chain. Relevant financial reporting issues include impairment and valuation issues and going-concern questions, as well as collectability of loans and receivables and valuation of hedge positions.
In addition, digitization investments and the exponential increases in computer power they spawn are driving acceleration of cloud computing adoption, mobile device usage and innovative IT transformation projects. We’re seeing a plethora of advances in intelligent machines and virtual reality systems, as well as apps for streamlining core business processes and improving productivity. These developments have created the Internet of Things (IoT) and its smart cities, factories, buildings, logistics, vehicles and grids. They are disrupting established business models by improving customer experiences, engaging targeted communities, creating convenience and expanding markets. As they do so, they add increased and diverse security and privacy risks. These risks and the incidents they cause, in turn, drive increased costs of remediation (e.g., providing notice of breach and credit-monitoring services) and the need for advanced security and access controls. Furthermore, they can affect disclosures in filings with the U.S. Securities and Exchange Commission (SEC) due to potential exposure to revenues, litigation and reputation.
Ideally, the audit committee should take a look at the company’s risk profile at least annually to provide a business context for discharging its specific responsibilities. A summary of the most important risks – the critical enterprise risks – highlights the risks about which audit committees should be most concerned. To illustrate, at right, we include the Top 10 Risks for 2017 based on a recent survey.[2] This summary shows whether each risk is increasing or decreasing.
The company’s risk assessment process should consider changes in existing risks, the emergence of new risks, the adequacy of the organization’s capabilities for managing the risks and the implications of the critical risks to public reporting and disclosure requirements. Emerging risks need to be incorporated in the organization’s risk assessment process in a timely manner, particularly when significant changes occur in the business environment.
Risk assessments should involve the appropriate stakeholders. Surveys we have done over the past five years indicate, without exception, that different senior executives and operating unit and functional leaders often have different perspectives and viewpoints regarding risk. The aggregated assessments of stakeholders across the C-suite and vertically into the organization may be presented in the form of risk maps, heat maps and risk rankings based on subjective assessments of such risk criteria as severity of impact of potential future events and their likelihood of occurrence. These assessments provide an overall picture of the enterprise’s most significant risks.
Watch the Warning Signs Related to the Tone of the Organization
As noted above, the involvement of audit committees with overseeing risk management varies from company to company. But regardless of the board risk oversight delegations, one common element across all audit committees that applies to risk management and internal control is the importance of ensuring a strong risk culture. In this, the audit committee should play a significant role at every company.
Audit committees should watch for the warning signs of dysfunctional behavior from a risk management and internal control standpoint. Following are eight examples of these signs:
- Failure to heed established risk limits.
- Fear of repercussions from raising contrarian viewpoints (e.g., a shoot-the-messenger environment).
- Undue organizational complexity, leading to a lack of transparency as to the underlying economics of significant transactions and how an operating unit makes money.
- Conflicts of interest that can compromise established internal controls.
- Operating units, functions and processes not assuming responsibility for the risks their activities create.
- Lack of alignment between the tone in the middle of the organization for managing these risks and the tone at the top.
- Executive management that does not act on risk information on a timely basis when significant matters are escalated.
- A board that is not engaged in a timely manner when necessary.
A pattern of these and other signs can be an indicator of a dysfunctional or flawed risk culture, signaling the possibility of trouble ahead. One regulator has described a weak risk culture as “a root cause of the global financial crisis, headline risk and compliance events.”[3] It should be an issue of importance to audit committees in any industry, because it may mean there could be serious unknown deficiencies in the control environment over external financial reporting.
Consider Whether the Finance Organization Is Contributing the Value Expected
Traditionally, finance assists the company with maximizing shareholder value over the long term and the short term through effective asset allocation, liquidity management and analysis of opportunities. Finance should not be so tied up with the day-to-day transaction processing activities of the business and the month-to-month financial close process that it cannot devote sufficient time to such value-added activities as generating insightful analysis and reports, maintaining margins, forecasting cash flow and managing working capital and other contributions to the operating units, executive management and the board. To help strengthen overall business performance and strategic planning, and to drive value from the organization’s financial data, finance functions desire to develop better, more accurate and timelier data collection, data analysis, reporting, budgeting and forecasting capabilities to enable profitability analyses tied to customers, products, operating units and geographies.
Finance’s specific priorities may vary according to the organization’s industry, structure, culture, business performance issues and internal and public reporting requirements. Audit committees should ensure that finance is appropriately resourced to deliver to the organization’s specific expectations.
Assist the Internal Audit Function in Maximizing Its Potential
Chief audit executives (CAEs) and internal audit functions continue to face increasingly demanding expectations. A study released last year offers insights as to audit committee expectations for internal audit, providing a catalyst for taking stock of committee members’ interactions with and use of the internal audit function. These expectations offer opportunities to improve internal audit’s value proposition.[4]
Three broad themes emerged from the study. Audit committees should:[5]
- Enable internal auditors to think more broadly and strategically as they plan for, execute and report on their work.
- Encourage internal audit to move beyond assurance to enhance its value proposition.
- Take steps to ensure that CAEs and the internal audit function are effectively positioned to deliver to expectations.
The study offers six imperatives supporting these three themes:[6]
- Elevate the CAE’s stature.
- Assist the CAE with aligning stakeholder expectations.
- Encourage thinking beyond the scope of audit plans and projects.
- Direct internal audit to perform more consulting.
- Challenge the CAE to think strategically.
- Expect high-quality, effective communications.
With the pace of change, internal auditors must be more anticipatory, change-oriented and highly adaptive, particularly with respect to such matters as cybersecurity, mobile applications, cloud computing, IT standards, the Internet of Things and other aspects of the digital revolution. In addition, to meet expanded expectations, internal audit must move forward with data analysis and technology-enabled auditing capabilities.[7]
Audit committees need to ensure that internal audit receives the support it needs to succeed in executing its risk-based audit plans and in meeting expectations for keeping pace with change.
Summary
This article summarizes four topics warranting consideration by audit committees for inclusion on their coming year’s agenda. To keep this discussion focused and generic, we do not consider here either audit committee best practices covered comprehensively in the public domain or issues for audit committees responsible for the board risk oversight process. Next month, we will discuss six financial reporting issues for audit committee members’ consideration.
[1] In a 2010 Protiviti study of board risk oversight (Board Risk Oversight: A Progress Report – Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities, Protiviti, commissioned by the Committee of Sponsoring Organizations, 2010, available at www.protiviti.com/UK-en/insights/board-risk-oversight-progress-report), we noted that nearly six of 10 public company audit committees have a more expansive role in the board’s overall risk oversight process, as opposed to being limited to the risks germane to the committee’s normal ongoing activities. Looking back, this disparity in practice is not a surprise, as there are significant demands on audit committees in dealing with myriad public and financial reporting requirements. Since this study, we’ve seen audit committees shed their expansive role in the overall risk oversight process to more fully embrace their traditional responsibilities. Accordingly, we would expect that the percentage of public company audit committees with a more expansive role in the board’s overall risk oversight process has declined in recent years. But there remains a disparity in practice.
[2] This list is based on the results of the annual survey of 2017 risks of senior executives and directors conducted by North Carolina ERM Initiative and Protiviti, available at www.protiviti.com/toprisks.
[3] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, Financial Stability Board, April 2014: www.fsb.org/wp-content/uploads/140407.pdf.
[4] Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference, Jim DeLoach and Charlotta Lostrand Hjelm, based on the Common Body of Knowledge (CBOK) 2015 Stakeholder Study conducted by The Institute of Internal Auditors and Protiviti, available at theiia.mkt5790.com/CBOK_2015_Six_Audit_Committee/?sessionGUID=4d93b6c1-c3b8-2adb-a55c-9dae8b8073c4&webSyncID=a503e647-a39a-1579-8502-034ac6e26c8d&sessionGUID=4d93b6c1-c3b8-2adb-a55c-9dae8b8073c4.
[5] Ibid.
[6] Ibid.
[7] Arriving at Internal Audit’s Tipping Point Amid Business Transformation: Assessing the Results of the 2016 Internal Audit Capabilities and Needs Survey – and a Look at Key Trends over the Past Decade, Protiviti, 2016, available at www.protiviti.com/IAsurvey.