Audit Committees: 2015 Mid-Year Issues Update

Rick E. Hansen is Assistant Corporate Secretary and Managing Counsel, Corporate Governance, at Chevron Corporation.

Board audit committee agendas continue to evolve as companies are faced with a rapidly-changing global business landscape, the proliferation of standards and regulations, increased stakeholder scrutiny, and a heightened enforcement environment. In this post, I summarize current issues of interest for audit committees.

The Audit Committee And Oversight

During her remarks at the Stanford Directors’ College in June 2014, SEC Chair Mary Jo White observed that “audit committees, in particular, have an extraordinarily important role in creating a culture of compliance through their oversight of financial reporting.” [1] Since then, various Commissioners of the SEC and its Staff have reinforced this message by reminding companies of the audit committee’s duties under federal securities laws to:

  • oversee the quality and integrity of the company’s financial reporting process, including the company’s relationship with the outside auditor;
  • oversee the company’s confidential and anonymous whistleblower complaint policies and procedures relating to accounting and auditing matters; and
  • report annually to stockholders on the performance of these duties.

Working with the Independent Auditor

Audit committees select a company’s independent auditor. This selection is coupled with a committee’s ongoing oversight of the auditor’s provision of audit and non-audit services.

The Public Company Accounting Oversight Board (PCAOB) continues to engage with audit committees as part of its oversight of auditing firms. The PCAOB’s goal is to equip committees with relevant and timely information about recent inspection findings, audit trends and risks, and other important audit quality topics.

Audit Quality Indicator (AQI) Project. The PCAOB’s AQI Project is intended to establish a portfolio of quantitative measures of audit quality that audit committees can use to evaluate auditors. The concept release that will include a list of potential quality indicators is expected to be issued later this year. In addition, the Center for Audit Quality issued a paper (available at http://www.thecaq.org) on audit quality indicators that is being field tested by audit firms and select audit committees. A key objective of both projects is to give audit committees valuable information about matters that contribute to an audit firm’s delivery of a high quality audit. Committees can incorporate these AQI’s as part of an annual evaluation and selection of the independent auditor.

Audit Committee Dialogue (ACD) Project. In the first of what is promised to be a series of communications directed to audit committees, the PCAOB issued an ACD (available at http://www.pcaobus.org) to highlight key recurring areas of concern in PCAOB inspections, as well as emerging risks to audits. The first edition of ACD highlighted PCAOB concerns regarding:

  • auditing internal control over financial reporting;
  • assessing and responding to risks of material misstatements;
  • auditing estimates, including fair value measurements, and disclosures; and
  • referred work in cross-border audits.

The PCAOB also reported that it has found a high rate of deficiencies in audits of internal controls, specifically that some auditors are not performing sufficient procedures to test the effectiveness of such controls. Even in cases where auditors have found deficiencies in controls, the PCAOB found that some auditors did not sufficiently evaluate whether the identified deficiencies constituted a material weakness.

The ACD also covered new risks the PCAOB is monitoring, including:

  • the increase in mergers and acquisitions;
  • falling oil prices; and
  • undistributed foreign earnings.

For all the topics covered in the first ACD, the PCAOB has included questions that it encourages audit committees to ask their auditor. Committees can use the ACDs as a resource for discussing critical matters with the independent auditor.

Auditor Tax Planning Advice. The PCAOB is reviewing tax services that auditors perform for their audit clients. This review was prompted, in part, by an April 2014 inquiry from Senator Carl Levin, asking the PCAOB to consider whether its rules ought to be strengthened to prohibit an auditor from auditing a company’s tax obligations when those obligations rely on a tax strategy developed by the audit firm.

The PCAOB’s rules currently provide that an auditor is not independent of a public company audit client if the auditor provides any services to the client related to marketing, planning, or opining in favor of a tax transaction that is either “confidential” or “aggressive.” “Aggressive,” tax transactions are defined in PCAOB Rule 3522 to mean transactions that were recommended by the auditor and “a significant purpose of which is tax avoidance, unless the proposed tax treatment is at least more likely than not to be allowable under applicable tax laws.”

The PCAOB’s review is at a very early stage. However, audit committees whose engagement is inspected in 2015 or beyond can anticipate that the PCAOB may question their auditor concerning advice the firm has provided regarding tax strategy. Committees should periodically discuss with their independent auditor tax related services.

Non-Audit Services, “Scope Creep,” and Auditor Independence. During remarks at the December 2014 AICPA National Conference, Brian Croteau, Deputy Chief Accountant at the SEC, reminded audit committees and management of the importance of having appropriate policies in place to evaluate the non-audit services provided by the company’s auditor. [2] Croteau cited the need to monitor “the provision of non-audit services for the risk of ‘scope creep’ that could result in a service becoming impermissible and impairing the auditor’s independence.” To illustrate, he described a situation where “a large accounting firm resigned from an issuer audit engagement because a purportedly permissible non-audit service was found to have deviated from its intended scope causing the auditor to impair its independence for the current period.” The negative consequences of gradual “scope creep,” can be severe, including an unplanned change in auditors and potential re-audits.

Even in situations where an outside auditor renders a permissible non-audit service for its audit client, neither the nature of a particular service or the manner in which it is provided can be at odds with certain basic principles contained in the auditor independence rules. Specifically, a relationship or a service provided by the auditor must not:

  • create a mutual or conflicting interest with the audit client;
  • place the auditor in the position of auditing its own work;
  • result in the auditor acting as management or an employee of the audit client; or
  • place the audit firm in the position of being an advocate for the audit client.

Committees should routinely receive updates on and annually approve the independent auditor’s provision of non-audit services and can use these discussions as an opportunity to discuss any potential “scope creep” that may affect the auditor’s independence.

Internal Audit: General Trends

Audit committee’s should oversee the scope and plan of work to be done by the company’s internal auditing department.

PricewaterhouseCoopers recently released the results of its annual survey, State of the Internal Audit Profession (available at http://www.pwc.com). This year’s report surveyed more than 1,300 internal audit managers, members of senior management, and board members, and focused on four issues:

  • how internal audit functions must evolve to meet the needs of ever changing and often transforming businesses;
  • how internal audit skills and capabilities must advance in order to contribute value;
  • the growing importance of data analytics and strategies for advancing their use; and
  • collaboration of internal audit with other lines of defense to strengthen overall risk management.

PwC’s survey identified four key areas seen by respondents as top enablers for internal audit to add more value:

  • focusing on the right risks at the optimal time in the process;
  • finding and keeping the talent and business acumen to be relevant and offer valuable insight;
  • collaborating with enterprise risk management functions and business partners; and
  • using data analytics to provide insights into the business.

Committees should routinely receive reports from and meet separately with the manager of internal audit and can use these opportunities to discuss any areas of concern and top enablers noted in PwC’s annual survey.

Reporting And Disclosure

The audit committee has primary responsibility for overseeing management’s preparation of the company’s financial statements, periodic reports and related disclosures. This includes oversight of how the company addresses and manages the implementation of new accounting standards and regulations.

International Financial Reporting Standards (IFRS) and Generally Accepted Accounting Principles (GAAP) Convergence. James Schnurr, Chief Accountant at the SEC, recently indicated that SEC is likely to abandon its decade-long effort to fully converge IFRS and GAAP. [3] Schnurr has stated that, following his current project review, he is unlikely to recommend to the Commission that it mandate use of IFRS or, as had been alternatively proposed, that the SEC give U.S. companies a choice between GAAP and IFRS when preparing their financial statements.

Revenue Recognition. In 2014, the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) jointly issued a new revenue recognition standard. The new standard provides that an entity should recognize revenue to align with the transfer of promised goods or services to customers in an amount that reflects the consideration the entity expects to be entitled to receive in exchange for those goods or services, and it provides a five-step model for recognition of revenue, guidance on the accounting for certain costs of obtaining or fulfilling contracts with customers, and specific disclosure requirements. Transition guidance permits either retrospective application or presentation of the cumulative effect at the adoption date.

Company management should be periodically briefing the audit committee on the new revenue recognition standards and management’s implementation plans. The committee can continue to oversee management’s activities by periodically reviewing implementation plans and the expected impact of the new standards. Ernst & Young’s Center for Board matters suggests that key questions a committee should ask management include:

  • What is management’s expected method of adoption of the new standards?
  • How is management interpreting the new revenue recognition standard and its application to its customer contracts?
  • Will the timing of revenue recognition be impacted and will it be more volatile?
  • How are the company’s internal controls affected by the new standard, and what changes will need to be made to company policies and practices?
  • Will the new standards impact the company’s business model? [4]

As a related matter, the SEC’s Enforcement Division has shown a renewed interest in financial reporting enforcement, particularly for matters involving revenue recognition practices that result in material revenue misstatements. In Fall 2014, the PCAOB issued a Staff Practice Alert on Auditing Revenue (available at http://www.pcaobus.org) and highlighted the fraud risks associated with revenue recognition. The committee can exercise oversight in this area by asking the auditor what it views as the principal risks of financial reporting fraud as it related to revenue recognition, and how it has addressed those risks in its audit.

Internal Controls. Regulators are devoting significant attention to issues related to internal control over financial reporting. Over the past few years, a sizable percentage of the PCAOB’s auditor inspection reports’ findings have pertained to internal controls. In reviewing issuers’ filings, SEC staff members continue to focus on whether issuers are properly identifying and disclosing material weaknesses in internal control over financial reporting, particularly with respect to immaterial restatements. In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its internal control framework. The audit committee can oversee management’s and the independent auditor’s activities in this area by staying abreast of general regulatory concerns and their applicability, if any, to the company’s internal controls.

Center for Audit Quality (CAQ) Transparency Barometer. Expanded audit committee reporting in the proxy statement, i.e., reporting—voluntarily or otherwise—beyond the SEC’s current requirements, has received increased attention lately.

In late 2014, the CAQ released the Audit Committee Transparency Barometer (available at http://www.thecaq.org), which presents the results of their analysis of 2014 audit committee disclosures in proxy statements. The report is “focused on measuring the content of proxy statement disclosures in certain key areas, including auditor oversight and audit committee scope of duties.” The report analyzes proxy statement disclosures made by S&P 500 companies and found, among other things, that:

  • 83 percent of companies discussed how non-audit services may impact auditor independence;
  • 47 percent of companies disclosed the length of time their auditor has been engaged;
  • 13 percent of companies discussed factors the audit committee considered in appointing the auditor; and
  • 13 percent of companies discussed audit fees and their connection to audit quality.

The CAQ has also issued its own Enhancing the Audit Committee Report: a Call to Action (available at http://www.thecaq.org), which includes examples of emerging, voluntary practices of strengthened audit committee disclosures.

Most recently, SEC Chair White has directed the SEC’s Office of the Chief Accountant to reexamine the audit committee reporting requirements with a view to determining whether these requirements—which have not been updated since 1999—should be improved.

Auditor’s Report. In early 2015, the International Auditing and Assurance Standards Board (IAASB) released revised standards on the content of the auditor’s report to be included in a company’s annual report. While the IAASB’s standards—which govern most audits performed outside the United States—do not affect audits of financial statements included in SEC filings, the PCAOB has had a similar initiative underway since late 2013. The PCAOB has proposed changes to the content of the auditor’s report, including a requirement that the lead audit partner be named in the report and that the report discuss “critical audit matters,” i.e., those matters addressed during the audit that, in the auditor’s judgment, involved the most difficult, subjective, or complex judgments or posed the most difficulty in obtaining sufficient appropriate audit evidence or in forming an opinion on the financial statements. The PCAOB has indicated that it will revise and republish its proposals later this year.

Sustainability Accounting Standards Board (SASB) and “ESG” Reporting. The SASB is a U.S.-based non-profit organization attempting to establish industry-specific standards for the recognition and disclosure of material environmental, social and governance (ESG) impacts by U.S. public companies. The SASB is not a governmental body, and its standards have no legal effect; however, as the SASB states in its Conceptual Framework, “SASB standards are designed for disclosure in mandatory filings to the [SEC], such as the Form 10-K and 20-F.” [5]

For the purpose of the SASB’s standards, “sustainability” encompasses more than the environmental and resource usage impacts of a company’s activities. Sustainability refers broadly to the “environmental, social and governance dimensions of a company’s operation and performance” and “includes both the management of a corporation’s environmental and social impacts, as well as the management of environmental and social capitals necessary to create long-term value.

The SASB’s sustainability disclosure topics are organized under five headings—environment, social capital, human capital, business model and innovation, and leadership and governance. The SASB has divided public companies into 88 industries into 10 industry sectors. It develops standards by establishing working groups for each industry, including companies in that industry, investors, analysts, auditors, and consultants. To date, the SASB has released standards for roughly 25 industries in four sectors—technology and communications, financials, healthcare, and non-renewable resources (i.e., oil and gas).

Even if the standards are not or do not become “legal” requirements, widespread voluntary acceptance or use within the marketplace could render the SASB standards as functionally obligatory for many companies, particularly with regard to MD&A disclosures. Committees should periodically discuss with management the SASB’s activities, the evolving market treatment of its standards, and the SEC’s position on the SASB’s work.

New Auditing Standards

The scope of an audit committee’s oversight responsibilities has been effectively expanded by the recent adoption of additional standards imposed upon auditors by the PCAOB.

Auditing Standard No. 18 and Related Amendments. In June 2014, the PCAOB adopted a new auditing standard, AS 18, Related Parties, and amendments to other auditing standards, to require auditors to heighten their attention to related party transactions, significant unusual transactions, and financial relationships and transactions with executive officers, including executive compensation arrangements.

  • Related-Party Transactions. AS 18 requires the auditor to perform specific procedures to understand related party relationships and transactions, including the nature, terms and business purposes of the transactions, whether the company has properly identified its related parties and company relationships and transactions with them, and communicate to the audit committee the auditor’s evaluation of the transactions. These procedures include reviewing the committee’s understanding of and concerns regarding such matters. For this purpose, the definition of “related party transaction” is expansive and includes significant intercompany related party transactions, in addition to transactions with directors, officers, and external affiliates already disclosable in the proxy statement under SEC rules.
  • Significant Unusual Transactions. Amendments to AU Section 316, Consideration of Fraud in Financial Statement Audits, require the auditor to identify significant unusual transactions and understand and evaluate the business purpose of such transaction. These procedures include reading the underlying documentation relating to the transaction and evaluating whether the terms and other information about the transaction are consistent with explanations of management about the business purpose of the transactions. In addition, the auditor is required to determine whether the transaction has been properly authorized and approved in accordance with the company’s established policies and procedures, and, among other things, communicate to the audit committee, the auditor’s understanding of the business purpose of such transactions. For this purpose, a “significant unusual transaction” is a transaction that is outside the normal course of business for the company or that appear to be unusual due to their timing, size, or nature. These transactions would likely reach company transactions with off-balance-sheet and joint venture affiliates.
  • Executive Officer Relationships and Transactions. Amendments to AS No. 12, Identifying and Assessing Risks of Material Misstatement, require that the auditor follow procedures designed to help uncover incentives or pressures for a company to achieve a particular financial position or operating result by virtue of executive officer compensation and incentives. Specifically, the auditor must perform procedures to understand the company’s financial relationships and transactions with its executive officers, given the influence these officers have on the company’s financial results. In practical terms, it is likely that the auditor will now need to make inquiry of the board’s compensation committee and the audit committee as to the structure, incentives, and risks associated with executive compensation.

Given the scope of AS 18 and the related amendments described above and their effects on the work of the independent auditor and management, it is appropriate for audit committees to request a briefing by the auditor and management as to implementation of the new standards.

Financial Activism

In recent years, the frequency and intensity of financial activism initiatives has increased. According to audit firm PwC, an average of 25 new activist hedge funds have launched each year for the past 10 years, and their assets under management have grown to more than $110 billion. [6] Nearly one in five S&P 500 companies were targets of some form of financial activism in 2014. [7]

Although financial activism may return immediate wealth to some stockholders, evidence is mounting that this may be at the expense of the longer term corporate interests. A July 2014 paper by Yuan Allaire and Francois Dauphin, “Activist” Hedge Funds: Creators of Lasting Wealth? (available at http://www.igopp.org), concludes that “the most generous conclusion one may reach” is that activist funds “create some short-term wealth for some shareholders.” Allaire’s and Dauphin’s research further finds that hedge funds tend to be focused on the short term, with half of interventions not lasting more than nine months. Moreover, financial activism has been associated with increased debt and cuts in capital spending, long-term corporate health, innovation, and job creation.

Some companies have found it useful to conduct a vulnerability assessment to proactively identify and address typical indicators of financial activist interest (e.g., undervalued assets, potential spinoffs, poor market or financial performance against peers, suboptimal capital structure, turnover in leadership, corporate governance failures, and perceived lack of transparency) and develop a plan, or “playbook,” for responding to activist activity.

The current level of activism is not expected to dissipate any time soon. An audit committee can assist the board in this area by discussing with management company vulnerabilities that relate to performance, strategy, operations, and governance as viewed by activists. Specifically, the board, the committee, and management can:

  • monitor investor activist activity and trends;
  • identify areas in which the company may be subject to activism;
  • consider the company’s defense profile and develop a response plan;
  • identify the team of advisors that the board would retain in an activist situation; and
  • invest in building relationships with the company’s large long-term shareholders.

Cybersecurity

Rapid changes in technology and the attendant risks highlighted by recent incidents (e.g., Sony, Target, etc.) demonstrate the increasing importance of understanding cybersecurity as a substantive, enterprise-wide business risk. The risks associated with intrusions can be severe and pose systemic economic and business consequences that can significantly affect stockholder value. The Commerce Department’s National Institute of Standards and Technology (NIST) cyber security framework is a risk-based compilation of guidelines designed to help companies assess the current capabilities and draft a roadmap toward improved cyber security practices.

An audit committee can continue to assist the board in overseeing management’s activities by periodically reviewing implementation and refreshing of a comprehensive cybersecurity plan. Mary Galligan at Deloitte & Touche LLP suggests that there are three foundational lines of questioning that an audit committee and board may wish to keep in mind in overseeing a company’s cybersecurity efforts:

  • Secure: are controls in place to guard against known and emerging threats?
  • Vigilant: can we detect malicious or unauthorized activities?
  • Resilient: can we act and recover quickly to minimize the impact of an incident? [8]

Whistleblowing

In a recent speech, SEC Chair White reflected on the success of the SEC’s whistleblower program. [9] The number of tips the SEC receives has increased to almost 10 per day, with most tips relating to corporate disclosures and financial statements, offering fraud, and market manipulation. Chair White also focused on the SEC’s concerns about employment and other agreements that could stifle whistleblower reporting. Her comments related to the April 2015 announcement by the SEC’s Division of Enforcement of its first enforcement action against a company—KBR, Inc.—for using language in a confidentiality agreement that the SEC concluded had the potential to discourage use of the whistleblower process established under Dodd-Frank. During her speech, Chair White emphasized the importance of strong internal compliance programs and encouraged boards and senior management to promote these priorities.

An audit committee should routinely receive reports from and meets with their company’s compliance officers and can use these opportunities to discuss the scope and quality of the company’s whistleblower protections and compliance program.

Conclusion

Changes in the business, regulatory, and risk landscape require audit committees to be nimble and set a strong tone at the top. An audit committee’s ability to do so may depend upon, among other things:

  • Controlling its Agenda: critically evaluating meeting agendas to ensure a focus on key matters and risks.
  • Building Relationships: interacting robustly and openly with management and the internal and external auditors.
  • Understanding the Business: knowing the organization and its strategies, markets, competitors, and risks.
  • Getting the Right Information: identifying what information the committee needs and asking the right questions to make informed decisions
  • Assessing Performance: completing an annual performance evaluation to drive continuous improvement and focus. [10]

Endnotes:

[1] Mary Jo White, A Few Things Directors Should Know About the SEC (Stanford University Rock Center for Corporate Governance, Twentieth Annual Stanford Directors’ College, June 23, 2014) (available at http://www.sec.gov/News/Speech/Detail/Speech/1370542148863, discussed on the Forum here).
(go back)

[2] Brian T. Croteau, Remarks Before the 2014 AICPA National Conference on Current SEC and PCAOB Developments (2014 AICPA National Conference, December 8, 2014) (http://www.sec.gov/News/Speech/Detail/Speech/1370543616539).
(go back)

[3] David M. Katz, SEC’s Chief Accountant Signals End to Convergence Efforts (CFO.com, May 8, 2015) (available at http://ww2.cfo.com/gaap-ifrs/2015/05/secs-chief-accountant-signals-end-convergence-efforts/).
(go back)

[4] EY Center for Board Matters, 2014 Year-End Issues for Audit Committees to Consider (December 2014) (available at http://www.ey.com/GL/en/Issues/Governance-and-reporting/EY-2014-year-end-issues-for-audit-committees).
(go back)

[5] Sustainability Accounting Standards Board, Conceptual Framework of the Sustainability Accounting Standards Board (October 2013) (available at http://www.sasb.org/approach/conceptual-framework/).
(go back)

[6] PricewaterhouseCoopers, Key Considerations for Board and Audit Committee Members, 2014-2015 Edition (2015) (available at http://www.pwc.com/us/en/corporate-governance/publications/assets/pwc-key-considerations-for-board-and-audit-committees-2015.pdf)
(go back)

[7] Id.
(go back)

[8] For Audit Committees, a Growing Role in Cybersecurity (Risk & Compliance Journal: From the Wall Street Journal, June 16, 2014) (available at: http://www2.deloitte.com/content/dam/Deloitte/us/Documents/regulatory/us-aers-growing-role-%20in-cybersecurity-021115.pdf).
(go back)

[9] Mary Jo White, The SEC as the Whistleblowers Advocate (Ray Garrett, Jr. Corporate and Securities Law Institute, Northwestern University School of Law, April 30, 2015) (available at http://www.sec.gov/news/speech/chair-white-remarks-at-garrett-institute.html, discussed on the Forum here).
(go back)

[10] PricewaterhouseCoopers, Point of View: Audit Committee Evolution, 2014 and Beyond (December 2014) (available at http://www.pwc.com/en_US/us/cfodirect/assets/pdf/point-of-view-audit-committee-evolution.pdf).
(go back)

Both comments and trackbacks are currently closed.