COVID-19: Navigating Core Audit Committee Responsibilities

Paula Loop is Leader, Paul DeNicola is Principal, and Stephen G. Parker is Partner at the PricewaterhouseCoopers LLP Governance Insights Center. This post is based on their PwC memorandum.

As businesses confront the profound operational, financial and workforce disruption brought on by the COVID-19 pandemic, there’s no such thing as business as usual. That’s as true for corporate boards as it is for frontline workers. In particular, audit committees will have a lot on their plates in the coming months to provide critical oversight of financial reporting in this environment (for a detailed discussion of financial reporting considerations see PwC’s COVID-19: Audit committee financial reporting guidebook). At the same time, audit committees will need to continue to focus on their other core responsibilities in areas like risk oversight, oversight of internal and external audit, and ethics and compliance.

Risk oversight

In its role overseeing risk, audit committees will want to understand how management is evaluating the effects of COVID-19 on the business operations and the way people work, and whether those effects trigger an event-driven reassessment of business risk, control risk and the effectiveness of the related controls. As examples, the company might be entering into new or different business contracts or the operating environment might have dramatically changed due to social distancing and different working practices.

Audit committee considerations:

  • Has the company considered whether the impact of COVID-19 has resulted in new or different risks and how those risks are being addressed?
  • Is there a need to review management’s risk appetite framework to ensure it is appropriate in this rapidly evolving environment?
  • What risks have emerged that need to be addressed, and are there protocols in place to report, aggregate, and analyze emerging risks as this situation evolves?
  • Has the company considered leveraging internal audit or other resources to provide assurance related to new or different internal controls?
  • Does management have the tools and resources to update and present its risk information in a manner that is digestible for the audit committee?

Internal audit oversight

Internal audit has a crucial part to play given its role of providing independent, objective assurance related to the operating effectiveness of risk management, governance, and internal control processes. Audit committees should make it a priority to understand if the impact of the disruptions caused by the pandemic indicate that an event-driven reassessment of audit risk is needed. Whether it is or not, they should ask management to take a fresh look at their internal audit annual plan and determine if it is still fit for purpose. They will also want to focus on ways to optimize internal audit’s contributions in this new environment.

Audit committee considerations:

  • Has the internal auditor reviewed their audit plan and determined which projects might need to be cancelled, postponed or accelerated in this new environment? Do changes impact external audit’s plan to use internal audit’s work? In addition, was the internal audit function able to effectively work remotely? Were there any lessons learned from working remotely in the past few months that could improve how they work remotely going forward?
  • How has internal audit helped to ensure the completeness of risk identification and its related response?
  • How can the internal auditor provide assurance to management and/or the audit committee that the control environment is addressing any new risks identified? Examples might be particular testing or other procedures related to changes to the financial close process, changes in the supply chain, IT security related matters, etc.
  • Are there ways that internal audit can support the company in ensuring that it is addressing new regulatory requirements related to economic assistance received under the CARES Act and other government assistance programs?

External audit oversight

While the current environment has changed the way in which the external auditor is conducting its planning, interim reviews and audit procedures, as well as the way in which they engage with management, the audit committee’s responsibility for oversight of the external auditor has not changed. The audit committee will want to understand how the external auditor’s audit procedures will change. Additionally, they will want to understand the external auditor’s perspective regarding potential changes in audit risk, management’s process for developing significant estimates related to the impact of COVID-19 and the related impacts on internal control over financial reporting. Furthermore, the audit committee will want to understand the audit work that may have been and will be performed over significant transactions or accounting judgments during the interim reporting period.

Audit committee considerations:

  • How has working remotely impacted the way the external auditor executed its interim review, including obtaining evidence of the company’s internal controls procedures?
  • Has the external auditor’s annual audit plan been updated to address new risks and how does that impact the audit procedures?
  • Are the form and frequency of communication and engagement working satisfactorily for both management and the external auditor? And does the auditor have sufficient access to personnel and documents to complete their work?
  • What are the significant audit risks and how have they changed given the current conditions?
  • What audit procedures were performed and will be performed by the external auditor over significant transactions and accounting judgments made by management during the interim reporting period? What areas of judgment did the auditor pay particular attention to (e.g., asset impairments, fair value determinations, liquidity, debt repayment issues, going concern)?
  • Has the external auditor identified any concerns regarding the company’s internal control over financial reporting?
  • Was it necessary for the external auditor to perform extended audit procedures over going concern and, if so, did that require consultation outside the engagement team (for example, with the firm’s national office)?
  • How has the external auditor’s perspective on materiality changed due to management’s revised projections and what impact has that had on the audit scoping?
  • As it relates to certain audit work generally performed on location (e.g., physical inventory observations), what alternatives are being planned?

Whistleblower, ethics, and compliance oversight

It is important for the audit committee to continue to focus on the culture of the organization and their role in deterring fraud. Some companies may see a reduction of ethics-and-compliance-related matters as more employees are working from home and practicing social distancing. However, employees at other companies in essential businesses may have concerns about their safety and what they are being asked to do at work. Similarly, as companies begin to emerge from working virtually and workplaces reopen, individuals may have differences in opinion regarding their personal safety in the workplace or about traveling for business. These matters might cause a spike in ethics-related complaints.

Audit committee considerations:

  • Should the level (e.g., frequency, reporting criteria) of whistleblower reporting to the board change?
  • Is there a plan in place to perform virtual investigations should there be matters raised that warrant an investigation?
  • Has the company begun to prepare for a potential increase in whistleblower or ethics and compliance matters as it transitions back to the workplace?
  • Has management updated the fraud risk assessment?
  • Has management communicated to the audit committee the COVID-19 factors that increased financial reporting fraud risks and how management plans to address those risks?

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>