2018 Year-End Issues for Audit Committees

Steve W. Klemash is Americas Leader and Jennifer Lee is Senior Manager at the EY Center for Board Matters; and John F. Schraudenbach is Americas Assurance Senior Client Service Partner at EY. This post is based on their EY Center for Board Matters memorandum.

In the current year, audit committees have played a vital role in navigating evolving oversight challenges and stakeholder expectations related to a number of developments, including new accounting standards, tax reform implementation, trade policy shifts, technology’s impact on the company’s risk profile and finance function, and regulatory developments concerning cybersecurity disclosures and the auditor’s reporting model.

Going forward, ongoing changes in the political and regulatory environment, as well as increasing stakeholder interest in topics such as data privacy, strategy and corporate culture, will continue to shape the audit committee’s critically important work.

In our annual review of developments affecting audit committees, we consider these and other key developments related to financial reporting, tax, regulatory matters and risk management. This report can be useful to audit committee members as they prepare for discussions with the board, management and the external auditors.

Audit committee effectiveness

“Companies and directors should carefully choose who serves on their audit committee, selecting those who have the time, commitment, and experience to do the job well. Just meeting the technical requirements of financial literacy may not be enough to understand the financial reporting requirements fully or to challenge senior management on major, complex decisions.”

Wes Bricker, Chief Accountant at the U.S. Securities and Exchange Commission (SEC)

The audit committee has always played a critical role in corporate governance. Boards and audit committees, in particular, have experienced tremendous changes and expanding agendas to address issues such as: the evolving cybersecurity landscape, strategic disruption and the future sustainability of business models; the digitization and automation of the finance function; new demands on external reporting with upcoming accounting and auditing standards; and how auditors are using technology in their audits to increase audit quality, drive efficiency and provide greater insight.

Investors continue to have high expectations of audit committees for promoting confidence in the audit and improving transparency in financial reporting and company disclosures. This is challenging boards to make sure their audit committees not only have the right balance of skills and competencies in place, but that they are properly focused on fulfilling their core responsibilities despite the increasing demands placed on audit committees. We also observe continued growth in the level of voluntary disclosure around the work and responsibilities of audit committees in the proxy statement as companies respond to the continued growth of investor interest in this area.

We can expect continued strong focus on the audit committee’s role, and many of them may be looking for ways to enhance their effectiveness and operations.

Effective audit committees leverage multiple resources including management teams, internal audit, the external auditor and other third parties for fresh perspectives and insights. While audit committee meeting agendas are filled with required topics, leading audit committees are also carving out time on the agenda for emerging, strategic and disruptive risks while also fostering a boardroom culture “that is centered on open discussion, constructive challenge, and active self-reflection.” [1]

Financial reporting

Regulators and governments are requiring businesses to provide more disclosures for a variety of reasons, including on the effects of continued global economic uncertainty and volatile geopolitical developments on the company. In the US, new accounting standards and the SEC’s scrutiny of the related disclosures pose particular challenges, raising questions about whether management is prepared to comply with these requirements.

The number of restatements of previously issued financial statements has steadily decreased in recent years and hit a 17-year low in 2017. [2] The accounting areas with the most restatements were debt and equity, revenue recognition, income taxes and cash flows statement classification. Still, audit committees should remain focused on maintaining high-quality financial reporting. The SEC staff continues to encourage audit committees to maintain the right “tone at the top” to create an environment and culture that supports the integrity of the financial reporting process and promotes management’s successful implementation of the new standards.

“In your roles as board members … each of you can play a vital role in supporting management to run the companies you serve in a manner that will promote long-term shareholder value without compromising the integrity of the company’s reputation for high-quality financial reporting. This gives management the courage to make right decisions.”

Wes Bricker, Chief Accountant at the SEC

Gearing up for the leases standard

With the effective date of the new leases standard nearing (effective January 1, 2019 for calendar-year public business entities or PBEs), calendar-year PBEs and certain other entities should be implementing new accounting policies, processes and controls, including controls over any new or modified information technology (IT) systems they will use to account for leases.

In an effort to reduce the cost and complexity of implementation, the Financial Accounting Standards Board (FASB) added a transition option for all entities and a practical expedient for lessors. The new transition option allows entities to not apply the new guidance in the comparative periods they present in their financial statements in the year of adoption. The practical expedient allows lessors to not separate non-lease components from the associated lease components, if certain criteria are met.

While the transition option may mitigate some of the costs and complexities associated with the adoption of the new leases standard, the effective date of the new leases standard has not changed. The level of effort necessary to apply the new standard by the effective date may be significant. Audit committees should encourage management teams to remain focused on their implementation efforts, regardless of whether they plan to elect the new transition option.

As lessees prepare to adopt the new standard, audit committees should discuss with management the status of their implementation plans, key accounting policies the company elects, the impact on their processes and controls, and how management intends to communicate these to its stakeholders (e.g., SAB Topic 11.M disclosures).

Credit losses

The new credit losses standard affects entities in all industries, not just those in financial services, and makes significant changes to the accounting and disclosures for credit losses on a wide variety of financial instruments, including trade receivables. Financial services organizations should already be working on implementing the standard while nonfinancial services entities should start planning around implementation efforts. The standard is effective for PBEs that are SEC filers beginning in 2020.

Accounting transition disclosures under SAB Topic 11.M

With registrants preparing to adopt new standards on leases and credit losses, SEC officials have continued to emphasize the importance of providing robust accounting transition disclosures as required under Staff Accounting Bulletin (SAB) Topic 11.M about the anticipated effects of the new accounting standards on a registrant’s financial statements. The SEC staff expects a registrant’s disclosures to evolve as the effective date of a new standard nears and the registrant makes progress on its implementation plan.

SEC comment letter trends

The number of comment letters issued by the SEC staff continued to decline in 2018, but the adoption of new accounting standards could slow or reverse that trend. Over the next year, the SEC staff is expected to focus on accounting under the new revenue standard, disclosures about how companies will be affected by new standards on leases and credit impairment, disclosures about cybersecurity and accounting for income tax reform. The SEC staff continues to comment most often on accounting areas that require significant judgments and estimates. The following chart summarizes the top 10 most frequent comment areas in the current and previous years:

SEC staff focuses on ASC 606 (Revenue from contracts with customers) disclosures

Comments issued by the SEC staff in the Division of Corporation Finance (DCF) to companies that adopted Accounting Standards Codification (ASC) 606, Revenue from Contracts with Customers, about their disclosures under the new standard are public and may provide an indication of where companies may have the opportunity to improve their disclosures. The SEC staff recently said that it is monitoring the new disclosures mandated by ASC 606 and encouraging companies to refine and supplement their annual disclosures included in their subsequent quarterly filings in the year of adoption. Identification of performance obligations and the application of principal vs. agent guidance have been the most frequently discussed topics in consultations with the Office of the Chief Accountant. As expected, the SEC staff’s comments on the application of ASC 606 have focused on areas of judgment.

Audit committees should continue to evaluate the adequacy of the company’s disclosures required by the new revenue standard. We believe this evaluation should include the consideration of disclosures by peer companies, industry practice and other best practices as they evolve over time.

SEC amends rules to eliminate redundant and outdated disclosures

The SEC issued a final rule that eliminates or revises a number of disclosure requirements that are redundant or outdated in light of changes in US GAAP, IFRS, technology or the business environment.

The rule changes are not expected to significantly alter the total mix of information provided to investors. Although the rule is generally expected to have a limited effect on disclosures, registrants should carefully review the changes made by the rule and address them as necessary.

Questions for the audit committee to consider:

  1. Has the company’s management sufficiently challenged the adequacy of its disclosures required under the new revenue standard, particularly in areas that require significant judgment or estimates (e.g., disaggregated revenue disclosures, identification of performance obligations)?
  2. What changes to internal control over financial reporting have been implemented and what key actions have been taken by management to implement the lease, credit loss and other FASB standards in process? What key actions are needed to improve readiness for implementation and disclosure?
  3. How is technology changing the company’s finance function and what sort of assurance is the audit committee getting that financial information integrity is preserved during and after any transition (including during implementation efforts)?
  4. What is the company’s plan for periodically updating the disclosures under SAB Topic 11.M on the effect of new accounting standards?
  5. Are control deficiencies being adequately evaluated as possible material weaknesses? Are there any material changes in internal control over financial reporting (ICFR) requiring disclosure?

Additional reference

* These rankings are based on topics assigned by research firm Audit Analytics for SEC comment letters issued to registrants about Forms 10-K from July 1, 2016 through June 30, 2018. In some cases, individual SEC staff comments are assigned to multiple topics if the same comment covers multiple accounting or disclosure areas.
** This category includes comments on MD&A topics, in order of frequency: (1) results of operations (20%), (2) critical accounting policies and estimates (10%), (3) liquidity matters (8%), (4) business overview (6%) and (5) contractual obligations (2%). Many companies received MD&A comments in more than one category.
*** This category includes SEC staff comments on fair value measurements under ASC 820, Fair Value Measurement, as well as fair value estimates, such as revenue recognition, stock compensation and goodwill impairment analyses.

Tax

Boards and audit committees have to address substantial tax policy changes as businesses continue to implement the Tax Cuts and Jobs Act (TCJA). The Treasury Department and IRS have issued administrative guidance on some of the more complex areas of the new tax law, and more guidance and clarification are expected.

Boards and audit committees should also stay focused on US trade activity. Tariffs imposed by the US and other countries could have substantial implications for US businesses, the economy and consumers. With continued uncertainty in both US trade and tax policy, and a significant Supreme Court opinion that has state tax implications for remote sellers, modeling alternative tax and supply-chain scenarios has become more important than ever.

“The world continues to change as a result of developments in globalization, demographics, technology and regulation. These disruptive forces require organizations to respond rapidly—accordingly, we all need to be agile and adaptable to that change now and for many years to come.”

—Marna Ricker, EY Americas Vice Chair—Tax

Tax reform implementation

The TCJA significantly changed US income tax law, and companies accounted for the effects of these changes in the period that includes the December 22, 2017 enactment date. The SEC staff issued SAB 118 to provide companies that had not completed their accounting for the income tax effects of TCJA in the period of enactment with a measurement period of up to a year. As the SAB 118 measurement period cannot extend beyond one year, calendar year-end companies are required to finalize any provisional balances by December 31, 2018.

The Treasury Department and IRS began releasing major TCJA-related proposed regulations during the summer of 2018 and are expected to continue through spring of 2019. Key proposed regulations addressed the law’s transition tax, the new global intangible low-taxed income (GILTI) regime, qualified business income (QBI) deduction, additional first-year depreciation deduction, and the new provision to encourage investment in Opportunity Zones. [3] The proposed regulations will be finalized after comment periods for those interested in sharing suggested changes or other observations. Companies trying to plan in the near term face some risk as they await the release of anticipated further TCJA guidance, especially around some of the complex international provisions of the law.

Further TCJA clarification is also expected by year-end from the Joint Committee on Taxation’s Blue Book—a general explanation of the new law. And while there have been calls for technical corrections legislation to resolve drafting errors in the final legislative language, it is unlikely that this type of legislation will move forward in Congress in 2018.

In late September, the House of Representatives advanced three bills as a follow-up effort on tax reform, or “Tax Reform 2.0,” aimed at three areas: (1) making the individual and small business tax cuts permanent; (2) promoting savings for families and retirement; and (3) spurring innovation. It is unlikely that the Senate will take the measures up this year. As with technical corrections legislation, the outcome of this effort will depend on the political composition of Congress after the mid-term elections.

With so many avenues of clarification around the new tax law and the potential for additional tax legislation in the years ahead, audit committees must stay up-to-date with tax policy developments in real time.

Trade policy

Recent US trade policy shifts could have significant implications for US companies. Actions such as the use of targeted tariffs and renegotiation of the 24-year-old North American Free Trade Agreement (NAFTA) indicate that the current Administration prioritizes reducing the US trade deficit over free trade flows to a greater extent than its predecessors.

The shift in approach to trade policy can have a real impact on businesses. For example, the Administration has imposed various tariffs on imported intermediary goods, or parts, used by US businesses to make finished products. Tariffs on these parts can increase costs for businesses and could lead them to cut other expenses, including labor costs, among other options. Further impacting US businesses, many countries have retaliated against the tariffs by imposing their own tariffs on US exports, making US products less attractive to overseas purchasers.

The current trade policy environment is very fluid now, and the possibility of additional rounds of tariffs is quite high. For this reason, it is critical that businesses understand the issues associated with the Administration’s trade policy, examine the potential impacts to their operations and consider expressing their views. Boards need to understand management’s approach to addressing this and other potential geopolitical and regulatory developments, including impacts on strategy and risk management.

Wayfair and evolving digital tax policies

On June 21, the US Supreme Court held in South Dakota v. Wayfair that physical presence in a state was not necessary to create taxable nexus for sales and use tax purposes. As a result of the Court’s decision, additional states may now begin requiring remote sellers to register, collect and remit taxes on transactions with in-state customers regardless of the seller’s physical presence within the state, provided that they do not impose undue burdens on interstate commerce.

States have already begun to respond by revising their sales and use tax rules, and companies will need to track issues such as retroactivity and prospective tax liability on a state-by-state basis. A company’s facts and circumstances should be reviewed with respect to each jurisdiction in which it may have a state tax filing obligation, regardless of physical presence.

Around the world, the focus on digital tax policies has evolved quickly, mirroring the rapid integration of digital into the business landscape. Tax policymakers are trying to keep pace with this growing trend, with some countries and supranational groups exploring different digital taxation models. A current lack of agreement on how to proceed, however, threatens to create a confusing tax landscape, with a patchwork of different proposals for businesses to navigate. Increasingly, audit committees will need to verify that the company’s tax strategy supports its digital ambitions while also protecting the organization from tax uncertainty.

Boards and audit committees should begin discussing their companies’ existing digital activity and pipeline projects in new ways and assess the related tax implications. This effort will require knowledge of the digital tax approach of countries and states in which they do business, and committing resources to measuring and addressing any resulting tax risks. These risks need to be weighed against the company’s digital goals to determine whether tactics, strategy, structures or business models may need modifying.

Boards and audit committees should assess the completeness of their companies’ investor communications. Investors need to know about tax risks related to digital activities that may reduce profits if these taxes go into effect. Boards should be informed about the possibility and potential impact of restructuring parts of a digital strategy and the potential need to exit lines of business or markets depending on how tax proposals advance.

While the complex issues of how to tax digital activity are not likely to be resolved anytime soon, the debate has implications for all businesses that have digital assets. As such, boards and audit committees will want to closely monitor the evolving discussion and related digital tax developments.

The future of the tax operating model

Tax operating models are at an inflection point. External pressures including technology disruption and talent availability are significantly challenging current tax operational strategies. Companies are looking at their short- and long-term requirements to efficiently and effectively manage their tax operations. Audit committees should inquire of management as to whether their tax operating model is meeting the organization’s needs. Leading organizations are reconsidering their tax functions (e.g., fully internally sourced, outsourced or a hybrid model) to design a more efficient operating model by leveraging lower-cost resources and emerging technologies, such as robotic process automation and artificial intelligence.

Tax Questions for the audit committee to consider

  1. How is the company staying abreast of the latest developments in both tax and trade policy matters?
  2. Has the company performed any modeling on the impact of tax reform changes or trade policy changes such as tariffs?
  3. Has the company modeled different scenarios related to its digital activity and considered the potential tax implications of recent regulatory developments? How is this information communicated to the board?
  4. Does the company have sufficient resources to track and analyze recent changes in regulations and legislation at the state level?
  5. How is the organization attracting, retaining and developing the talent (e.g., scientific, technology, engineering and math skills) needed in today’s and tomorrow’s tax and finance functions?
  6. Does the tax organization have a sustainable model to address challenges, such as new tax reform requirements, a digital tax administration, and evolving global tax reporting obligations?
  7. How does the board effectively communicate changes in tax strategy to shareholders and the public? Are disclosures and related risk factors in the company’s public filings updated and appropriate given the company’s planned digital activity and recent regulatory tax developments?
  8. Does the company have a strategy for engaging on tax policy issues?

Additional reference

Regulatory developments

The SEC, under Chairman Jay Clayton’s leadership, remains committed to a strategic agenda to promote capital formation in public markets that balances investor protections. Clayton’s capital formation agenda has particularly focused on reducing the regulatory burden on small businesses. With Elad Roisman sworn in as a new SEC commissioner in September 2018 (replacing former Commissioner Piwowar), the SEC is temporarily back to a full slate of commissioners. Although Commissioner Kara Stein must step down as of January 1, 2019, this is not expected to hinder SEC rulemaking, as the Commission will still have a quorum.

“[Registrants] should consider whether their publicly filed reports adequately disclose information about their risk management governance and cybersecurity risks, in light of developments in their operations and the nature of current and evolving cyber threats.”

—Jay Clayton, SEC Chairman

SEC outlook

Clayton continues to focus SEC efforts on enhancing the attractiveness of raising capital in the US public capital markets. Clayton intends to reduce the regulatory burden on SEC registrants, while still providing material information to investors, to attract more companies to public markets.

Recently, the SEC amended the definition of a smaller reporting company to allow more companies to provide scaled disclosures in SEC filings. Additionally, the SEC finalized a rule that eliminates redundant and outdated disclosures as discussed above. The Commission also proposed a rule to streamline reporting requirements for certain registered debt offerings.

In an effort to promote capital formation, SEC officials continue to encourage companies to consider requesting waivers or modifications of their financial reporting requirements under Rule 3-13 of Regulation S-X.

Looking ahead, the SEC announced that the staff is working on a rule proposal that would reduce the number of companies that are subject to Section 404(b) of the Sarbanes-Oxley Act, which requires an auditor attestation on internal control over financial reporting. The staff may also recommend seeking comment on ways to reduce the regulatory burden associated with earnings releases and quarterly reporting.

Also high on the SEC’s agenda is keeping pace with the technological changes in cybersecurity and distributed ledger technology, including cryptocurrency and initial coin offerings (ICOs). The SEC staff continues to remind market participants that offerings of digital tokens in ICOs must be registered with the SEC or qualify for and comply with an available exemption from registration. The SEC’s Division of Enforcement has been actively pursuing federal securities law violations involving distributed ledger technology and ICOs.

In 2018, the SEC streamlined its short-term regulatory agenda to include only those rulemaking actions that the SEC actually expects to complete within a year. The agenda issued in October 2018 includes pending rulemaking required under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) related to hedging by employees, officers and directors. It does not address other executive compensation matters (e.g., clawback, pay vs. performance), although those are included on the SEC’s long-term agenda.

Boards should also be aware that another item on the SEC’s long-term agenda is consideration of the proxy process. The SEC staff will hold a roundtable to discuss the proxy process in November 2018 to solicit input in light of changes in the market. Topics covered will include the voting process, retail shareholder participation, shareholder proposals and proxy advisory firms.

Audit committees and SEC registrants should keep abreast of the evolving SEC agenda and the impact that such changes have on the organization.

SEC’s continued focus on cybersecurity disclosures

As cybersecurity threats evolve and risks become more complex and widespread, focus on corporate disclosures in public filings on the subject will likely intensify. The SEC issued guidance on February 21, 2018, which reinforces and builds on the SEC’s 2011 cybersecurity staff guidance, clarifying companies’ obligations to disclose cybersecurity risks, material breaches and the potential impact of the breaches on business, finances and operations. The new Commission guidance also addresses company disclosure on how the board of directors oversees the management of cybersecurity risk, among other things. This publication is a clear indication that regulators and stakeholders want to better understand a company’s efforts around cybersecurity planning, incident response and notification procedures.

Also high on the SEC’s agenda is keeping pace with the technological changes in cybersecurity and distributed ledger technology, including cryptocurrency and initial coin offerings (ICOs).

A recent EY analysis of cybersecurity-related disclosures noted that 70% of Fortune 100 companies disclosed that their audit committees oversee cybersecurity matters. The EY report also showed that the depth and company-specific nature of cybersecurity disclosures varied widely, suggesting room for improvement consistent with the SEC’s 2018 interpretation. Boards and audit committees should re-examine management’s disclosure controls and procedures around cybersecurity and review the company’s cybersecurity disclosures in light of the new guidance and the evolving landscape of cyber risks and cybersecurity.

Recently, the SEC issued an investigative report alerting registrants to carefully assess and calibrate their internal accounting controls in response to emerging risks related to cyber frauds (e.g., spoofed emails or manipulated email communications). The SEC report discussed the findings of its investigation into nine issuers, which were victims of unsophisticated cyber scams (primarily involving emails from fake executives and emails from fake vendors), and whether those companies may have violated their obligation to have designed and implemented a sufficient system of internal accounting controls.

The pervasive use of electronic forms of communications and the general expectation that such communications are trustworthy creates risks for organizations that need to be considered. Organizations may need to revisit their controls related to the authorization of the transfer of funds and changes to vendor master file data and their training for employees.

Public Company Accounting Oversight Board (PCAOB) outlook and developments

Five new PCAOB members have been sworn into office since January 2018, including new PCAOB Chairman William (Bill) D. Duhnke III. The PCAOB is expected to maintain its focus on promoting high audit quality through its inspection program, among other things. One of the new Board’s first acts was to seek public input on priorities to include in the PCAOB’s 2018–2022 strategic plan, the first time the PCAOB has done so. In October, Chairman Duhnke gave a speech outlining the results of the Board’s strategic review. He indicated that there will be changes in the Board’s approach to inspections, standard setting and enforcement, including to provide more timely, relevant and useable reports to the market. The Board also plans to work and communicate more closely with audit committees to promote audit quality.

Auditor’s reporting model

Companies should already be taking steps to prepare for changes in auditor reporting. In the second phase of changes required under the revised PCAOB standard on the auditor’s report (in annual reports for fiscal years ending on or after June 30, 2019 for large accelerated filers), auditors will be required to disclose information about matters that were communicated or required to be communicated to the audit committee that are material to the financial statements and involved especially challenging, subjective or complex auditor judgment (i.e., critical audit matters). For each critical audit matter (CAM), auditors are required to:

  • Identify the matter
  • Describe the principal considerations in determining that the matter was a CAM
  • Describe how the matter was addressed in the audit
  • Refer to the relevant financial statement accounts or disclosures

Management and audit committees are encouraged to work with their auditors to understand the requirements related to CAMs, including the process of determining and describing CAMs, and any expected changes to the audit process. This will help management prepare for questions it may receive from investors, regulators and others.

Management should consider involving personnel from other departments (e.g., legal, investor relations) in discussions about disclosures and communications the company will make in response to CAMs. Audit committee members should also understand any changes the company makes to its processes and disclosures.

Enhancing audit committee reporting

The 2018 proxy season saw continued growth in audit committee transparency. Continuing the trend of the past years, proxy disclosures in 2018 continue to show year-over-year growth in voluntary audit-related disclosure based on our annual review of Fortune 100 companies.

A US survey of investors indicates high degrees of confidence in the audited financial information disclosed by public companies. Yet, at the same time, for the reviewed companies, there was a slight increase in average votes against ratifying the external auditor in the 2018 proxy season.

This increase suggests that some investors are taking a stricter approach to reviewing the company-auditor relationship. This could encourage companies to provide additional disclosure around the audit committee’s selection of an auditor. Enhancing audit committee transparency can increase investors’ confidence in financial reporting and their confidence in the role of the audit committee in overseeing the audit process and promoting audit quality.

Meaningful disclosure about what audit committees do and how they oversee auditors would provide a window into the important work audit committees perform, as well as the processes in place to protect auditor independence and professional skepticism and further the alignment among auditors, audit committees and investors.

A US survey of investors indicates high degrees of confidence in the audited financial information disclosed by public companies.

Regulatory developments—Questions for the audit committee to consider

  1. How will the SEC cybersecurity guidance and investor interest impact 2019 cybersecurity disclosures, including information about risk management governance, cyber risks, disclosure controls and procedures, and insider trader protocols?
  2. How does management periodically assess and calibrate the company’s internal accounting controls in response to emerging cyber threats?
  3. Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
  4. How has the role of the audit committee evolved in recent years (e.g., oversight of enterprise risk management, cybersecurity risk), and to what extent are these changes being communicated to stakeholders via the proxy statement?
  5. What impact will new auditor reporting requirements have on audit committee disclosures?
  6. What additional voluntary disclosures might be useful to shareholders related to the audit committee’s time spent on certain activities, such as cybersecurity, business continuity, mergers and acquisitions, and financial statement reporting developments?

Additional references

Risk management

Disruption in the business environment has taken on many forms, including political instability fueled by economic uncertainty across the world, digital transformation and business model disruptions, greater scrutiny of corporate behavior, and regulators that are under increasing pressure to develop frameworks that foster growth but curb short-termism and unfair practices.

The pace and scale of disruption will continue to present a number of challenges to companies; however, opportunities to harness new technology and trends will undoubtedly emerge to reshape business models, improve companies’ performance and value creation, and focus on and address emerging risks. In this continually changing environment, boards and audit committees need more than ever to focus on risk management.

“Most of the recent drivers of advancement and growth are technological advances that undermine security. Boards need to help companies balance the need to grow and be profitable with securing the business.”

—Larry Clinton President and CEO Internet Security Alliance

The next generation of Enterprise Risk Management (ERM)

Rather than avoiding risk, evolved companies will focus on mitigating risk to a tolerable level and, ultimately, optimizing it to drive competitive advantage. Boards have a role to play in challenging organizations to embed risk management in their strategic decision-making and leverage digital capabilities to harness risk intelligence across their enterprises. Such an approach strives to balance upside, downside and outside risks; instill a digital risk mindset and culture; digitize risk intelligence, monitoring and reporting; and consider embedded risks in strategy and operations. That means evaluating business risk drivers, prioritizing opportunities and remediation activities, designing risk response plans to optimize value and return on investment, and keeping risk within acceptable levels of risk tolerance and appetite.

To further facilitate this shift in ERM focused on strategy and operating performance, audit committees are expecting the internal audit (IA) function to go beyond controls auditing to provide assurance over governance and emerging risks. Leading audit committees are also encouraging companies to perform their risk assessments more frequently than once a year with IA adopting the “six-plus-six” approach to audit planning and risk assessments (i.e., a risk-based rolling plan of IA work that is updated every six months). Such a flexible and dynamic approach allows organizations to better meet the changing needs and priorities.

Driving digital trust and overseeing data privacy

The cyber threat environment alone is such that it is only a matter of time before all businesses will suffer a cyber breach. And as consumers become more aware of (and potentially alarmed by) the extensive sharing of their data in the digital economy, and as global data protection laws and regulations proliferate, data privacy risks are growing in number and scope. More than ever, organizations need to be confident that their complex and evolving digital platforms are safe and secure. The boundless possibilities, efficiencies and conveniences of digital are bundled with evolving and emerging risks and challenges, from business disintermediation, cybercrime, data loss and technology outages to third-party risks.

With the EU’s General Data Protection Regulation (GDPR) now legally enforceable and the passing of the California Consumer Privacy Act (which provides the most sweeping, comprehensive consumer privacy rights in the United States), organizations must bolster their cyber defenses to be certain that the personal data collected in each jurisdiction are properly maintained and managed.

Boards and audit committees should view GDPR and data privacy legislation as an opportunity to evaluate, streamline and standardize data processes and procedures, so that risk management controls are primed for the increasingly stringent regulatory requirements that are expected to come.

While the boards’ obligation extends to ensuring regulatory compliance, all stakeholders across the organization are responsible for working together to create resilience.

Some key board considerations include:

  • How cybersecurity and personal data risks are featured in the organizational risk assessment
  • Whether controls relating to the collection, processing and use of personal data and its security are compliant with data protection requirements
  • In the event of a personal data breach, whether there are established response procedures that are built into the business continuity plans
  • How often the board will be updated on data protection and cyber matters
  • How data protection policies will be communicated internally and externally to build buy-in and assurance for all stakeholders.

Audit committees should assess whether compliance with data protection and privacy laws is a process that is continually evaluated and evolving within the organization.

The cyber threat environment alone is such that it is only a matter of time before all businesses will suffer a cyber breach.

Third-party risk management

Boards also must exercise vigilance in confirming that organizations are properly monitoring the heightened risk presented by third-party service providers in a digital world. These providers often have access to a company’s data and its internal systems, which raises concerns and serious potential risks related to fraud, cybersecurity and the company’s reputation. It is paramount that effective governance structures be put into place to manage these risks. Companies may opt for a centralized third-party risk management structure, a decentralized model that provides oversight at the business unit level, or some combination of the two approaches.

Regardless of which model an organization adopts, the board can challenge the company to construct a clear profile of all third-party partners and the potential risks they pose. This means insisting on proper due diligence, strong contracts that protect the company, and methods to consistently evaluate and monitor each service provider (including the third parties’ compliance with stipulated codes of conduct). Companies must have a fundamental understanding of their business processes: how their data is being secured by hosts who are managing their information in the cloud, clarify with clients or customers whether employees with whom they are working are client employees or third party, as well as how their data is being managed through robotic process automation and artificial intelligence.

The future of compliance and board oversight of culture

In a world of changing business models, the explosion of data, and increased regulation and enforcement, integrity remains a critical foundation for driving the ethical and compliance-oriented behaviors needed to protect businesses and business reputations. EY’s 15th Global Fraud Survey found that fraud and corruption remain among the greatest risks to businesses today, and a significant level of unethical conduct is ongoing, with junior professionals more likely to justify fraud. How an organization brings integrity into its culture will become increasingly important.

In this environment, board oversight of corporate culture, controls and governance through an integrity lens is a growing priority. Audit committees should work hand-in-hand with the board and other committees to create and define a culture of ethics and integrity that is modeled by the board, executives and other management and expected of all employees and other members of the workforce—even as the workforce is radically changing. The cultural values should also apply to third parties with which the company regularly does business, including key suppliers and business partners. Audit committees will also need to work ever more diligently to help make sure that company codes of conduct and ethics, compliance programs, whistle-blower policies and procedures, and related employee engagement and training programs are effective in defining and enforcing ethical behaviors.

In this environment, board oversight of corporate culture, controls and governance through an integrity lens is a growing priority.

Overseeing whether the compliance function is effective and appropriately evolving through advances in governance practices and technology is also critically important. Clear assessments of the effectiveness of compliance and ethics policies and programs can lead to more effective risk management, a stronger culture of compliance, ethics and integrity, and increased transparency. With the introduction of digital compliance tools, such as predictive analytics and real-time risk alerts, forensic data analytics can significantly improve the effectiveness and efficiency of monitoring and reporting. Along with providing better data insights, leveraging new technologies may also better optimize resources, which can be critical with budget restraints. Leading companies are also using artificial intelligence technology to replace classroom and web-based training with individualized risk-based communications in real time.

Boards and audit committees should set the right tone at the top by clearly and consistently communicating and demonstrating a clear culture of compliance, ethics and integrity, and by verifying that ethics and compliance policies and procedures (backed by effective training and consistently applied enforcement) are working to maintain the culture and deliver effective compliance.

Risk management Questions for the audit committee to consider

  • Does the organization’s ERM practices incorporate forward-looking insights and use of data analytics to determine trends and predictive indicators?
  • Has management clearly articulated the key individual risks and aggregate risk to achieving its strategic goals and properly applied the organization’s risk tolerance to determine risk management priorities?
  • Is the organization continually scanning the risk landscape and responding? Is its risk mitigation approach shifting from reactive to predictive response strategies?
  • Is the organization harnessing emerging technology to better mitigate downside risk?
  • Is the organization’s talent pool equipped to meet the changing needs of the risk function?
  • How does the company incentivize executives, as well as lower-level employees and third parties, to act ethically? And how does it instill the concept of employees taking individual responsibility for the integrity of their own actions?

Additional reference

25 questions for audit committees to consider

Financial reporting

  1. Has the company’s management sufficiently challenged the adequacy of its disclosures required under the new revenue standard, particularly in areas that require significant judgment or estimates (e.g., disaggregated revenue disclosures, identification of performance obligations)?
  2. What changes to internal control over financial reporting have been implemented and what key actions have been taken by management to implement the lease, credit loss and other FASB standards in process? What key actions are needed to improve readiness for implementation and disclosure?
  3. How is technology changing the company’s finance function and what sort of assurance is the audit committee getting that financial information integrity is preserved during and after any transition (including during implementation efforts)?
  4. What is the company’s plan for periodically updating the disclosures under SAB Topic 11.M on the effect of new accounting standards?
  5. Are control deficiencies being adequately evaluated as possible material weaknesses? Are there any material changes in internal control over financial reporting (ICFR) requiring disclosure?

Tax

  1. How is the company staying abreast of the latest developments in both tax and trade policy matters?
  2. Has the company performed any modeling on the impact of tax reform changes or trade policy changes such as tariffs?
  3. Has the company modeled different scenarios related to its digital activity and considered the potential tax implications of recent regulatory developments? How is this information communicated to the board?
  4. Does the company have sufficient resources to track and analyze recent changes in regulations and legislation at the state level?
  5. How is the organization attracting, retaining and developing the talent (e.g., scientific, technology, engineering and math skills) needed in today’s and tomorrow’s tax and finance functions?
  6. Does the tax organization have a sustainable model to address challenges, such as new tax reform requirements, a digital tax administration, and evolving global tax reporting obligations?
  7. How does the board effectively communicate changes in tax strategy to shareholders and the public? Are disclosures and related risk factors in the company’s public filings updated and appropriate given the company’s planned digital activity and recent regulatory tax developments?
  8. Does the company have a strategy for engaging on tax policy issues?

Regulatory developments

  1. How will the SEC cybersecurity guidance and investor interest impact 2019 cybersecurity disclosures, including information about risk management governance, cyber risks, disclosure controls and procedures, and insider trader protocols?
  2. How does management periodically assess and calibrate the company’s internal accounting controls in response to emerging cyber threats?
  3. Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
  4. How has the role of the audit committee evolved in recent years (e.g., oversight of enterprise risk management, cybersecurity risk), and to what extent are these changes being communicated to stakeholders via the proxy statement?
  5. What impact will new auditor reporting requirements have on audit committee disclosures?
  6. What additional voluntary disclosures might be useful to shareholders related to the audit committee’s time spent on certain activities, such as cybersecurity, business continuity, mergers and acquisitions, and financial statement reporting developments?

Risk management

  1. Does the organization’s ERM practices incorporate forward-looking insights and use of data analytics to determine trends and predictive indicators?
  2. Has management clearly articulated the key individual risks and aggregate risk to achieving its strategic goals and properly applied the organization’s risk tolerance to determine risk management priorities?
  3. Is the organization continually scanning the risk landscape and responding? Is its risk mitigation approach shifting from reactive to predictive response strategies?
  4. Is the organization harnessing emerging technology to better mitigate downside risk?
  5. Is the organization’s talent pool equipped to meet the changing needs of the risk function?
  6. How does the company incentivize executives, as well as lower-level employees and third parties, to act ethically? And how does it instill the concept of employees taking individual responsibility for the integrity of their own actions?

Endnotes

1 National Association of Corporate Directors publication: Adaptive Governance: Board Oversight of Disruptive Risks, October 2018. (go back)

2Audit Analytics publication, 2017 Financial Restatements: A Seventeen Year Comparison, June 2018. (go back)

3 To encourage long-term investment within economically distressed communities, policymakers enacted the Opportunity Zone (O-Zone) program as part of the TCJA. It allows taxpayers to defer capital gains tax by investing in qualified Opportunity Funds (O-Funds), which, in turn, invest in property within designated O-Zones. Investors in the O-Funds can defer capital gains tax, and also potentially permanently exclude from taxable income capital gains generated in any qualified investment made in an O-Fund. (go back)

Both comments and trackbacks are currently closed.