By KPMG’s Audit Committee Institute
[This piece was written by KPMG, published by NACD, and is reposted here.]
Recognizing the sizeable challenges that audit committees and boards face, KPMG’s Audit Committee Institute (ACI) has issued its annual message to directors. “Ten To-Do’s for Audit Committees” highlights key issues that should be top of mind as audit committees think through their agendas for the future.
1. Stay focused on the audit committee’s top priority: financial reporting and related internal control risk. Ensuring that the audit committee’s agenda focuses on the issues that require its attention will be a significant undertaking. The challenges of ongoing economic uncertainty and volatility coupled with the impact of cost reductions, major public policy initiatives, and an uncertain—yet clearly more complex—regulatory environment will require the attention of every audit committee. Meeting this workload challenge will require focused (yet flexible) agendas, with an eye on the company’s key financial reporting and related internal control risks. As-needed updates from management between regular audit committee meetings can be invaluable.
2. Continue to monitor accounting judgments and estimates, and prepare for accounting changes. Monitor fair value estimates, impairments, and management’s assumptions underlying critical accounting estimates. Recognize that the company’s greatest financial reporting risks are often in areas where there is a range of possible outcomes, and management is called upon to make difficult judgments and estimates. Understand management’s framework for making accounting judgments and estimates (was the framework in the “Pozen report” considered?), make sure management has appropriate controls in place, and ask for the external auditor’s views. Also, understand how major accounting changes on the horizon may impact the company, including implementation/resources and IT systems requirements. The SEC continues to explore what role IFRS will play in U.S. financial reporting, with a decision expected in 2012; and key FASB/IASB joint projects on revenue recognition, leases, financial instruments, and insurance are moving forward. Stay close to where these projects are headed and the timeline.
3. Consider whether the financial statements and disclosures tell the company’s story. Given the importance of transparency to the investor community, as well as the SEC’s ongoing focus on disclosures, consider how disclosures can be improved—perhaps going beyond what’s “required”—to better address expectations. Enlist management’s disclosure committee in this effort, and consider the findings of the recent FEI/KPMG study on disclosures, Disclosure Overload and Complexity: Hidden in Plain Sight. Understand the process management uses to calculate any non-GAAP measures that are used in SEC filings to ensure their relevance and reasonableness. At the end of the day, do the financial statements and disclosures tell the company’s story?
4. Focus on the company’s plans to grow and innovate. Growth, strategy, and innovation will be front-and-center as companies search for top-line growth and look forward, beyond the recessionary environment. A key challenge will be monitoring and calibrating growth plans to appropriately balance risk and reward. (Remember: good risk management enables innovation and growth.) Does lack of innovation pose a threat to the company? Make sure risk and strategy are discussed together—each hinges on the other. Given historically low valuations and high levels of corporate cash on hand, understand the company’s position in the M&A “ecosystem” (as a potential acquirer or target). Is there a robust M&A process in place in the event an offer or opportunity arises? What is the role of the audit committee versus the full board?
5. Reassess the company’s vulnerability to business interruption and its crisis readiness. As illustrated by the earthquake in Japan, the European debt crisis, and other systemic disruptions over the past 24 months, the global interconnectedness of businesses, markets, and risk poses challenges for virtually every company. Ensure that management is weighing a broad spectrum of “what-if” scenarios—from supply chain links and the financial health of vendors to geopolitical issues, natural disasters, and cyber threats. Is the company’s crisis response plan robust and ready to go? Is the plan actively tested or war-gamed—and updated as needed?
6. Understand how technology change and innovation are transforming the business landscape—and impacting the company. IT risk discussions should be moving (rapidly) beyond “defensive” issues (compliance, data privacy, system implementations) to address the critical challenge today: understanding the transformational implications of IT and emerging technologies—cloud computing, social media, mobile technologies, and data—and the strategic issues they present. The audit committee can help the organization get its arms around IT by insisting on more frequent and robust communications with the CIO; elevating IT discussions to a senior management/full-board level (beyond the “IT shop”); helping to frame the big picture view of the company’s IT governance efforts (on data and social media); clarifying the oversight role(s) of the board, audit committee, and other committees; and strengthening the board’s understanding of IT (by bringing IT expertise onto the board and/or through education). A comprehensive IT risk assessment is essential, and support from internal audit can be invaluable. Review the SEC’s October 2011 guidance on cyber security disclosures, which may highlight IT issues requiring greater attention by the company and the board.
7. Focus on asymmetric information risk and seek out dissenting views. Is the audit committee hearing views from those below and beyond senior management—e.g., from middle management and business unit leaders, sell-side analysts and critics, and other third parties—about the risks and challenges facing the company? Does the information provided by management, internal audit, and external auditors tell a consistent story? What is being said about the company by customers, employees, and others on social media networks? Make time to visit company facilities and attend employee functions. Key goals here are to recognize when asymmetric information risk—the over-reliance on senior management’s information and perspective—is too high, and to promote a culture of candor and constructive skepticism, where raising red flags and challenging information are welcomed.
8. Consider the impact of the regulatory environment on compliance programs and business plans. The increasing complexity of the global regulatory environment—including compliance challenges posed by the Foreign Corrupt Practices Act and the UK Bribery Act, the SEC’s whistleblower bounty program, and Dodd-Frank provisions on conflict minerals and compensation clawbacks—will require continued attention. The right tone at the top and throughout the organization is critical. From a broader business perspective, consider the potential impact of regulatory compliance developments on the business planning process, particularly when growth strategies include international expansion. Do the company’s regulatory compliance and monitoring programs align with its business plans?
9. Understand the company’s significant tax risks and how they are being managed and modeled. Prospects for business tax reform; ongoing assessment of uncertain tax positions; increased state, federal, and global enforcement activities; and the continued complexity of operating globally in different tax regimes all pose significant compliance and financial risks. To stay abreast of critical tax risks—including internal control, compliance, and disclosure issues—establish a clear communications protocol for management to update the audit committee on the status of its tax risk management activities. Ensure the tax function is monitoring the federal tax reform debate and “testing” the impact of various tax legislative scenarios (e.g., on R&D, capital investments, cash flow, hiring, etc.) and possible remedial steps as the proposals become more specific. Are leading risk management practices (such as scenario planning) being leveraged to manage significant tax risks?
10. Monitor the PCAOB’s initiatives on auditor independence and transparency, and consider the implications for the audit committee. PCAOB initiatives designed to promote auditor independence, objectivity, and professional skepticism have potentially significant implications for the audit process and the role of the audit committee. Set clear expectations with management and auditors for staying apprised of these projects and communicating their potential impact on the audit and the audit committee’s oversight (the PCAOB is seeking input from all stakeholders, including audit committee members). Consider how the audit committee currently reinforces auditor independence and skepticism. Would a more robust audit committee report be beneficial to investors?