By Timothy Copnell – Chairman of KPMG’s UK Audit Committee Institute
Financial reporting, compliance and the risk and internal control environment will continue to be put to the test in 2018 by slow growth and economic uncertainty, technology advances and business model disruption, cyber risk, greater regulatory scrutiny and investor demands for transparency, as well as dramatic political swings and policy changes in the UK, US and elsewhere.
Focussed, yet flexible audit committee agendas – exercising judgement about what does and does not belong on the committee’s agenda and when to take deep dives – will be critical.
In the Audit Committee Institute’s 2017 Global Audit Committee Survey, nearly half of the 800 audit committee members who responded said it is ‘increasingly difficult’ to oversee the major risks on the audit committee’s agenda in addition to the committee’s core oversight responsibilities (financial reporting and related internal controls and oversight of internal and external auditors). Aside from any new agenda items, the risks that many audit committees have had on their plates for some time – cybersecurity and IT risks, supply chain and other operational risks, legal and regulatory compliance – have become more complex, as have the audit committee’s core responsibilities.
Issue #1 for 2018 is staying focussed on the basics – including financial reporting integrity – and then reassessing whether the committee has the time and expertise to oversee these other major risks. Does cyber risk require more attention at the full-board level – or perhaps the focus of a separate board committee? Is there a need for a compliance committee? Keeping the audit committee’s agenda focussed – and its eye on the ball – will require discipline and vigilance in 2018.
“The risks that many audit committees have had on their plates for some time — cybersecurity and IT risks, supply chain and other operational risks, legal and regulatory compliance – have become more complex”
Issue #2 is recognising that financial reporting quality starts with the CFO and the finance team. In the Audit Committee Institute’s 2017 Global Audit Committee Survey, 44 per cent of respondents were not satisfied that their agenda was properly focussed on CFO succession planning. Furthermore, few were satisfied with the level of focus on talent and skills in the finance team. Given the increasing demands on the finance team and its leadership – financial reporting and controls (including the implementation of new accounting standards), risk management, analysing mergers and acquisitions and other growth initiatives, shareholder engagement and more – it is essential that the audit committee can devote adequate time to the finance talent pipeline, training and resources, as well as succession plans for the CFO and other key executives in the finance team. Audit committees are thinking about whether finance teams are incentivised to stay focussed on long-term performance and looking to internal and external auditors to share their thoughts about the talent and skills in the finance organisation, including the organisation’s leadership.
Impact of change
The new accounting changes on the near horizon are just one of the increased demands facing finance teams – but an important one. Issue #3 for the Audit committee for 2018 is monitoring the company’s implementation plans and activities for major accounting changes, particularly the new revenue recognition and leasing International Financial Reporting Standards. The scope and complexity of these implementation efforts and the impact on the business, systems, controls and resource requirements, should be a key area of focus. While the impact of the new revenue standard will vary across industries, many companies – particularly those with large, complex contracts – will need to make many critical judgements and estimates. Audit committees will want to understand the underlying process and how judgements and estimates are reached. Under the new leasing standard, many companies will face significant implementation challenges during the transition period. Implementation of these two new standards is not just an accounting exercise; audit committees will want to receive periodic updates on the status of implementation activities across the company (including possible trouble spots), the adequacy of resources devoted to the effort and the plan to communicate with stakeholders.
Issue #4 in a similar vein, audit committees need to ensure appropriate attention is given to non-GAAP financial measures within corporate reports. Following the European Securities and Markets Authority’s (ESMA) final report on alternative performance measures (APMs), other regulators have expressed concern about the undue prominence given to APMs over the equivalent generally accepted accounting principles (GAAP) measures. While APMs can provide valuable insight into a company and the extent to which its business model is successful, audit committees should be having a robust dialogue with management about the process and controls by which management develops and selects the APMs reported upon, their correlation to the actual state of the business and results, and whether they are being used to improve transparency rather than to distort the balance of the annual report. The committee should be questioning what broader drivers of value contribute to the long-term success of the company and how they should be disclosed. Think about what sources of value have not been recognised in the financial statements and how are those sources of value managed, sustained and developed (for example, a highly-trained workforce, intellectual property or internally-generated intangible assets, where these are relevant to an understanding of the company’s development, performance, position or impact of its activity).
Issue #5 for the audit committee in 2018 is increased transparency around audit processes. This is now high on the agenda for both internal regulators and the investment community. Under International Standards on Auditing (ISA 701), auditors are now required to describe in the audit reports of listed entities the key areas they focussed on in the audit and what audit work they performed in those areas; and in the US, the Public Company Accounting Oversight Board (PCAOB) issued a final standard on the auditors’ reporting model, which requires a description of ‘critical audit matters’ in the auditor’s report.
Auditors may have the primary responsibility for implementing the requirements, but they are relevant to and affect other stakeholders as well, in particular the audit committee. Audit committees will need to interact comprehensively with the auditor from the audit planning stage through to the finalisation of the audit report. In particular, think about whether disclosures in the financial statements, or elsewhere in the annual report and/or in other investor communications, need refreshing, otherwise the auditor might be disclosing more information about an item than the company. Engaging in early and open communication with the auditor is crucial in this regard.
Issue #6 is the quality of the audit committee’s report – an issue around which both regulators and investors and increasingly focussed. This is particularly important when it comes to any disclosures relating to the audit committee’s consideration of the significant financial reporting issues and the external audit relationship – including the committee’s role in the appointment, reappointment or removal of the external auditor.
Audit committees should consider providing investors with more insight into how they carry out their oversight responsibilities, particularly their role in helping to maintain audit quality. Consider how the committee can engage with investors to help enhance investor confidence in audit and the oversight discharged by the committee. Does any audit committee/investor dialogue focus on matters specific to the company and the current year, or explain what the committee actually did and how it added value using active, descriptive language? Is the audit committee transparent as to the key issues it considered during the year, their context, the relevant policies and processes, the conclusions drawn and their consequences for the company and its reporting? Is the committee transparent as to the key judgements it made and the sources of assurance and other evidence drawn upon to satisfy it of the appropriateness of its conclusions?
“Failure to manage key risks can potentially damage corporate reputations and impact financial performance”
Issue #7 relates more broadly – as recent headlines suggest it should – to failure to manage key risks – tone at the top, culture, legal/regulatory compliance, incentive structures, cybersecurity, data privacy, global supply chain and outsourcing risks and environmental, social and governance risks, etc – that can potentially damage corporate reputations and impact financial performance.
A key task for the audit committee is ensuring the company is focussed on identifying those risks that pose the greatest threat to the company’s reputation, strategy and operations, and helping to ensure that internal audit is focussed on these key risks and related controls.
Audit committees are spending more time looking at audit plans and ensuring they are both risk-based and flexible. Does the audit plan adjust to changing business and risk conditions? What has changed in the operating environment? What are the risks posed by the company’s digital transformation and by the company’s extended organisation – sourcing, outsourcing, sales and distribution channels? Is the company sensitive to early warning signs regarding safety, product quality and compliance? What role should internal audit play in auditing the culture of the company? Audit committees should be setting clear expectations and helping to ensure that internal audit has the resources, skills and expertise to succeed; as well as helping the head of internal audit think through the impact of new technologies on the internal audit function.
Issue #8 on the audit committee agenda – and of particular importance is that the EU Public Interest Entities (PIEs) is reinforcing the audit committee’s direct responsibility for the external audit. Overseeing the auditor selection process including any (mandatory) tender process, and auditor independence, should be a key part of any audit committee’s role. Regular audit tendering and rotation is already ‘business as usual’ for EU public interest entities (PIEs), but the new regulatory regime includes some requirements that are difficult to navigate and, in some cases, will significantly impact the way audit committees operate in practice. To ensure the auditor’s independence from management and to obtain critical judgements and insights that add value to the company, the audit committee’s direct oversight responsibility for the auditor must be more than just words in the audit committee’s charter. All parties – the audit committee, external auditor and senior management – must acknowledge and continually reinforce this direct reporting relationship between the audit committee and the external auditor in their everyday interactions, activities, communications and expectations.
Monitoring behaviour
In recent years, a number of highly publicised corporate crises that have damaged corporate reputations were due, in part, to failures to manage key risks posed by the company’s culture, tone at the top and incentive structures. Issue #9 for 2018 is monitoring the impact of the tone at the top and the corporate culture on the company’s compliance programmes, as well as the wider business and regulatory environment. This is particularly true in a complex business environment as companies move quickly to innovate and capitalise on opportunities in new markets, leverage new technologies and data, engage with more vendors and third parties across longer and increasingly complex supply chains and, as a result, face heightened compliance risks.
As a result of the radical transparency enabled by social media, the company’s culture and values, commitment to integrity and legal compliance and brand reputation are on display as never before, so audit committees need to use all the tools at their disposal – including internal audit and other assurance functions to assess whether the desired culture is the culture that actually persists throughout the organisation.
Issue #10 finishes this round-up of audit committee issues for 2018, and it is around making the most of the audit committee’s time together. Audit committees should look at streamlining committee meetings by insisting on quality pre-meeting materials (and expecting them to have been read), making use of consent agendas and reach a level of comfort with management and auditors so that routine financial reporting and compliance activities can be ‘process routine’ (freeing up time for more substantive issues). Think about how the committee can best leverage the array of resources and perspectives necessary to support its work. Does the committee spread the workload by allocating oversight duties to each member, rather than relying on the committee chair to shoulder most of the work? Does the committee spend time with management and the auditors outside of the boardroom to get a fuller picture of the issues? Take a hard, honest look at the committee’s composition, independence and leadership. Is there a need for a fresh set of eyes? Is it time for a rotation?
About the Author:
Timothy Copnell is the Chairman of KPMG’s UK Audit Committee Institute. Timothy qualified as a chartered accountant in 1989 and joined KPMG’s Department of Professional Practice in 1993 where he took responsibility for corporate governance matters and KPMG’s non-executive programme. His role includes advising on private sector corporate governance and responding to major UK corporate governance developments. In 2004/5 Timothy was awarded the Accountancy Age ‘Accountant of the Year’ for his work with audit committees. Timothy writes regularly for various publications and is the Author of the Audit Committee Guide (ICSA 2010) and Shareholders Questions and the AGM (ICSA 2007).
