Operating against a backdrop of global volatility and economic uncertainty, with business and regulatory risks becoming more complex and challenging, audit committees will need to manage their agendas carefully in 2020, keeping financial reporting integrity front-and-center. As the SEC noted recently, “Effective oversight by strong, active, knowledgeable and independent audit committees significantly furthers the collective goal of providing high-quality, reliable financial information to investors and our markets” (Jay Clayton, Sagar Teotia, and William Hinman, “Statement on Role of Audit Committees in Financial Reporting and Key Reminders Regarding Oversight Responsibilities,” Dec. 30, 2019, http://bit.ly/36ERw7I).
To help audit committees stay focused and optimize their time, KPMG’s Audit Committee Institute has highlighted seven items to consider when assessing and prioritizing the 2020 agenda:
- Maintain (or regain) control of the committee’s agenda
- Reinforce audit quality and set clear expectations for the external auditor
- Closely monitor management’s progress on implementing FASB’s new credit loss standard
- Redouble the focus on the company’s ethics, compliance, and whistleblower programs
- Understand how technology is impacting the finance organization’s talent, efficiency, and added value
- Reassess the scope and quality of environmental, social, and governance (ESG) or sustainability reports and disclosures
- Help ensure that internal audit’s eyes and ears are focused on key risks beyond financial reporting.
Control the Agenda
Nearly half of the 1,300 audit committee members responding to the KPMG 2019 global audit committee survey said it is “increasingly difficult” to oversee the major risks on the audit committee’s agenda in addition to its core financial reporting oversight responsibilities. Committees are being asked to oversee cybersecurity and information technology risks; ESG risks; operational risks; and legal and regulatory compliance. Members should reassess whether the committee as a whole has the time and expertise to oversee the risks it has been assigned.
Reinforce Audit Quality
Audit committees must work closely with the external auditor and set clear expectations. They also should probe the audit firm on its quality control systems that are intended to drive sustainable, improved audit quality, including the firm’s use of new technologies. In discussions with the external auditor, committees should consider PCAOB and internal inspection results along with efforts to address deficiencies. They should also monitor the PCAOB’s quality control initiatives, including the December 17, 2019, concept release soliciting public comment on potential revisions to its quality control standards.
Monitor Management’s Progress on CECL
ASU 2016-13, Financial Instruments–Credit Losses, with its guidance on the current expected credit losses (CECL) model, took effect on January 1, 2020, for calendar-year public companies that are not eligible to be smaller reporting companies (SRC). Other public entities and private companies, such as nonprofits and employee benefit plans, are not required to implement the standard until 2023. They should take advantage of the extra time to learn from the implementation issues encountered by SEC filers that are not SRCs, confirm the preparedness of their technologies and systems (or develop new solutions), and solidify their business processes and controls over implementation and reporting. Both financial and nonfinancial services companies are affected, as many financial instruments are within the new standard’s scope.
Audit committees must understand how management has determined the transition impact of adoption and what the external auditor has done to evaluate the transition impact. Committees also should discuss with management the company’s readiness to operate and report under ASU 2016-13. They should understand the impact on internal controls over financial reporting, new disclosure requirements, and the impact on disclosure controls and procedures. The external auditor is in a unique position to provide insights on the company’s reporting processes and internal controls.
Focus on Ethics and Compliance
Social media has put companies’ culture and values, commitment to integrity and legal compliance, and reputation on full display, making the reputational costs of failure higher than ever. The focus should be on behavior, not just results. The audit committee should ask if the company’s corporate culture makes it safe for people to do the right thing. It should review the effectiveness of the company’s whistleblower reporting channels and investigation processes in today’s environment. Does the committee see all whistleblower complaints? If not, what is the process to filter complaints?
Fundamental to an effective compliance program is the right tone at the top and an organizational culture that supports the company’s strategy and its commitment to its values and ethics. This is particularly true in a complex business environment, as companies innovate and capitalize on new markets, leverage technology, and engage with third parties across longer, more complex supply chains. Coupled with the challenging global regulatory landscape—new data privacy, environmental, healthcare, financial services, and consumer protection regulations, along with the Foreign Corrupt Practices Act and the U.K. Bribery Act—compliance risks and vulnerabilities require vigilance.
Understand Technology’s Impact
Technology changes present opportunities for the finance function to reinvent itself and add greater value to the business. As audit committees monitor and guide finance’s progress in this area, they should understand the organization’s plans to leverage robotics and cloud technologies to automate manual activities, reduce costs, and improve efficiencies. Audit committees should also understand how finance will use data analytics and artificial intelligence to develop sharper predictive insights and better deployment of capital. The finance function is well positioned to guide the company’s technology agenda and to consider the implications of new transaction-related technologies. As the finance function increasingly combines strong analytics and strategic capabilities with traditional financial reporting, accounting, and auditing skills, its talent and skill-set requirements must change accordingly.
Reassess ESG/Sustainability Disclosures
Nearly all S&P 500 companies provide some form of ESG or sustainability reports, but there are growing concerns about the quality, comparability, reliability, and usefulness of these reports. Institutional investors are demanding more information and seeking engagement with companies on core ESG issues and their impact on the company. Employee and consumer activism is in its early stages, but it is growing, and there continues to be large number of shareholder–driven ESG proposals, particularly on environmental and social issues.
The Business Roundtable’s “Statement on the Purpose of a Corporation” (http://bit.ly/2GAo9ZC) will likely increase expectations for companies to explain how they are meeting their ESG commitments. Given increasing stakeholder demands for more transparent, higher-quality, and comparable ESG reporting, the audit committee can serve as a catalyst, recommending that the board encourage management to reassess the scope and quality of ESG reports and disclosures. This may be a significant undertaking and would likely include benchmarking, considering the methodologies and standards used by firms that rate companies on ESG practices, understanding stakeholder expectations, and reviewing ESG reporting frameworks for potential use. To bring the right focus and attention, a board committee, such as the audit or governance committee, should oversee the effort. Management’s disclosure committee should be part of these discussions to help ensure that the company has the necessary infrastructure—including disclosure controls and procedures—to support its ESG reporting.
Focus on Key Risks beyond Financial Reporting
Highly publicized corporate crises can damage company reputations, due in part to a failure to manage key risks such as tone at the top and culture, legal and regulatory compliance, incentive structures, cybersecurity and data privacy, ESG risks, and global supply chain and outsourcing risks. The audit committee should work with the chief audit executive and chief risk officer to identify the risks that pose the greatest threat and help ensure that internal audit is focused on those risks and related controls. The audit plan should be risk-based and flexible to adjust to changing business and risk conditions.
Audit committees should understand the changing operating environment, along with the risks posed by digital transformation and the company’s sourcing, outsourcing, sales, and distribution channels. They should ask whether the company recognizes the early warning signs regarding safety, product quality, and compliance. They should understand the role internal audit plays in monitoring the culture. And they need to set clear expectations and ensure that internal audit has the resources, skills, and expertise to succeed, while helping the chief audit executive think through the impact of digital technologies on internal audit.
The above topics are not the only issues that will feature prominently on audit committee agendas in 2020, but this list should spark a discussion about where the committee will focus its time and attention in the year ahead.