Effective Audit Committees: Operating in the Changing Business Risk Environment

Now and for the foreseeable future, organizations must navigate an ever-more turbulent, unpredictable and fast-paced environment, with ever-increasing expectations about the role of corporations/organizations in society. The boards of directors that guide corporate activity need to adapt to assure that corporate governance keeps pace. 

Audit Committees play an increasingly important role in assisting boards to discharge their responsibilities. The business and risk environment has changed dramatically in recent years, with surging inflation, global economic volatility, recession, supply chain disruptions, cybersecurity risks, ransomware attacks, and social media risks placing new demands on organizations’ talent management. Increasing demands from customers, employees, investors, regulators and other stakeholders for action will require increased action, disclosure and transparency.

In light of this changing business and risk environment, Audit Committees should keep these seven areas top of mind when setting agendas in the next few years:

  • Financial reporting & Internal controls
  • Financial statements
  • External auditor relationship
  • Internal auditor focus
  • Compliance and ethics programs
  • Risk management
  • Deterring fraud

Audit Committee basics

The Audit Committee is critical to the corporate governance structure of most entities. The Committee has general oversight responsibility for an organization’s financial reporting process and its system of internal controls. In most cases, it is responsible for retaining and overseeing the performance and independence of the organization’s external auditor.

The Audit Committee increasingly serves as the forum where internal and external auditors, legal counsel, IT/cyber personnel, and compliance/ethics personnel candidly report and discuss key issues, like accounting, auditing, compliance, ethics/fraud, financial reporting, legal, and risk management.

Common sense, diligence, and an attitude of constructive skepticism are important qualifications for Audit Committee members. All major securities markets require that committee members are financially literate, with at least one committee member having accounting or financial management experience. The Sarbanes-Oxley Act requires all public companies to designate a “financial expert” in their annual report or proxy statement to the SEC.

Financial reporting & internal controls: Still the key responsibility

Focusing on financial reporting and internal control considerations will remain a top priority for Audit Committees. Given the current geopolitical, macroeconomic, and risk environment, as well as changes such as shifts in the organization’s business functions or digital transformations, internal control systems will be tested in the years to come.

The Committee should discuss with management how the current environment affects its procedures and controls and its assessment of the effectiveness of the organization’s Internal Control Over Financial Reporting (ICOFR). The Committee should regularly take a fresh look at the organization’s control environment, asking this important question: Are controls keeping pace with the organization’s operations, business structure, and changing risk profile, including cybersecurity risks?

Financial statements: Thoughtfully including new disclosure requirements

With today’s uncertainties, companies are making more tough calls. Audit committees must emphasize the importance of well-reasoned judgments and transparency, including contemporaneous documentation demonstrating the application of a rigorous decision-making process.

The changing environment may require more frequent disclosure of changes in judgments, estimates, and controls. Public companies and reporters, for certain, should continue to disclose matters that directly or indirectly impact the organization’s business.

Audit Committees should focus on management’s disclosures about the impact of supply chain disruptions, inflation, interest rates, risk of recession, and heightened cybersecurity risk. Focus on impairment of assets, forward-looking cash-flow estimates, fair value estimates, non-GAAP measures, and going concern issues—all will be important.

Interest in environmental, social, and governance (ESG) matters is intensifying. The SEC has recently issued disclosure rule-making on human capital and a broadening array of ESG issues, so determining the roles of the audit or nominating/governance committees will be necessary.

External auditor relationship: Reinforce expectations for audit quality and clear communications

The Audit Committee should review with the external auditor and the chief financial officer or chief accounting officer major issues regarding, and any changes in, choices of accounting principles. It may also be helpful to ask the external auditor to inform the committee of the consideration of alternative choices of accounting principles or disclosures.

The committee must also review the quality of management’s accounting judgments with the external auditor. A fully engaged audit committee that sets the tone and clear expectations for the external auditor and monitors auditor performance rigorously through frequent communications and a robust performance assessment enhances audit quality. By setting clear expectations for frequent, candid, and open communications between the external auditor and the audit committee, the audit engagement should provide the committee greater value.

Taking the discussion beyond the traditional auditor-required communications gives the Audit Committee insight into the organization’s culture, quality of talent, and tone at the top. Always remember that audit quality requires the commitment and engagement of everyone in the process: the auditor, Audit Committee, internal audit, and management.

Internal auditor focus: Ensure activity is directed at key risks 

Internal audit is a valuable resource to the audit committee and top management on risk and control matters. With the rapidly evolving business risk environment, internal audit can provide a perspective on the adequacy of the organization’s risk management process.

Internal audit should develop views on human capital management, diversity, equity and inclusion (DEI), talent, leadership, corporate culture, cybersecurity, data governance, and data privacy. The Audit Committee should assess whether the internal audit plan is risk-based and flexible enough to adjust to changing business and risk conditions.

Audit Committees should work with the chief audit executive and chief risk officer to help identify the risks that pose the greatest threat to the organization’s reputation, strategy, and operations. Internal audit must regularly demonstrate its focus on these key risks and related controls.

Compliance and ethics programs: Sharpen focus on ethics, compliance, and culture

The reputational costs of an ethics or compliance failure are higher than ever, particularly given the increased fraud risk and pressures on management to meet financial targets. Unless another board committee is responsible for compliance, the Audit Committee should assume this responsibility and meet, as necessary and as appropriate, with management responsible for the organization’s codes of business conduct and compliance policies.

Fundamental to an effective compliance program is the right tone from the top and a culture that is committed to its stated values, ethics, and mission. Legal and regulatory compliance will be enhanced when culture and respect for doing the right things are embedded in standard operating procedures and respected by everyone in the organization.

A closely monitored program with leadership and communications reinforcing this desired behavior is more important than ever. Board or committee members should question whether the organization’s culture makes it safe for employees to do the right thing. Visiting the field and meeting employees to better understand the culture and reinforce the organization’s expectations for high ethical standards and regulatory compliance greatly help.

Today it is even more critical that regulatory compliance and monitoring programs are up to date and cover all key vendors and partners. The Audit Committee or its Chairperson should review all whistleblower-reported matters and see they are appropriately investigated. With the transparency enabled through social media today, the organization’s values and culture, commitment to integrity and compliance, and brand reputation are on full display.

Risk management: Consider the broader definition of risks impacting your organization and explore risk oversight/mitigation

The increasing complexity and fusion of unfolding risks require a more holistic approach to risk management. Stakeholders are demanding higher quality and more insightful disclosures in many areas; and the newest relate to ESG.

Given this challenging risk environment, many boards are reassessing the risks assigned to each board committee. At first, most boards assigned risk management overall to the Audit Committee. More recently, boards are transferring certain risks to other committees or creating new committees. ESG risks and disclosures are more frequently assigned to a Governance Committee (environmental and social policy), HR Committee (DE&I and human capital disclosure), Audit Committee (cybersecurity), or Finance Committee (climate/carbon capture).

An overriding consideration should be: Does the committee have the skill set to oversee a particular risk category? Should the board consider additional/new directors with skill experience to help oversee specific risks? Additionally, risks will often lend themselves to oversight by multiple committees. In such instances, it is important to clearly delineate the responsibilities of each committee and think clearly about how to coordinate committee activities.

Maintaining critical alignments of strategy, goals, risks, internal controls, incentives, and performance measures is essential to effectively managing an organization’s risks. Today’s environment makes maintaining these critical alignments particularly challenging. The full board and each committee should play a key role in helping to ensure that management’s strategy, goals, objectives, and incentives are appropriately aligned, performance is rigorously monitored, and that the organization’s culture is the one it desires.

Deterring fraud: Consider the committee’s role in times of crisis

Organizations that encourage ethical behavior are more resistant to misconduct, including financial reporting fraud. A strong ethical culture hedges against all three sides of the fraud triangle: pressure, opportunity, and rationalization. In an ethical culture, pressure to commit fraud is counteracted through sound risk management strategies and appropriate incentives. An organization’s culture will support well-designed controls that reduce opportunities for fraud and increase the likelihood of early detection. A culture of honesty limits an individual’s ability to rationalize fraudulent actions. 

Another vital ingredient in an ethical culture is skepticism. Management should encourage employees to not only feel comfortable but obliged to question and challenge the results for which they are responsible. Audit Committee members can use skepticism to spot red flags at points throughout the financial reporting process that others may not be in a position to see, even if it means challenging assumptions and asking tough questions. Skepticism is a key component that can strengthen an organization’s fraud risk management program. 

Audit Committee members and all members of the financial reporting supply chain are responsible for promoting integrity in the financial reporting process, whether due to regulatory mandates, codes of ethics, the duty to safeguard the organization’s reputation and assets, or other such factors. Disruptions, emergencies, or other unexpected crises also threaten skepticism because challenging environments often increase the pressure, opportunity, and rationalization for fraud.

While management’s attention is focused on the outcome of a crisis, they can increase their efforts to mitigate fraud and misconduct risk by enhancing skepticism. Actionable steps to exercise an appropriate level of skepticism include:

  • Understanding the limits of one’s objectivity
  • Avoiding jumping to conclusions
  • Keeping an open mind
  • Avoiding unwarranted faith in data
  • Honing critical thinking skills
  • Seeking expert advice
  • Recognizing critical areas
  • Training everyone on the importance of a skeptical mindset and how to mitigate bias 


Finally, recognize that fraud or misconduct can occur within your organization and those of your partners, vendors, or advisors. This, too, should be considered, as these actions can influence your organization’s reputation and beyond.

Building an effective Audit Committee

Navigating the ever-changing environments of today and tomorrow requires an increasingly agile and well-informed Audit Committee. It needs to be purpose-driven and understand the interrelationships and codependencies between long-term success and the interests of customers, employees, shareholders, and other key stakeholders.