All audit committees have an agenda that they follow every year. And while every organization faces its own unique challenges, there are some agenda priorities we believe that all audit committees and executive leadership should consider. Protiviti’s take on what those items should be for 2018 is outlined in the latest issue of The Bulletin, and we will be discussing them throughout the year.
I recently had the opportunity to present our recommendations for the 2018 audit committee agenda in a webinar, which I hosted along with my colleagues Susan Haseley, Executive Vice President and Leader of Protiviti’s Diversity and Inclusion initiative, and Chris Wright, Regional Managing Director in the U.S. Northeast Region and firm-wide leader of Protiviti’s Finance Remediation and Reporting Compliance and Public Company Transformation practices. In this post, I will cover the first two of eight recommendations: periodic assessments of committee effectiveness and obtaining a sufficient business context for discharging committee responsibilities.
Periodic Assessments of Committee Effectiveness
In a constantly changing environment, it is a good idea for companies and key leaders to take stock of what they’re doing, in the spirit of continuous improvement. The audit committee is no exception. It just makes good business sense to ascertain whether the committee’s agenda is focused on the appropriate topics and whether committee members possess the requisite experience and expertise to tackle those topics. This assessment should cover questions in such areas as:
- For example, are all members of the committee financially literate, and is there at least one member who is an expert in financial reporting matters germane to the issues the company faces?
- Does the committee give adequate attention to the financial reporting process, e.g., annual and quarterly financial statements, earnings statements, non-GAAP disclosures, critical accounting policies and so forth? Does it provide oversight of appropriate financial reporting controls and disclosure controls and procedures? And does it focus on the hiring, retention, performance and compensation of the external auditor?
- Timely escalation of critical issues. For the committee to provide effective oversight, it needs to stay current on critical matters. For example, is the committee being notified in a timely manner of significant deficiencies and material weaknesses? Is it being notified promptly of significant compliance issues? Are there effective procedures for handling complaints and employee concerns on accounting, financial reporting, internal control, auditing and other related issues?
- The role of the audit committee needs to be clearly defined. Does the committee oversee the organization’s ethics and legal compliance policies? What about the sufficiency of frequency and duration of committee meetings? And is there a process in place when the committee reports audit activities to the full board? Is there a process in place to ensure that all matters in the committee charter are covered sufficiently by the committee’s activities during the year?
This kind of periodic assessment will help to ensure that the audit committee is focused on, and performing effectively against, its primary objective, which should be oversight of the quality of financial and other information reported to investors.
Obtaining Business Context
Oversight cannot be performed in a vacuum. Audit committee members have to understand the critical risks their organization faces and the context in which they operate in order to effectively discharge their responsibilities for reliable financial reporting. Some committees serve New York Stock Exchange listed companies and so are required to discuss policies with respect to risk assessment and risk management. Other committees serve companies listed on other exchanges that have no such requirements. And still other committees serve non-public companies. For every audit committee the circumstances are different, but every audit committee needs a strong business context by which to discharge its respective activities.
We recently completed a survey of the top risks for 2018, which is available on our website. If you look at those risks in that report, you will notice that there are a number of items that can impact the sustainability and viability of the business model and the reputation of the company, the sufficiency of the organization’s talent and the susceptibility of the organization to internal control, risk management and compliance breakdowns. This is why, as audit committees deal with their number one job – the quality of financial reporting – they must be knowledgeable of the company’s risk profile and must focus on critical enterprise risks and emerging business risks in order to discharge their responsibilities for financial reporting effectively.
Are Risk Oversight Responsibilities Part of the Audit Committee Agenda?
If the audit committee is responsible for the board’s risk oversight, one comment is in order. With COSO’s release of its ERM framework, we expect more questions over the next five years at the board and senior management levels on advancing risk management to meet the challenges of an unpredictable and volatile world. The COSO ERM framework will help organizations focus on four important things – integrating the ERM process with strategy, integrating risk with performance, tying risk considerations into decision-making processes, and laying a foundation for strong risk governance and culture.
How do the top agenda items link to top ERM risks? Certain risks, such as cybersecurity, privacy and identity management and other related issues, must be considered from a disclosure perspective. Many of these risks can have public reporting ramifications either directly to the financials themselves or through other impacts. This might include, for example, the impact on the risk factors disclosure and management discussion and analysis (MD&A). If the audit committee’s chartered activities so dictate, the committee may also have oversight concerns related to specific risk areas, such as, say, risks related to cybersecurity and culture.
Taking time to critically assess the focus and qualifications of the audit committee and to understand the importance of business context in shaping the focus of the committee will go a long way toward ensuring effective oversight. Susan and Chris will be following up with subsequent posts exploring the rest of our suggested 2018 audit committee agenda. I hope you’ll check back for those. In the meantime, you can view our recorded webinar on demand.