It was a good kickoff of the new year, with more than 1,500 forward-looking directors and executives logging on to our January 7th webinar, Setting the 2016 Audit Committee Agenda. Hosted by Protiviti’s Brian Christensen, David Brand and me, the webinar was based on our latest issue of The Bulletin, which I’ve tweeted about, but have not previously addressed here.
Given the high attendance and rapid-fire Q&A (we will be covering some of these questions on this blog soon), I want to recap Protiviti’s ten Mandates for Audit Committees in 2016 that shaped the discussion. These mandates are intended to augment the normal, ongoing operations of the committee. The first five address enterprise, process and technology risk issues. The rest focus on financial reporting issues.
- Ensure the risk profile reflects current business realities. Historically, boards have looked at their risk profiles annually. That was the case for more than half of webinar participants (51.5 percent). Given the increasing economic, political and global risk volatility, it is critical that boards ensure that the risk profile remains current and that emerging risks are identified in a timely manner as the risk landscape changes. The audit committee has either a direct or indirect interest in having a current view of the organization’s risks, depending on the risks’ impact on public and financial reporting.
- Understand the technology-related risks that present threats to the business model. Whether your company is creating the disruption or reacting to it, audit committees need to stay abreast of these changes. For example, the United States Securities and Exchange Commission (SEC) requires listed companies to disclose significant cybersecurity breaches and other related matters.
- Pay attention to risk culture and the tone of the organization. Recent catastrophic risk management failures have one thing in common: The tone at the top was not as strong as it could have been. A resounding majority of webinar participants (86.5 percent) said maintaining a robust risk culture is important to leaders in their organization. I hope this is true for your organization, as well.
- Consider the need for expanded capabilities of the finance organization. Big data, business intelligence, reporting enhancements – all of these changes, along with the increasing regulatory/compliance burden, are increasing demands on the finance organization, particularly in the areas of automation and information technology. Make sure your organization has allocated adequate resources to this critical and growing area.
- Consider the need for expanded capabilities of the internal audit function. As risk management matures, internal audit’s role as the third line of defense changes. Every year, technology-enabled auditing and data analytics rank as top challenges in our Internal Audit Capabilities and Needs Survey – which means we’re not making the progress that needs to be made. And the list of internal audit priorities continues to grow. The audit committee needs to ensure that internal audit is sufficiently resourced to execute its risk-based audit plan.
- Make the necessary process adjustments to enable the new revenue recognition standard. It’s common knowledge that public companies must comply with new Financial Accounting Standards Board (FASB) revenue recognition standards beginning with calendar year 2018. The task here is to make sure that your company gets started. There’s a lot of work entailed, even if it’s just in determining how the new rules affect your organization – and yet, less than 40 percent of organizations have even started.
- Review the Public Company Accounting Oversight Board (PCAOB) inspection report on the audit firm and understand how it impacts the audit process. As the PCAOB increasingly holds audit firms accountable for the quality of their audits, it could affect what auditors are looking for when they audit your organization. Audit committee members should review the PCAOB inspection report on the company’s audit firm and determine whether there are any implications for the organization. Also, the PCAOB is seeking public comment on a draft of 28 audit quality indicators, and audit committees need to keep an eye on that development.
- Consider the PCAOB-audit committee dialogue. Both the PCAOB and the SEC have increased their outreach to audit committees. We encourage audit committee members to obtain an understanding of what these organizations expect in a quality audit.
- Pay attention to developments on the lease accounting front. There’s a new standard on leases coming out in early 2016 that will have a significant effect on so-called “off balance sheet” financing. Going forward, both operating and capital leases will have to be accounted for on balance sheets. If this impact is significant, the company may need to start thinking about the related implications to contractual agreements, loan covenants and capital ratios, among other things.
- Ascertain the implications of the SEC’s concept release on audit committee disclosures. The SEC wants more transparency into audit committee activities. In 2015, the agency issued a concept draft of new audit committee disclosures. If you haven’t reviewed these already, you need to.
As 2016 builds a full head of steam, it promises to be a wild ride. As always, we’ll be here at The Protiviti View to help you find the signal amid the noise. If your audit committee has other priorities that aren’t on this list, I’d love to hear them. Feel free to weigh in, in the comment section below.