Topical webinars featuring Protiviti’s subject-matter experts rank among our most popular content — both live and on demand. One of the best features of the live versions are the questions from participants, which offer insight into what’s top of mind for them. Our recent webinar on the 2018 Audit Committee Agenda drew out some interesting questions, which we are happy to share as part of our series on the top issues for audit committees this year.
Joining us at the webinar as a presenter was Susan Haseley, Managing Director, Executive Vice President and leader of Protiviti’s Diversity and Inclusion initiative. Susan will address questions from the audience related to culture that she answered at length during the webinar, in a separate blog post. Below, we want to share our views on a few other questions raised by webinar attendees.
Q: Should the audit committee be concerned with financial risk where there is an established risk committee?
DeLoach: The simple answer is “yes.” To be effective, audit committee members must understand the business context in which they operate. Even if there is a separate risk committee, the listing standards of the New York Stock Exchange require the audit committee to discuss risk management and risk assessment processes. That, obviously would be done in cooperation with the risk committee. For companies listed on other exchanges, the audit committee should be apprised of significant financial risks because of their potential ramifications to public reporting.
Wright: The audit committee should always be involved to the extent that any financial risk is significant, in terms of dollar amount or clarity, to require disclosure — in which case it would come back to them as a matter of financial reporting.
Q: How does the scope of the audit committee within financial controls limit its outreach to emerging risks such as cyber and data privacy?
Wright: Technically, nothing can limit the committee’s outreach into areas like that – but they should take care not to take on more than they should when others are better positioned to do so. The audit committee has an obligation to at least understand what should be disclosed, even if it is just to ensure that it is brought to another committee or to the board of directors. There are also specific cyber risk disclosure requirements in the business section of an SEC filing, pursuant to regulation S-K, that would fall under the audit committee’s financial reporting jurisdiction. See our recent Flash Report on the most recent SEC guidance concerning cybersecurity disclosures.
DeLoach: I think that emerging risks can and will have an impact on determining that business context I mentioned earlier.
Q: Do you see audit committees moving to a more frequent model of meeting?
DeLoach: This is part of what the assessment of committee effectiveness is about. The audit committee agenda has been crowded for a long time. I think that comes with the territory. But as part of the assessment of the committee’s effectiveness, the committee should consider the sufficiency, frequency and duration of its meetings. Committee meetings are often planned around board meetings, so there may be a need for an occasional special meeting when there is a significant transaction such as a merger or an acquisition. That could be done online or by teleconference. Even ad hoc sessions may be useful, with individual committee members meeting with management, such as when an audit committee chair has periodic discussions with top executives between formal meetings.
Feel free to download a copy of our Bulletin, Setting the 2018 Audit Committee Agenda, which includes our view of the current challenges companies are facing and illustrative questions for audit committees to consider. The recorded webinar can be accessed here.