In this new Bulletin, consultant Protiviti identifies key issues for the 2021 audit committee agenda and—no surprise—at least half reflect the impact of COVID-19. The agenda includes four topics related to enterprise, process and technology risks and four related to financial reporting, with a reminder regarding ESG. Also available is an audit committee self-assessment questionnaire. The topics suggested for the audit committee agenda are summarized below.
Enterprise, process and technology risk issues
- “Consider shifts in the risk landscape to establish an appropriate business context.” The pandemic and its fallout have presented the most obvious risks of disruption to the context in which businesses operate. For some companies that disruption has been dramatic, including business shutdowns, changing consumer behaviors, changing workplaces (e.g., work from home, health safety compliance), supply chain issues and uncertainties related to the economy. Continued disruption, Protiviti suggests, could impair the ability of the company and its management to maintain the company’s culture and “spill over to the internal control environment.” Other risks that audit committees should consider include domestic and international politics and regulation, cybersecurity and the digital economy. In addition, the agenda observes, “[n]o discussion of changing risk profiles is complete without reference to the circumstances calling attention to the importance of social equity and equal justice. These circumstances—and what has been, in most cases, a vocal and supportive response by businesses to do more to level the playing field—set a context for the audit committee’s role in evaluating the diversity of its composition, the treatment of company management and staff and company engagement with partners and stakeholders consistent with the board’s overall focus on the CEO’s commitment to social responsibility—including diversity, equity and inclusion issues.” Understanding all of these risks can help the committee assess the adequacy of the company risk factor disclosures, inform consideration of financial reporting and “put into proper context” the representations from management, the outside auditors (through CAMs and otherwise), as well as internal control issues and concerns raised by internal audit.
- “Work with the CFO to review the finance function’s resiliency.” The issue of resiliency, the agenda suggests, has risen to the forefront as a result of the pandemic. Audit committees should assess with the CFO how well financial reporting functioned with employees working from home, whether productivity was acceptable, whether improvements are required, whether processes needed to be redesigned, whether employees had the technology and tools they needed and whether improvements can be sustained in 2021. Advanced digital operating capabilities may be a key, the agenda suggests, to achieving an effective remote workplace.
- “Encourage the CFO to function as a strategic partner in addressing cybersecurity, privacy and other key priorities.” In addition to technology investments to support digital operations, the audit committee is advised to consider whether finance is “sufficiently resourced to focus on such matters as evolving cyber threats, more advanced data analytics, internal customer expectations, financial planning and analysis, regulatory challenges, and internal controls as a strategic partner with the rest of the organization?” Is finance appropriately contributing its expertise to address issues such as cybersecurity? Is finance working with internal customers to address expectations for more insight and analysis? How is the CFO assessing the talent and skills investments necessary to address future disruptions and opportunities?
- “Work with the CAE [chief audit executive] to formulate appropriate imperatives for internal audit to ensure the function’s continued relevance.” A recent Protiviti survey found that audit committees have demonstrated increased interest in internal audit “transformation and innovation.” The key question is whether the CAE is “effective in achieving appropriate risk coverage, agile responses to new and emerging risks, and efficient delivery of value-added insights regarding risk culture, risk management capabilities and the internal control environment?” The “transformation process” for internal audit should make its way onto the committee’s agenda for an appropriate length of time: according to Protiviti, the “opportunity before the audit committee is for internal audit to enhance its value proposition by becoming a problem-solver, rather than a mere problem-finder.”
Financial Reporting Issues
- “Address accounting and reporting implications of operational adjustments during the pandemic and recession.” Given that many companies were compelled to make significant changes to their operations as a result of the pandemic, the audit committee will need to discuss with management and the outside auditor whether these changes have been properly accounted for and reported. Changes might include discontinued operations and divestitures, termination benefits, government assistance (such as PPP loans) and the impact of contract modifications, such as debt restructuring or covenant breaches or waivers.
- “Assess COVID-19-related impacts on financial reporting assertions.” Financial reporting often involves significant judgments and estimates. The pandemic—and especially the uncertainty it has created—has required companies to reevaluate many of these estimates and judgments. Protiviti recommends that audit committees discuss with management and the outside auditor the impact of the pandemic on these significant accounting estimates to assess whether the accounting and disclosure are understood and addressed. In particular, COVID-19 may have affected estimates regarding asset impairments, goodwill impairment, net realizable value of inventory, costs of significant excess capacity (as a result of work slowdowns or material shortages), fair value measurement, loss contingencies, the impact of variable customer contract consideration (such as discounts and concessions), exposure considerations and impairment of receivables, loans and investments. Significant subsequent events would also need to be considered.
- “Evaluate the pandemic’s near-term and longer-term impacts on the internal control environment.” Notably, the imposition of the work-from-home environment as a result of the pandemic may have affected internal control over financial reporting, cybersecurity and exposure to compliance and fraud risk. In addition, companies may need to reimagine the workplace in planning for a return to the physical office, which could involve more space (for social distancing), work shifts or hybrids, along with technology enhancements and health protocols. Given the audit committee’s role in advocating for a strong internal control environment, Protiviti recommends that the audit committee consider making inquiry regarding issues such as legal compliance, changes that may have affected the integrity of the company’s internal control structure or key controls, segregation-of-duties issues, cybersecurity and fraud risks.
- “Consider the nature of critical audit matters raised by the independent auditor.” The audit committee should evaluate with management and the auditor any CAMs identified by the auditor to understand the underlying issues and verify that the related disclosures are clear. Protiviti suggests that if “there are significant judgmental issues on which management and the auditor do not agree, or if management is applying aggressive accounting principles, there may be an opportunity for the committee to inquire of management as to whether the company’s accounting and reporting processes can be streamlined and improved.”
- “Assess other matters: Keep an eye on ESG developments.” Protiviti observes that “market forces continue to elevate the importance of ESG-related matters. It’s a matter of when, not if, the market can expect more rulemaking and standard-setting on ESG-related impacts.” That may be especially true with a new administration and new SEC Chair, who may advocate a more prescriptive, less principles-based approach to ESG disclosure, particularly issues such as climate risk and diversity. The agenda also advocates that audit committees make a point of reviewing the company’s disclosure in response to the SEC’s new human capital disclosure requirement in light of developments occurring at the company.