Audit committees play a vital role in overseeing the integrity of financial reporting. But in today’s shifting risk landscape, is your audit committee paying attention to the right things?
Most audit committees are effective at executing their core responsibilities, such as selecting and overseeing the independent auditor. Optimizing your audit committee, rather than falling prey to a checkbox mentality, starts by following a risk-focused approach.
Exceptional audit committees seek an understanding of the financial and operational risks specific to their organizations, and they ask probing questions about how their organizations are lowering those risks. When necessary, these committees seek input from external sources, such as the independent auditor, internal auditors, executives in peer organizations, or industry experts.
While each organization has its own top risk areas, we do see some commonalities. Below are topics that we recommend audit committees include in their 2019 agendas, along with questions to ask management or the independent auditors:
- Data security. Information security should be a top priority for every organization that stores or processes sensitive information, such as medical records, Social Security numbers, and bank account numbers.
Audit committees don’t need to be information security experts. They just need to approach the issue from a risk identification standpoint and ask some critical questions. For example:
- What types of information are we storing, processing, or transmitting?
- How could that data be compromised?
- What policies and procedures do we have in place to secure that information?
- What internal resources monitor the effectiveness of those policies and procedures?
- Should we supplement our capabilities with third-party consultants, such as through security audits or penetration testing (i.e. ethical hacking)?
If your organization stores, processes, or transmits sensitive data, then you should consider performing or updating a cybersecurity risk assessment. Also, consider whether cyber risk should become a regular fixture of the full board’s agenda.
- Fraud. Occupational fraud is another risk that affects every type of organization — from global public companies to small, family businesses. In many cases, fraud hits smaller organizations even harder than it does those larger organizations with more resources. According to Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners, small businesses lose roughly $200,000 per fraud scheme, which is significantly higher than the median loss among all organizations of $130,000.
An engaged audit committee can help prevent occupational fraud or mitigate its effects. To start, your committee should ask questions such as:
- Do we effectively segregate duties and oversee employees responsible for receipt and disbursement of funds?
- Does our accounting system protect against the alteration of transaction information?
- When we add employees and third-party contractors, do we (or our auditors) perform additional testing in those areas?
Performing a fraud risk self-assessment is an important risk management step. But given the likelihood of fraud and what’s at stake, many organizations benefit from bringing in an independent professional to conduct a fraud risk assessment.
- Revenue recognition and lease accounting compliance. The combined effect of these two Financial Accounting Standards Board (FASB) rules is just starting to be felt by accounting departments in private companies. The true impact will come during preparation for audits in the next few years.
Fortune favors the prepared. Audit committees should check that their organizations are on track with their implementation roadmaps. The committee should consider:
- What problems are we encountering with the implementation of the lease accounting, revenue recognition, and any other new accounting standards?
- Do we have the appropriate accounting structure and software to track the data required for compliance?
- Will the addition of leases to our balance sheet create any operational risk, such as issues with debt covenants?
Thankfully, the FASB requires public companies to go first, so private companies can learn from their experiences. One of the key lessons public entities learned about revenue recognition was that the effort was far greater than they anticipated. Private company audit committees should take this lesson to heart and check in early and often with management to make sure the organization is on a path to compliance.
- Regulatory and standards developments. The number of organizations being caught flat-footed by revenue recognition and lease accounting implementation suggests a general lack of communication about regulatory developments. Audit committees can help prevent surprises by ensuring the organization has a process to monitor these developments and inform the appropriate parties.
Committee members should ask management the following:
- Who is responsible for monitoring standard-setters for our sector and our industry?
- How are these developments communicated, and to whom?
- Are the appropriate people receiving the appropriate training in these areas?
- Automation. The new data and processes required to comply with the lease accounting standard alone will be substantial. Audit committees should encourage their organizations’ finance departments to automate these processes as soon as possible. But in the meantime, many organizations will rely on Excel spreadsheets and other manual workarounds. And manual processes increase the probability of human error. Finance functions are automating more and more processes to minimize this risk while increasing efficiency and clearing the way for higher-value activities. Consider adding these questions to the audit committee agenda:
- What are the organization’s plans to use robotic process automation (RPA), artificial intelligence (AI), and machine learning into accounting and finance processes?
- How does the technology cost to achieve automation compare to the human resources currently required for those tasks?
- What value could we derive from the finance function by redirecting those human resources?
- How are we leveraging data and analytics for deeper insight into the organization’s performance?
- How are we attracting, developing, and retaining the talent needed to achieve this transformation?
Are You on the Same Page with Your Auditors?
Your audit committee should communicate closely with the audit firm regarding key risk areas. At the outset of the audit, your independent audit firm should solicit the committee’s input regarding key risk areas, followed by regular status meetings throughout the audit. During the end-of-audit presentation, many auditors share insights from their experiences with similar organizations, including benchmarking key performance metrics and suggesting ways to elevate not only your audit committee but also your organization’s performance. For more information about how to improve your audit committee’s agenda, be sure to reach out to your local CRI advisor.