Audit Committee Priorities for 2022
As 2021 draws to a close and we look to 2022, governance oversight advances, enterprise risks multiply, demands for increased transparency in reporting continue, changes to tax policy loom and the effects of the COVID-19 pandemic linger. In preparation for the year ahead, audit committees should prepare for an expanding array of responsibilities and actively seek education that will contribute to audit quality and the integrity of financial reporting. Below are five key areas that should be top of mind for audit committees in the coming year.
1. Evolving Roles and Increasing Responsibilities
2. Topical Financial Reporting Implications
3. Ongoing Pandemic Impacts
4. Digital Investment While Countering Cybersecurity
5. Increased Disclosure and Reporting Demands
6. How Audit Committees Can Prepare for the Year Ahead
Evolving Roles and Increasing Responsibilities
The audit committee has the critical role of overseeing management’s financial reporting and ensuring compliance with rules and regulations. Audit committees often have responsibilities beyond these requirements that should be reflected in their governance charters. As such, it is imperative that the full board continually evaluate the allocation of responsibilities among the committees of the board and aim for a balance in board efficiency without loss in communication, productivity, and impact.
The audit committee is often tapped with broad responsibility for Enterprise Risk Management (ERM), a classification that expands beyond financial reporting risk and continues to evolve with the ever-changing business environment. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) reminds boards of their increasing role in the oversight of ERM, which may include governance and culture, strategy and objective-setting, performance, information, communications and reporting, and the review and revision of practices to enhance entity performance. Having responsibility for the oversight of ERM does not equate to having responsibility over the oversight of each individual risk identified; but rather over the related process and controls surrounding such risks. Audit committees often are expected to keep the board informed on specific risk elements within the ERM framework that further impact reporting and disclosure. As enterprise risks increase in number and scope and extend beyond traditional audit and financial risks to include business risks such as cybersecurity, M&A and/or ESG matters, responsibilities of the audit committee should be carefully evaluated to ensure risk oversight is aligned with the appropriate resources, available capacity, and experience. Certain areas may require specified knowledge and/or expertise beyond what may currently exist within the board. In these instances, the audit committee should have the ability and consider the value of bringing in specialists to educate and/or work with the directors to help inform their decision-making. These specialists may be found within the company, within the auditing firm or via other third-party advisors. Regardless of where the expertise is derived, the board must ensure the appropriate skill level of their advisors and determine that the board is capable of objectively and knowledgeably evaluating recommendations made to it.
Communication and collaboration are critical components in the oversight of risk. Ultimately the full board has responsibility for the governance of an entity. The audit committee accepting the responsibilities outlined in its charter to “dig deep” on issues needs to collaborate with other board committees as necessary and ultimately, communicate their findings and recommendations to the full board. Further, the audit committee should expect from and be expected to provide consistent communication to management, internal and external auditors, and other available resources to timely discuss the impact of risks and how such should be conveyed to stakeholders. As risks evolve, collaboration grows more crucial. Clear lines of communication and responsibilities between the audit committee, management and the auditors may also encourage other departments to proactively involve the audit committee in various decisions that may further impact both audit risk and ERM.
Topical Financial Reporting Implications
At the core of the audit committee’s responsibilities is the oversight of the company’s financial reporting. Continued economic uncertainty requires careful evaluation regarding financial reporting implications for businesses. Accounting estimates, including forecasts and fair value estimates, require a high degree of professional judgment and evaluation. While it is management’s responsibility to develop the assumptions and data methods supporting accounting estimates, it is up to the audit committee to understand and challenge management, which includes consideration of potential management bias in the development of estimates. This has been an area of increased interest and scrutiny from both the SEC and the PCAOB. The SEC requires companies to describe valuation techniques and inputs they use for determining fair value, including those used by third parties. Public entities are also required to disclose the range and weighted average used to develop significant unobservable inputs and are asked about the use of third-party pricing services. The SEC asks companies to describe the procedures they performed to validate the fair value information received from third parties and if adjustments were made, to explain why. The SEC has indicated it is seeking more robust fair value measurement disclosure to assist stakeholders in understanding valuation techniques and inputs used, quantitative information about significant unobservable inputs and the use of third-party pricing services. The PCAOB released Auditing Standard 2501 in 2020 to provide a single audit standard with a uniform, risk-based approach for the evaluation of accounting estimates including fair value measurements which may be referenced by audit committees in their oversight role. 
Directors may also refer to the Center for Audit Quality’s (CAQ’s) publication Understanding the Auditing Requirements for Accounting Estimates and the Use of Specialists and BDO’s Five Point Plan for Forecasting as further support in this area.
Disruption from the pandemic, together with evolving guidance from professional organizations over the past several years, provide the impetus for audit committees to have a keener understanding of how to identify and challenge any potential bias from management as it relates to accounting estimates.
Directors are encouraged to ask:
Which areas are affected by accounting estimates and fair value measurements?
Have we considered all the evidence that led to this accounting decision?
Do the choices management is making hold up against increased scrutiny and industry peer data?
Does the management team have the experience and track record to accurately project these forecasts?
Would the use of a specialist, advisor, or service organization help?
The ability for the audit committee to skeptically consider and independently verify management’s approach to financial reporting as well as engage with auditors on the work performed is a critical component of audit quality and a basis for the integrity of financial reporting. This is highly applicable to the audit committee when it considers tax risk. Forty-nine percent of respondents in the 2021 BDO Tax Outlook Survey identified an enhanced role of tax professionals as strategic partners, with management increasingly looking to the tax function to add value to the organization. It is important for the audit committee to not only recognize how operational priorities will impact financial reporting decisions and disclosures, but to further understand the related tax effects as well. The audit committee may want to ensure management employs a tax control framework to foster a tax risk communication mechanism and clearly defined processes and controls to identify and manage operational tax risk and provide tax transparency. Anticipated changes to domestic and global tax policy present business and financial implications that fall under the audit committee’s purview. The proposed Build Back Better Act passed by the U.S. House of Representatives on November 19, 2021 (and, at the time of this writing, awaiting action in the Senate) will, if enacted, have tax implications for U.S. domestic and international businesses. The audit committee should ensure its members, along with management, are keeping up with changing U.S. tax legislation, while also evaluating the potential impacts of such proposals on tax planning opportunities, company forecasting and financial reporting. In its financial reporting oversight role, the audit committee will want to ensure management has planned for this year’s tax provision year-end close process including considering lessons learned from virtual close cycles experienced during the pandemic.
Recent SEC comment letters indicate particular interest in changes in valuation allowances and forecasts used in evaluating the realizability of deferred tax assets. Bridging all of these considerations, the audit committee will want to ensure that the tax function has the right resources to tackle the broad range of responsibilities in this ever-changing environment.
Audit committees must also contend with complex accounting standards including accounting for leases under ASC 842, accounting for revenue under ASC 606, and the adoption of the new CECL standard under ASC 326 which significantly changes the impairment model for most financial assets from an incurred loss model to an expected loss model and provides targeted improvements on evaluating impairment among other updates.
Additionally, audit committees would be wise to also invest their education efforts in developing areas such as cybersecurity, distributed ledger technologies and digital assets – all emerging risk areas identified by the PCAOB in their recent Staff Update and Preview of 2020 Inspection Observations. Specifically, the audit committee should evaluate how both management and the auditor have assessed the risk of cybersecurity and the existence and valuation of distributed ledger technologies and digital assets (e.g., crypto assets), if applicable, and planned responses to those risks.
Ongoing Pandemic Impacts
The COVID-19 pandemic continues to challenge companies with persistent supply chain, labor, and fraud issues. In the coming year, the audit committee will need to continue to collaborate with the full board, various committees, and management to ensure a full understanding of risks along with the appropriate mitigation of such risks affecting their business.
The 2021 BDO Fall Pulse Survey reveals that boards view the supply chain as a major area of concern, with 32% of directors anticipating supply chain disruption will pose the greatest risk to their business in the next 12 months. Supply chain risk includes numerous difficulties that disrupt operations such as securing materials and products to counter increased costs, lost opportunities and a plethora of third-party risks involving suppliers such as increased exposure to cyber risk and ESG concerns. Supply chain disruption is prompting boards to prioritize sourcing diversification, as a limited supply chain network leaves companies especially vulnerable to the effects of these risks, all which impact forecasting and business plans. The BDO Resilience Agenda gives considerations for managing third party risk, including scoring third parties based on perceived risk level, scenario planning and reviewing internal controls as a few steps that can help the audit committee understand management’s risk management and mitigation when engaging with third parties. The audit committee and the board may need to take swift action and plan for alternative sourcing that could have near-, mid- and long-term ramifications to the business model.
While it has brought about many benefits, the pandemic era shift to remote work has also led to an uptick in fraud and further third-party risk. Newly launched, decentralized systems in which largely uninformed, physically distant employees were tasked with ensuring the security of data left many companies vulnerable to cyber-attacks. But fraud can be an inside job as well and remains a priority for regulators and boards alike. The Anti-Fraud Collaboration compiled themes from SEC enforcement actions of financial statement fraud which include improper revenue recognition, reserves manipulation, inventory misstatement and loan impairment deferral. Now is the time for companies to refine their processes accordingly and educate employees on emerging threats. The audit committee should continue collaborative efforts in this area as well, for example partnering with management and IT to oversee cybersecurity improvements, internal controls, and other initiatives to mitigate fraud and third-party risks. The audit committee, along with the board, should remind the organization to be alert for fraud and set a strong tone from the top that such behaviors will not be tolerated within the organization.
Outside of the shift to remote work, the business community has been hit by broader workforce issues, including shortages and lack of highly skilled workers. As the economy recovers, companies will dedicate more resources to attracting and retaining talent. According to the 2021 BDO Fall Board Pulse Survey, 46% of boards plan to upskill the workforce to address evolving risks, increasing costs and technology advancements/integration. Additionally, companies may be hindered in their growth opportunities by a lack of available and qualified labor. Audit committees will likely need to be dialed into the workings of the nomination and governance as well as the compensation committees within their organizations, as many of the issues that represent financial reporting risk may come under the expanding purview of other committees of the board. These considerations are applicable not only to an organization’s broader employee base but to the board as well – when searching for directors with experience in existing and emerging risk areas.
Digital Investment While Countering Cybersecurity
Lagging in digital transformation is a major concern for boards, as evidenced by BDO’s 2021 Middle Market Digital Transformation Survey. Our survey finds that one in ten boards view it as their single biggest business risk. More than half (53%) are making digital investments in upskilling initiatives with a focus on digital fluency. In 2022, we anticipate board members to continue to make similar investments to broaden their own digital skillsets to successfully govern in this new environment and consider the digital expertise resident within the board to support corporate-wide digitization efforts.
Access to data, automation of operations and real-time information provides increasingly competitive advantages. An expanded digital skillset will help board members protect their companies from both the risk of obsolescence and inefficiency as well as from the current onslaught of cyber threats, including the increasingly common ransomware attacks. According to Fortune.com, “Year to date, there have been 1,291 breaches, compared to 1,108 in 2020,” demonstrating the continuation of an upward trend in attacks. Regular briefings by the Chief Information Security Officer or similar position directly to the board should provide key communications about:
advanced threat levels,
detection and prevention capabilities,
continual penetration testing,
and education for all employees throughout the organization.
From a financial reporting audit perspective, cyber risk remains a focus of PCAOB inspection observations – if a cyber incident occurred during the audit period, the PCAOB will closely scrutinize how the auditor considered the incident in their risk assessment process and if any material risk was overlooked.
Managing cybersecurity requires a layered, risk-based approach, and boards need to take an active role in keeping their organizations prepared. If assigned to the audit committee by the board, the audit committee must make cybersecurity a recurring item on its agenda, ensure the entity is getting good information about the status of its cyber threat detection, prevention and mitigation programs and is regularly testing its cyber incident response plan. Additionally, the audit committee needs to ensure that the appropriate resources are being allocated to cybersecurity initiatives.
Boards recognize cyber risk as a significant issue – the top-cited governance oversight challenge for the next six months is ensuring effective cybersecurity and data protection. In turn, boards are increasing their own disclosures – according to the CAQ 2021 Audit Committee Transparency Barometer, audit committee proxy disclosure of oversight of cybersecurity risk has jumped by five to seven percentage points since 2020. Such disclosures with respect to rapidly evolving risks may provide a higher level of confidence to the market participants.
Digital literacy will also help the audit committee leverage and evaluate external auditors’ use of the wealth of technology designed to streamline the audit process. As tech-based audits become more commonplace, the audit committee should take every step necessary to question efficiency and efficacy to build confidence in its ability to evaluate a tech-based audit and consider the digital nature of the audit in their oversight and evaluation of the external auditor.
Increased Disclosure and Reporting Demands
The role of the audit committee requires members to remain abreast of evolving disclosure and reporting requirements. Recent SEC comment letter themes include use of non-GAAP financial measures, MD&A, goodwill, revenue recognition, segments, intangibles and the aforementioned fair value measurements and income taxes. MD&A will soon be impacted by the new S-K rules that eliminate and amend certain disclosure requirements and are effective with upcoming 10-Ks and aim to clarify the overall objective of MD&A and promote a principles-based approach to certain disclosures, together with the continued consideration of guidance on KPIs. For example, companies will have to explain why certain changes have occurred over periods and provide more details on performance indicators, both financial and nonfinancial, employed in management of the business. SEC comments on non-GAAP measures focus on those measures that appear to modify GAAP recognition and measurement principles, exclude normal cash operating expenses from performance measures or are not consistently applied period over period. Goodwill disclosure evaluations continue to focus on impairment and associated estimates as well as disclosures regarding reporting units. Newly effective SEC rules related to financial statements of acquired businesses as well as new pro forma rules are also important disclosure considerations. Understanding and keeping track of these evolving rules will be critical to the audit committee’s success in 2022.
The demand for ESG reporting by a variety of stakeholders has been steadily growing and shows no signs of slowing down in 2022. Sustainability and transparency are increasingly associated with successful business outcomes and have long-term investor appeal. Twenty-nine percent of directors surveyed in the BDO Fall Board Pulse Survey reported that they are including ESG metrics and disclosures within audited financial statements. Current reporting requirements and guidance are limited, but emerging. The SEC had requested public comment on the need for climate risk disclosures and released a sample comment letter which highlighted existing 2010 guidance reminding companies of their duty to disclose material information even if not expressly required by rules, which will require professional judgment to be applied. Such disclosures may appear in the business, legal proceedings, risk factor and MD&A sections of public filings and may range from consideration of the impact of pending or existing climate change related legislation to physical impacts of climate change. Currently, material climate-related risks are considered and assessed by management and auditors during the preparation and auditing of financial statements. Under current U.S. GAAP, climate-related risks may have a direct impact, an indirect impact, or in some cases no impact at all on the financial statements. The CAQ has issued a resource to provide investors and other stakeholders with a foundational understanding of current climate-related reporting and auditing requirements in the U.S. and how they are applied.
In addition to the new Nasdaq diversity rules, the SEC had also issued new guidance effective for 2021 audits calling for a description of the issuer’s human capital resources to the extent such disclosures would be material to an understanding of the business. In 2022, we anticipate the SEC to issue additional rules focused on human capital management and corporate board diversity.
In the absence of a unified global ESG reporting standard, companies that choose to report on ESG often choose to draw metrics from a variety of frameworks when determining voluntary ESG disclosures. While more and more entities are providing ESG disclosures – both quantitatively and qualitatively – very few are integrating fully within filed financial information. Additionally, at this time, only about 11% of U.S. entities that provide attestation on their ESG reporting have engaged an audit firm to do so. Much of the attestation work in the U.S. is being done by boutique firms that may or may not have the rigor of controls or apply the caliber of standards of the auditing profession, while still many businesses are opting for no attestation at all.
However, we anticipate that aspects of ESG reporting will be rapidly changing as more time, attention, and effort by a broader variety of stakeholders will demand more robust reporting and validation by skilled and credentialed professionals for such information to be reliable and considered decision useful.
How Audit Committees Can Prepare for the Year Ahead
Governance responsibilities continue to evolve and increase in importance and accountability. The audit committee should ensure they are prepared with an understanding of their expanded roles and responsibilities, and that they have adequate resources to execute those increasingly complex areas. At its core, the audit committee is responsible for oversight of financial reporting, external and internal auditors, compliance, ethics, and controls. Increasingly, the committee is charged with additional responsibilities such as ERM and all that encompasses, digital transformation, cybersecurity and ESG.
The audit committee can prepare for the coming year by ensuring clear communication and collaboration with management, the full board, and other committees along with its advisors. Continuous education on emerging topics of interest and an eye on trends serves to keep directors knowledgeable and relevant. Keeping the company’s vision and strategy in mind is key as the audit committee helps leadership mitigate risk and identify new opportunities in the coming year.
These are just some of the many issues that audit committees are facing as they exercise their oversight responsibilities. We encourage audit committees to maintain continuous and thoughtful communications with their auditor, be thoughtful in their continued education including remaining abreast of industry trends and take advantage of the numerous opportunities available through the BDO Center for Corporate Governance. To begin receiving email notifications regarding BDO publications and event invitations (live and web-based), visit http://www.bdo.com/member/registration and create a user profile. Please reach out to your engagement teams with questions about content contained within this publication.