2015 Risks for Audit Committees and Internal Audits
Five Areas of Focus for Audit Committees and Companies
Audit committees and the companies they represent face a wider variety of risks in 2015 than ever before. Audit committees oversee the functions that strive to protect sensitive information and deliver accurate financial reports, which includes defending against hackers and corporate spies, complying with frequently changing standards, and managing the relationships with external auditors and regulators. To better understand the risks that threaten companies, it helps to break them into five categories: Information Technology (IT) Control Risks, Cyber Risks, Financial Reporting Risks, Compliance Risks, and Talent Retention and Recruiting Risks.
1. IT Control Risks
IT control risks are the risks that a business faces within its own information systems. A company’s sensitive information should be available only to internal users who need access. Mobile data storage devices, such as phones, thumb drives, and even laptops have revolutionized the ability of employees to work anytime, anywhere. Therefore, every business that utilizes this technology needs to have very clear protocols and procedures in place for verifying that sensitive information only travels when necessary and authorized. When information does travel, it should do so in an encrypted form protecting the files in the event of loss or theft. Companies and their audit committees need to understand that internal controls over information technology are every bit as necessary for business success today as internal controls over cash. It takes people, processes, and technology working together to have an effective IT control environment.
2. Cyber Risks
Recent news is full of stories about companies that have suffered significant data breaches from external sources. Whether it is customer credit card numbers, patient health information, or internal e-mails, no business can afford to let its internal files get hacked by outside parties.
The steps that businesses take to manage and mitigate the risk of an external data breach often focus on firewalls, encryption and technology-based solutions. However, employees can inadvertently cause data breaches by opening an e-mail with an attached virus, or clicking on a link in an email that includes malware. Effective protection from this risk includes empowering everyone on the company’s network with the knowledge to avoid missteps that allow hackers to bypass all of the security measures the business has instituted.
3. Financial Reporting Risks
Financial reporting risk relates to a situation where the financial statements contain inaccurate data. Constant changes and updates to standards, rules and regulations by the FASB, SEC, PCAOB (Board), and other regulatory bodies have increased the risk of financial reporting errors.
The FASB’s recent revisions to the revenue recognition standards provide an example of increased risk for financial reporting errors. Even though implementation has recently been delayed by one year, companies still have significant work ahead of them in order to adapt accounting systems to this new principles-based approach. The new standard will provide significant flexibility in terms of how businesses choose to recognize revenue, but it will require additional recordkeeping in order to document how the number was reached. In effect, businesses will have more latitude in terms of what revenue number is correct, but just like any math test, they will have to show their work and maintain evidence supporting the calculation in order to get credit.
4. Compliance Risks
Compliance risks focus on a company’s ability to comply with applicable laws, rules and regulations. Increased scrutiny by the PCAOB has external auditors addressing issues that were noted in the Board’s inspection reports. The release of Staff Practice Alert 11 in October 2013 brought to light the concerns around Management Review Controls and the reliance on a signature to prove that a control operated effectively. In the past, many companies would assess a control as effective based solely on a signature. This has many companies adding details to their controls to document the specific procedures carried out by a reviewer in the review process.
The role of developing estimates is another area currently under review by the PCAOB. The Board has expressed concern that the processes used to generate assumptions related to accounting estimates, including fair value and impairment, have not been documented precisely enough to assess the accuracy of internal controls over financial reporting. Internal auditors, CFOs and audit committees need to focus closely on the controls related to accounting estimates, specifically those that support management’s assumptions applied in the respective process. Every assumption that has a material impact on financial statements should be challenged and reviewed. Documents that support the assumptions (e.g., interest rate tables, purchase and sales agreements) should be maintained to demonstrate management’s thought processes in developing estimates, so that a third-party reviewer could derive a similar conclusion independently.
5. Talent Retention and Recruiting Risks
Succession planning should be a top priority for companies and audit committees: nearly 75 percent of CPAs will be retiring or near retirement by 2020. Every day, more companies learn how challenging it can be to find knowledgeable and experienced professionals with skills focused in a particular industry. That shortage will only become more acute if the AICPA’s 2018 projections come to pass.
At the same time, a recent Big 4 poll showed that nearly 60 percent of the companies surveyed worldwide did not have a formal succession plan for their CFO. The Committee of Sponsoring Organizations (COSO), a leading authority on internal controls, feels strongly about talent retention and recruiting. The COSO 2013 Framework lists as its fourth principle, “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.”
Three Lines of Defense in Effective Risk Management and Control
The Institute of Internal Auditors (IIA) issued a position paper in 2013 entitled “The Three Lines of Defense in Effective Risk Management and Control.” The first line of defense is the operational managers who exercise control delegated to them by senior management. The second line is management’s risk and compliance oversight functions, including financial control, quality assurance, and compliance. The third line is the internal audit function.
PCAOB member Jeanette Franzel elaborated on this model in a recent speech. She noted that, “Effective use of internal audit work to support the external audit enhances assurance not only through the external audit process, but also enhances internal audit’s knowledge and experience that can be applied across its assurance functions as the ‘third line of defense.’”
In some cases, a business may not have the internal resources to effectively manage a particular risk area, such as cyber security. In other cases, businesses have realized that the internal auditor may provide more value performing true internal audits and therefore outsource SOX compliance. Businesses frequently outsource pieces of the SOX compliance function to resources with the necessary expertise.
Summary of the Five Areas of Focus for Audit Committees and Companies
IT Risks – Education is one key when it comes to protecting company data. It can come in the form of signage in the break room, a meeting with all employees to stress security protocol and procedures, or annual acknowledgment stating the employee’s understanding of IT security procedures.
Cyber Risks – Educate the audit committee and the board of directors about cyber risk. Assess your company’s cyber risk and develop a plan to address breaches if they occur. Test your system to see if there are items that need to be immediately addressed.
Financial Reporting Risks – Work closely with your internal and external auditors when a new pronouncement or standard is released. Once the company has made its first pass at an assessment, it is a good idea to start the communication with external audit to validate that management’s interpretation is in line with the auditor’s expectations.
Compliance Risks – Read the PCAOB Inspection Reports for the firm that performs your external audit function. Ask the partner on the engagement what comments they received and how this affects your company or the industry in which you operate. Also, read the PCAOB Reporter. It contains information as to the PCAOB staff’s areas of focus.
Talent Retention and Recruiting Risks – Develop a formal succession plan for, at a minimum, the C-level suite. Some suggest establishing a plan that includes the company’s Controller, Directors of Internal Audit, and other key positions.
May 7, 2015