The 8th Annual Audit Committee Issues Conference brought together 140 directors along with governance professionals and other business leaders and luminaries to discuss the challenges, practices and priorities shaping audit committee and board agendas in the year ahead. At the top of the agenda: ensuring that governance is keeping pace.
Hosted by KPMG’s Audit Committee Institute and cosponsored by NACD and Weil, Gotshal & Manges, the conference discussion and survey findings cut across a number of key oversight issues. Only 6 percent of attendees said they are satisfied that their company’s governance processes and controls—including risk management—are keeping pace with technology change; uncertainty—economic, political and social—is a top concern, as is fostering growth and innovation. Many attendees said their audit committee would be more effective with “additional expertise” (in IT, for example) and bringing “fresh thinking” onto the committee.
Moving Beyond a Legacy Approach
Aside from financial communications, disclosures and related controls, a majority of conference attendees cited the adequacy of “governance processes, controls and risk management—particularly in light of emerging technologies, globalization and changes to the business”—as posing the greatest concern for their audit committees this year.
This comes as little surprise, given the ongoing economic and political/regulatory uncertainty, the transformational impact of social media and emerging technologies, and the challenges of growth and innovation in a difficult economy and complex risk environment.
As one panelist noted, “With emerging technologies and globalization posing new challenges and risks almost daily, a ‘legacy approach’ to managing risk won’t work.” A key challenge for audit commit- tees is to help mobilize the board (to keep the business on track), mobilize management (to rethink its strategy and risks, and stress test the business model), and emphasize that making well-informed decisions may require a more sophisticated approach to manage an increasingly complex array of risks—the economy, technology, globalization, competition, regulatory risk, the speed of change and more.
To this end, panelists highlighted a number of considerations for audit committees/boards, including:
- Insisting on ongoing, substantive involvement by the board in strategy and risk
- Understanding the company’s significant operational risks and whether “business controls” are keeping pace with technology and changes in the business
- Engaging in scenario planning, considering economic and political “what-ifs,” and focusing on tail risks
- Assessing the company’s crisis readiness
- Fostering the right risk culture, including seeking dissenting views and ensuring that the compliance function has a prominent seat at the table
- Ensuring that internal audit is properly focused and resourced
- Devoting more time to judgments and estimates, and the quality of disclosures.
MD&A: Does It Tell the Story?
In light of the ongoing economic uncertainty, audit committees are sharpening their focus on the
related impact on financial reporting and disclosures. “We’re probing much more deeply on [ac- counting] judgments and estimates,” noted one panelist, including asking detailed questions to understand whether the company’s accounting is aggressive, conservative or down the middle. “Remember that judgments are made by people. What was the diligence behind their process? Does the estimate make sense, particularly in this volatile business environment?”
Other areas of focus include goodwill and asset impairments, pension assets and obligations, and valuations generally. “Establishing the value of any- thing right now is difficult,” said one participant.
Earnings quality also remains front and center, particularly in light of cost-reductions and pressures to grow the business in a low-growth economy. “In the current environment, you have to be particularly vigilant on this,” said one audit committee chair, noting that his group regularly discusses earnings quality with the external auditor in executive session.
Audit committee chairs also said they are spending more time considering the “completeness and depth” of the MD&A: Does it tell the company’s story?
“Boilerplate information is not very helpful,” said one conference attendee from the investor community. ”We’re looking for more insight into where the company is headed and the risks it faces going forward.” More than 80 percent of attendees agreed that their company’s disclosures— including the MD&A—are “overly complex and voluminous, and could be improved to better tell the company’s story.”
Recent guidance and comments from the Securities and Exchange Commission highlight other financial reporting and disclosure issues that should be on the audit committee’s radar, including:
- European debt exposure
- Foreign operations (e.g., liquidity, foreign currency, tax issues)
- Use of non–GAAP information
- Loss contingency disclosures
- Cybersecurity disclosures.
Audit committees were also reminded to continue to monitor regulatory progress on IFRS (the SEC expects to consider staff recommendations by mid-2012); various FASB convergence projects (particularly on lease accounting, financial instruments, revenue recognition and insurance contracts) and the implications of these and other accounting changes on the company’s accounting processes and IT systems; SEC Dodd-Frank rule- making on conflict minerals and compensation clawbacks (final rules are anticipated this year); and ongoing PCAOB initiatives to enhance auditor in- dependence and transparency.
“These PCAOB projects could have a major impact on auditing and the audit committee’s role, and every audit committee ought to be weighing in with their views—in writing,” stated one attendee.
Technology Is Driving an Information Revolution
“It’s important to recognize that this is an information revolution more than a technology revolution,” noted one panelist, adding that “the best technology discussions are business discussions. What do social media and emerging technologies—and the information they’re generating—mean for our customer strategy and how we do business?”
Indeed, emerging technologies and social media are enabling companies to capture and analyze huge volumes of data—to “slice and dice” the in- formation and extract value for real-time, even predictive, insight, and to build brand loyalty. They are also reshaping customer strategy, changing the way employees work and collaborate, and improving supply-chain efficiency. Said one participant, “When a technology changes behavior [of employees, customers, suppliers], you need to pay attention to it.”
Only 18 percent of conference attendees said they are satisfied with their discussions with management about the impact of social media and emerging technologies on the company’s strategy. And many said they are only “somewhat satisfied” (51 percent) or “not satisfied” (43 percent) that the company’s governance process and controls— including risk management—are keeping pace with technology change.
To help ensure the company is keeping pace—from both a strategic and a risk perspective—one audit committee chair said that his company’s CIO attends every audit committee meeting, “and we expect the CIO to be in touch with what’s happening in Silicon Valley. With technology changing so fast, the risk of not doing something—like adopting a particular technology—can be as devastating as active risk taking.”
The Defensive Lens
From a “defensive” perspective, social media and rapid technology change bring with them a host of critical risks—each, as noted by conference participants, with significant implications for the business:
- Information privacy and security “This is not just about compliance. It also goes to the heart of customer trust and loyalty.”
- Cybersecurity “The volume and ferocity of efforts around the world to break into IT systems are astonishing.”
- Protection of intellectual property and “all things digital” “Safeguarding IP requires a corporate culture that recognizes the sanctity of IP and all digital assets of the company.”
- Reputation risk, particularly with the viral speed of social media: “You can’t afford to ignore what’s being said on Facebook or Twitter. Every company should have a full-time function monitoring social media to hear what customers and others are saying about the company and its products, positive or negative.”
Indeed, cybercrime has become an “advanced, persistent threat”—from cybercriminals, nation-states and hacktivists. And as value continues to migrate online, according to McKinsey on Business Technology (No. 23, Summer 2011), the protection of data assets and IP is a growing challenge: “If your CIO isn’t having sleepless nights about cyber threats, then you probably don’t have the right CIO.” Only 36 percent of conference attendees characterized their company’s data as “well-protected”—though admitting that even with “state- of-the-art security, the company still may be vulnerable to hacking.”
Given the host of risks posed by emerging technologies, it is critical that companies reassess the adequacy of their governance policies and controls. “Digital risk needs to be embedded into the company’s risk and governance processes,” noted one participant.
Staying Vigilant on Compliance
Compliance continues to be high on audit committee agendas, particularly in light of stepped-up enforcement of FCPA, the U.K. Bribery Act and other anti-bribery initiatives around the world, and with the SEC’s whistleblower bounty program now in place.
“Compliance training and awareness—particularly on whistleblowing—is not a one-time exercise. It has to be an ongoing effort,” said one panelist. “Don’t under- estimate the impact of employee turnover.”
Visibility and ease of use are also keys to an effective whistleblower process. “It needs to be very easy for employees to use, and social media is a natural fit,” said another conference attendee, adding that “it’s important to communicate that your whistleblower system is in place and that it’s working. Escalation of complaints outside of the company happens when employees feel like they’re being ignored, so keep the program visible, even when the news is negative.”
Noting that rogue behavior is “by definition, hard to prevent,” panelists emphasized the importance of understanding the corporate culture: What are the values of the organization? Are performance incentives driving the right behaviors? What’s the tone in the middle? Emphasizing that “in many cases of major fraud, someone, somewhere knew it was happening,” panelists highlighted the importance of promoting a culture that surfaces what’s happening—that rewards people for coming forward or raising a red flag.
Testing Management’s Thinking
Keeping pace with the increasing complexity of the business, risk and regulatory environments will require boards to be at the top of their game. The audit committee’s efficiency and effectiveness is particularly critical—and challenging—given the evolving nature of its oversight role and the ongoing pressures on financial reporting systems and the control environment.
“With all the regulatory requirements today, it’s hard to find time for good, robust discussions about substantive issues like strategy and risk,” said one panelist. “But you need to make the time. Being an effective audit committee and board is not just about defense—it’s about advising and guiding management.”
A majority of conference attendees said their interaction with management has become “much more robust and collaborative” in recent years, yet only 50 percent said they are satisfied that their board’s involvement in corporate strategy is both “on- going and substantive.”
“Strategy is about choices,” said one panelist. “The board should be involved early on, well before a strategy is fully baked. The board should be testing management’s thinking and drawing analogies based on their own experience. Is it the right strategy? Do we have the talent to execute on that strategy? If the strategy turns out to be wrong, what is Plan B?”
Robust discussions about strategy and risk depend not only on having sufficient time, but also on having the right culture in the boardroom—that is, one that welcomes give and take, and even contrarian views.
On challenging the thinking in the boardroom and avoiding “groupthink,” one audit committee chair suggested that “responsibility is a much more important word than collegiality. Directors need to remember that they work for the company’s shareholders, and they need to know how to argue with each other” in the interest of those shareholders.
Conference participants shared a number of suggestions for enhancing the audit committee’s “operating efficiency” and overall effectiveness, including:
- Removing certain responsibilities from the audit committee’s plate, if needed: “We simply could not do it all.”
- “We asked for better executive summaries of meeting materials—and if we need to dig deeper, we do.”
- “Our audit committee chair delegates much of the work to the other members of the committee, including visits to business locations.”
- “Having a nonfinancial person on the audit committee is very beneficial—she asks great questions that others typically wouldn’t think of asking.”
- “Interaction between formal meetings is critical—particularly spending informal time with the external auditor and key members of management.”
Leo Abruzzese: Director, Global Forecasting, Economist Intelligence Unit
Catherine A. Allen: Director, El Paso Electric, Hudson Partners, Singlepoint, Stewart Title, Synovus Financial
Christian R. Bartholomew: Partner, Weil, Gotshal & Manges LLP
Dennis R. Beresford: Director, Fannie Mae, Legg Mason Nicholas Bloom Professor Stanford University Graduate School of Business
Paula Cholmondeley: Director, Albany Intl., Terex Corp., DENTSPLY Intl., Minerals Technologies, Nationwide Mutual Funds
Jeffrey M. Cunningham: Managing Director and Senior Advisor, NACD
Kenneth Daly: President and CEO, NACD
Michael A. Epstein: Partner, Weil, Gotshal & Manges LLP
David Gergen: Senior Political Analyst, CNN
Ellen M. Hancock: Director, Aetna, Colgate- Palmolive
Conrad W. Hewitt: Director, Bank of the West; Former Chief Accountant, SEC
Steven Hill: Vice Chair, Strategic Investments, KPMG LLP
Teresa E. Iannaconi: Partner, National Office, KPMG LLP
Stephen G. Hasty: Advisory Innovation Leader, KPMG LLP
Laban P. Jackson Jr.: Director, JPMorgan Chase
Marie L. Knowles: Director, McKesson, Fidelity Funds
Richard S. Levick: President and CEO, Levick Strategic Communications
James P. Liddy: Vice Chair, Audit Regional Head of Audit, Americas, KPMG LLP
Richard K. Lochridge: Director, Dover Corp., Lowe’s Companies, PetSmart
Mary Pat McCarthy: Retired Partner KPMG LLP
Aeisha Mastagni: Investment Officer CalSTRS
Charles H. Noski: Vice Chairman, Bank of America; Director, Microsoft
Ellen Odoner: Partner, Weil, Gotshal & Manges LLP
Michael Pierce: Audit Partner, KPMG LLP
J. Thomas Presby: Director, ExamWorks, First Solar, Invesco, Tiffany & Co., World Fuel Services
David T. Seaton: Chairman and CEO, Fluor Corp.
Garrett Sheridan: CEO, Axiom Consulting Partners
Jeffrey A. Sonnenfeld: Professor, Yale School of Management
Dennis T. Whalen, Partner in Charge, Executive Director, KPMG’s Audit Committee Institute