Audit reports continue to evolve. The pace and extent of future change are important issues and the views of audit committee members are very relevant to that debate. This report puts forward the case for audit committees to consider, and engage with shareholders, about where they should be on the spectrum ranging from meeting the minimum requirements of auditing standards, through to the inclusion in the audit report of graduated findings and detailed audit risk maps.
Disruption can affect audit committees in different ways. In some cases - for example, cyber security - audit committees may need to become more knowledgeable and more vigilant in their oversight due to the rapid, ongoing evolution of the field. In other areas, such as oversight of reporting and compliance, it is their own approaches and processes that are changing, as complex standards up the regulatory ante.
In the three short documents below we look at some of the issues arising from disruptive trends in technology, geopolitics and regulation.
Audits are changing significantly. The core goals remain, but audit tools, execution and results are being transformed and expanded by new capabilities in Data & Analytics (D&A). This is more than a trend. This is the way audits will be conducted by virtually all the major accounting firms, and it is critical that audit committees and auditors begin working together now so audit committees understand where the process is heading, what the broad benefits are and how to work effectively with management to enable a smooth and effective shift within their organisations.
Our briefing explores the impact, benefits and challenges of D&A in the audit.
Agenda overload is not a new issue for audit committees, but our latest ACI survey shows that it’s becoming a major concern: 75 percent of the 1,500 audit committee members responding to our 2015 Global Audit Committee Survey said the amount of time required to carry out their audit committee responsibilities has increased moderately (51%) or significantly (24%) over the past two years.
So actual face-time across the audit committee table is really precious. Audit committee meetings should be well thought out and structured in a way that allows the committee to make the most of its time together. Effective planning and organisation can help ensure that meetings, are used effectively.
It’s increasingly obvious that the role of the audit committee is changing.
Into what? What factors are driving change? And how should audit committees respond?
With so many considerations at play, these are difficult questions to answer. Yet, it is incumbent upon stakeholders – audit committee members, their companies, auditors, investors and regulators – to pursue the answers and expand current thinking to match the rapidly shifting audit and oversight environments.
We have identified five key areas to which audit committee members can gain a deeper understanding of both their new risk responsibilities and their traditional duties for overseeing the audit and reporting processes:
Ethics and integrity are fundamental to an effective governance framework and the foundation for developing a culture that supports employee, customer and investor confidence. Notwithstanding compliance with an ever growing set of rules and regulations, if the ethics and integrity within an organisation are below par, then fraudulent financial reporting, reputational damage and business failure is more likely to occur.
Boards of directors and audit committees looking to reassure themselves about their organisations’ ethical behaviour might ask the following questions:
Are we safe? Do we need to look beyond existing risk management approaches? Why now and why does it matter? How do we spot the signals in our business?
We explore these questions and things to look out for when answering them.
Audit committees have a critical role to play in ensuring that their organisations have robust cyber security defences, not in understanding the minutiae of the technology involved, but in leading governance and policy. GCHQ director Sir Iain Lobban has been quoted as saying that business secrets are being stolen on an ‘industrial scale’ with 70 sophisticated cyber espionage operations a month against government and industry networks. Clearly, this is not an issue where a ‘wait-and-see’ approach is viable.
The audit committee needs to be able to answer the following questions: What are the key assets requiring protection? How are they being protected? What level of cyber security risk is acceptable? How would the company respond to a major cyber security incident?
We explore the threats and their potential impacts and what the role of the audit committee is in cyber security.
Guidance for the Effective Internal Audit in the Financial Services Sector was published by the Committee on Internal Audit Guidance for Financial Services in July 2013. The guidance builds on International Auditing Standards and aims to improve the effectiveness and raise the profile of internal audit across the financial services sector. We have provided a summary of the guidance.
Many audit committee members continue to cite ‘groupthink’ as a significant concern and express the need to hear more ‘dissenting views, particularly from down-the-line’ to help them be more effective in their oversight of financial reporting, internal controls, compliance, strategy and risk.
We have provided a snapshot of key insights from a white paper from the Committee of Sponsoring Organisations of the Treadway Commission which include the following:
Despite being vigorously independent and knowledgeable, non-executive board members will never be fully effective unless they have both access to, and an understanding of, all the relevant information.
Non-executive directors should insist on receiving high-quality information sufficiently in advance so that there can be thorough consideration of the issues prior to, and informed debate and challenge at, board and committee meetings. Some questions which the audit committee may wish to consider in assessing the quality of the information provided by management might be:
Do you have a clear view of underlying performance in each area of the business? Are you equipped to challenge strategic decisions? Does the financial reporting provide a fair view of business performance?
The following document addresses in more detail the types of information non-executive directors might receive and what it might look like in practice.