Ten To-Do’s for Audit Committees in 2012

By KPMG’s Audit Committee Institute

1. Stay focused on the audit committee’s top priority: financial reporting and related internal control risk

    Ensuring that the audit committee’s agenda focuses on the issues that require its attention will be a significant undertaking.

The challenges of ongoing economic uncertainty and volatility, coupled with the impact of cost- reductions, major public policy initiatives, and an uncertain—yet clearly more-complex — regulatory environment will require the attention of every audit committee. Meeting this workload challenge will require focused (yet flexible) agendas, with an eye on the company’s key financial reporting and related internal control risks. As- needed updates from management between regular audit committee meetings can be invaluable.

2. Continue to monitor accounting judgments and estimates, and prepare for accounting changes. Monitor fair value estimates, impairments, and management’s assumptions underlying critical accounting estimates. Recognize that the company’s greatest financial reporting risks are often in areas where there is a range of possible outcomes, and management is called upon to make difficult judgments and estimates. Understand management’s framework for making accounting judgments and estimates, make sure management has appropriate controls in place, and ask for the external auditor’s views. Also, understand how major accounting changes on the horizon may impact the company, including implementation/resources and IT systems requirements. Key FASB/IASB projects on revenue recognition, leases, financial instruments, and insurance are moving forward. Stay close to where these projects are headed and the timeline.

3. Consider whether the financial statements and disclosures tell the company’s story. Given the importance of transparency to the investor community, as well as the ongoing regulatory focus on disclosure, consider how disclosures can be improved — perhaps going beyond what’s “required” —to better address expectations. If appropriate, enlist management’s disclosure committee in this effort, and consider the findings of recent initiatives aimed at cutting the complexity of annual reports, such as Disclosure Overload and Complexity: Hidden in Plain Sight (KPMG*/FEI) and Cutting Clutter: Combating Clutter in Annual Reports (FRC). Understand the process management uses to calculate any non-GAAP measures that are used in the annual report or regulatory filings to ensure their relevance and reasonableness. At the end of the day, do the financial statements and disclosures tell the company’s story?

4. Focus on the company’s plans to grow and innovate. Growth, strategy, and innovation will be front-and-center as companies search for top-line growth and look forward, beyond the recessionary environment. A key challenge will be monitoring and calibrating growth plans to appropriately balance risk and reward. Does lack of innovation pose a threat to the company? Make sure risk and strategy are discussed together — each hinges on the other. Given historically low valuations and high levels of corporate cash on hand, understand the company’s position in the M&A “ecosystem” (as a potential acquirer or target). Is there a robust M&A process in place in the event an offer or opportunity arises? What is the role of the audit committee versus the full board?

5. Reassess the company’s vulnerability to business interruption, and its crisis readiness. As illustrated by the earthquake in Japan, the European debt crisis, and other systemic disruptions over the past 24 months, the global interconnectedness of businesses, markets, and risk poses challenges for virtually every company. Ensure that management is weighing a broad spectrum of “what-if’ scenarios — from supply chain links and the financial health of vendors to geopolitical issues, natural disasters, and cyber threats. Is the company’s crisis response plan robust and ready to g Is the plan actively tested or war-gamed — and updated as needed?

6. Understand how technology change and innovation are transforming the business landscape — and impacting the company. IT risk discussions should be moving (rapidly) beyond “defensive” issues (compliance, data privacy, system implementations) to address the critical challenge today: understanding the transformational implications of IT and emerging technologies — cloud computing, social media, mobile technologies, and data — and the strategic issues they present. The audit committee can help the organization get its arms around IT by insisting on more-frequent and robust communications with the ClO; elevating IT discussions to a senior management/full board level (beyond the “IT shop”); helping to frame the big picture view of the company’s IT governance efforts (on data and social media); clarifying the oversight role(s) of the board, audit committee, and other committees; and strengthening the board’s understanding of IT (by bringing IT expertise onto the board and/or through education). A comprehensive IT risk assessment is essential, and support from internal audit can be invaluable.

7. Focus on asymmetric information risk and seek out dissenting views. Is the audit committee hearing views from those below and beyond senior management — e.g., from middle management and business unit leaders, sell- side analysts and critics, and other third parties — about the risks and challenges facing the company? Does the information provided by management, internal audit, and external auditors tell a consistent story? What is being said about the company by customers, employees, and others on social media networks? Make time to visit company facilities and attend employee functions. Key goals here are to recognize when asymmetric information risk — the over-reliance on senior management’s information and perspective — is too high, and to promote a culture of candor and constructive skepticism, where raising red flags and challenging information are welcomed.

8. Consider the impact of the regulatory environment on compliance programs and business plans. The increasing complexity of the global regulatory enviroi will require continued attention. The right tone at the top and throughout the organization is critical. From a broader business perspective, consider the potential impact of regulatory compliance developments on the business planning process, particularly when growth strategies include international expansion. Do the company’s regulatory compliance and monitoring programs align with business plans?

9. Understand the company’s significant tax risks and how they are being managed and modeled. As tax authorities are ratcheting-up their enforcement efforts and more aggressively sharing information with a view to increasing the effectiveness of their tax audits, audit committees should ensure they understand the company’s tax risk appetite and management’s processes for managing tax risk. To stay abreast of critical tax risks — including internal control, compliance, and disclosure issues — establish a clear communications protocol for management to update the audit committee on the status of its tax risk management activities. Ensure the tax function is monitoring the tax reform debate and “testing” the impact of various tax legislative scenarios and possible remedial steps as proposals become more specific. Are leading risk management practices (such as scenario planning) being leveraged to manage the company’s significant tax risks?

10. Monitor regulatory initiatives on auditor independence and transparency, and consider the implications for the audit committee. PCAOB and European Commission initiatives designed to promote auditor independence, objectivity, and professional skepticism have potentially significant implications for the audit process and the role of the audit committee. Set clear expectations with management and auditors for staying apprised of these projects and communicating their potential impact on the audit and the audit committee’s oversight (input to these initiatives is being sought from all stakeholders, including audit committee members). Consider how the audit committee currently reinforces auditor independence and skepticism. Would a more robust audit committee report be beneficial to investors?