The past year has made it clear that many of the fundamental changes to organizations that were brought on by the pandemic are here for the long haul. The impacts of widespread remote work, accelerated digital transformation, and shifts in talent dynamics have been far-reaching, and the full scope of their effects—and related risks—is not yet certain.
The audit committee’s role in overseeing risk and financial reporting is more important than ever in this evolving context, as organizations navigate increasingly complex reporting requirements and a shifting regulatory landscape. Effective oversight requires committee members to stay up to date on these changes while understanding how emerging risks may impact the organization. This publication highlights five areas of focus—financial reporting and controls; enterprise risk management; environmental, social, and governance; cyber risk; and digital finance transformation—that likely will be recurring topics of discussion for audit committees in 2022. While these topics cover only certain aspects of audit committee responsibilities, their importance and prominence on agendas are reflected in audit committee member survey responses captured in the recent Deloitte and CAQ Audit Committee Practices Report. Each topic highlighted also includes probing questions audit committees can consider posing to management to help them stay ahead of issues, navigate pitfalls, and fulfill the organization’s responsibilities to investors and other key stakeholders.
Financial reporting and internal controls
The fundamental role of the audit committee is overseeing the integrity of the financial statements, which entails accurate financial reporting supported by strong internal control over financial reporting. That doesn’t mean the associated responsibilities are static or predictable. Companies continue to navigate uncharted waters in areas such as remote work, shifting talent requirements, and emerging technologies that impact the finance organization and change how business is conducted. With these large-scale changes comes an increased risk of fraud. It is critical in the current environment for audit committees to understand the development of new controls and the testing and rationalization of existing ones.
Nearly a quarter (24%) of respondents believe they will spend more time, and approximately three-quarters (73%) expect to spend about the same amount of time, on this critical area compared to last year.
The current regulatory environment may also have a significant impact on financial reporting, especially as it relates to disclosures. The SEC’s disclosed regulatory agenda includes proposing rules on disclosure relating to climate risk; human capital, including workforce diversity and corporate board diversity; and cyber risk. Audit committees should consider engaging in discussions with the regulators to help drive the agenda and stay apprised of developments. Additionally, once rules are proposed, they should understand how the proposed rules will impact disclosures and the processes and controls management has in place around those disclosures.
Financial reporting and internal controls questions for audit committees to consider:
- How have shifts in the organization’s talent model and the associated job responsibilities affected controls, including whether there is an appropriate segregation of duties?
- Have changes in transaction flow and processes resulted in a change in the design and monitoring of controls? If so, how has management ensured that controls have been appropriately redesigned?
- What new internal controls should be considered given ongoing shifts in the business operating model?
- Has management considered the potential for emerging fraud risks, and what has been the process for developing and assessing the appropriate internal controls?
- Does management have appropriate disclosure controls and procedures (DCPs) related to the disclosure of non-GAAP measures to ensure that procedures are in place regarding compliance, consistency of preparation, data quality, accuracy of calculation, transparency of disclosure, review, and monitoring?
Enterprise risk management
Audit committees play a major role in understanding and communicating the importance of an effective risk management program and related infrastructure and policies. Forty-two percent of audit committee members who responded to the survey as summarized in the Deloitte and CAQ Audit Committee Practices Report said that the audit committee has primary oversight of enterprise risk, with 33% reporting that the full board has responsibility and 20% using a dedicated risk committee.
But regardless of the governance structure, enterprise-level risk is never the sole responsibility of an individual or group, which is why it’s critical for the audit committee to work with the board to allocate oversight of key risks across the full board and its committees.
The audit committee should understand how management identifies, monitors, and evaluates key risks, particularly in the context of the volatile risk environment brought about by the pandemic. This includes inquiring about how emerging risks are incorporated in the organization’s risk map, who is responsible for monitoring them, and how risks are disclosed. When developing audit committee meeting agendas, topics should be viewed through a risk lens. The committee chair should make certain that key risks are reflected on the agenda and prioritize discussions related to risk oversight.
Nearly one-third of the audit committee members surveyed said their committees likely will be increasing the amount of time spent on enterprise risk management in the coming year.
Enterprise risk management questions for audit committees to consider:
- Is there agreement between the board and its committees on where primary responsibility lies for overseeing the enterprise risk management (ERM) program and related processes?
- Is there a clear mapping of how key risks are allocated to the board or individual committees for oversight? Is this delineation of responsibilities regularly reassessed?
- How often is enterprise risk management on the board’s (or audit committee’s) agenda, and what information is being provided in support of this?
- How does internal audit’s plan align with the key risks identified in the ERM program?
- How are management and internal audit staying ahead of emerging and evolving risk areas such as technology, ESG, and cybersecurity?
- Has management taken into consideration unlikely but potentially severe risks that could have a significant detrimental effect on the organization?
- Have risks to the extended enterprise, including third-party risks, been appropriately assessed?
Environmental, social, and governance (ESG)
Having an effective ESG oversight and reporting policy and framework is quickly transitioning from a good-to-have to a must-have for many companies across industries, as investors and other stakeholders push for greater accountability, clarity, and disclosure. Two-thirds of audit committee members surveyed in the Deloitte and CAQ Audit Committee Practices Report said that their organizations issue a sustainability or ESG-related report, with 69% reporting that their committees have sought or are actively discussing obtaining third-party assurance on components of ESG and sustainability data. Rulemaking also is proceeding at a rapid pace, with the SEC set to propose rules in areas such as climate change, cyber risk governance, board diversity, and human capital management in early 2022. In addition, there has been strong movement toward the global convergence of standards, as reflected by the November 2021 announcement of the formation of the International Sustainability Standards Board. Staying on top of these changes will require regular engagement from the audit committee.
ESG questions for audit committees to consider:
- Where does the primary ownership and oversight responsibility for ESG reside on the board, both overall and in terms of its various components (e.g., climate, diversity, talent, cyber)? Is there consistent understanding of where and when these elements are being discussed at the board and committee level?
- How is the organization kept aware of developments in ESG legislation and regulations in all the relevant jurisdictions for the business?
- How could climate-related matters affect assets, cash flow, and capital allocation?
- How confident are management and the board in the organization’s ability to anticipate disruptive environmental and societal trends?
- Has the audit committee reviewed the organization’s sustainability report prior to issuing, and has management walked through the key assumptions made and the basis for the metrics and goals disclosed?
- How is management taking into account the organization’s environmental goals and related activities for SEC reporting purposes (e.g., the business, risk factors, results of operations sections in SEC filings)?
- If the organization discloses climate-related information in the annual report that contains or accompanies the financial statements (such as in the MD&A), are those disclosures consistent with the audited financial statements?
Cyber risk, data privacy, and security
The continued proliferation of virtual work across nearly all facets of business has heightened the complexity and risks associated with cybersecurity and data privacy. A June 2021 Deloitte poll revealed that 86% of executives expect cyberattacks targeting their organization to increase over the next 12 months, with 64% highlighting ransomware as the top concern. Cyberattacks pose critical financial, operational, and reputational risks to companies and their customers. Audit committees should engage with management to make sure that the organization’s cyber risk profile is fully understood so that the appropriate investments and mitigation measures can be taken to minimize risk.
Fifty-three percent of audit committee members reported that the committee is responsible for overseeing cybersecurity, with 48% having primary responsibility for overseeing data privacy and security. Of those overseeing cybersecurity, more than two-thirds anticipate spending more time on the topic in the coming year. Additionally, 41% of respondents said their audit committee needed more expertise related to cybersecurity—a higher percentage than for any other risk area.
Cyber risk, data privacy, and security questions for audit committees to consider:
- Has management been through a cyber simulation session, and what were the results on the effectiveness of the organization’s cyber response plan?
- Has a cyber assessment been conducted on the organization’s operational technology, including the business impact of an operational technology breach?
- Does the organization know where its most sensitive information is kept, and if so, does it know how that information is stored, used, and protected?
- Have cyberattacks increased, and have the applicable controls been reassessed, including those related to a long-term remote workforce?
- Has the organization’s cyber risk profile been assessed internally or externally to identify areas where digital finance transformation, ESG, and other new or quickly shifting requirements and initiatives may pose risks?
- Are the appropriate leadership, structure, capabilities, resources, and support in place to address cyber risks comprehensively?
- Is there an enterprise response plan and a ransomware playbook or checklist that can quickly be implemented if needed?
- Is management being proactive in identifying and complying with all the laws and regulations that govern data capture, use, retention, security, and disposal?
Digital finance transformation
Digital finance transformation efforts have kicked into high gear over the past two years, with no slowdown in sight. A successful transformation can help the finance function leverage technology to replace mundane, repetitive tasks, and advanced techniques such as predictive analytics can be used for scenario analyses. Automation can free finance professionals to apply their skills to more strategic, value-added initiatives that ultimately can yield deeper insight.
But alongside these opportunities come risks in areas such as talent, data, legacy systems, stakeholder commitment, and governance. Audit committees should seek to understand the finance transformation journey the organization is on, ensure that the scope is appropriately defined and that a dedicated and accountable team will lead the transformation efforts, and plan for potential operational disruptions.
Digital finance transformation questions for audit committees to consider:
- What are management’s transformational goals? How will management measure success and drive accountability?
- Are different finance and digital transformation initiatives aligned around common objectives and staged appropriately?
- What change management procedures are being implemented to monitor changes? Does the organization have the right skill sets to lead the organization through change?
- What’s the number one risk as it relates to digital finance transformation, and how is it being mitigated?
- Is there the need to upskill employees or bring in new skill sets to operate in the new environment?
- Who is tracking the cost, value, and metrics for the transformation? How is success measured?
The breadth and pace of recent shifts in the modes, means, and tools of doing business have been remarkable. Many of these developments hold the promise of enhancing the efficiency, financial success, and accountability of companies that can successfully navigate them. The items discussed in this article don’t capture all the topics audit committees will be dealing with in 2022, but the areas highlighted will likely warrant increased attention and discussion. Focusing on these areas will help audit committees stay on top of emerging risks and provide proactive and effective governance during this period of transformative change.