Audit Committees Stretched Thin

New regulatory responsibilities and risk oversight demands are placing a heavy burden on audit committees. Stretched thin, some are pushing back or shifting the duties elsewhere.

Audit committees increasingly are taking on risk-oversight duties—in some cases at the urging of regulators—in areas such as IT, cyber-security, bribery and corruption, and related parties, says Matthew Dallett, a partner with law firm Edwards Wildman Palmer. “To the extent something could cause problems with financial statements, people seem to think the audit committee ought to have primary responsibility for it,” he says. “Eventually everything relates to financial reporting one way or another.”

A recent KPMG global audit committee survey found U.S. audit committees are strained more than those in other countries in areas such as anti-bribery and corruption, financial risks, and cyber-security risks. Nearly one-third say their board has reallocated or rebalanced oversight duties in the past year to address complexity in the business, the regulatory environment, or the company's risks; 17 percent said their board has created new committees to spread the work around.

Audit committees are also facing an expansion of their role as owner of the audit firm relationship. Many audit committees are feeling pressure from regulators such as the Public Company Accounting Oversight Board and the Securities and Exchange Commission, which have issued new guidance over the past year asking audit committees to step up their supervision of external auditors, says Thomas White, a partner with law firm Wilmer Hale.

The PCAOB issued guidance, for example, suggesting ways audit committees could use inspection reports as a management tool, even though the regulator has no authority over them. SEC officials delivered some stern words to audit committees at a year-end national accounting conference to step up their supervision of auditors as well. “There's a perception among audit committee members that they're expected to do a lot with respect to auditors, and that it is beginning to pile up,” White says.

The Techonology Catch 22

The piling on is not just the result of regulatory pressure, says Dallett. “Probably the single biggest umbrella factor uniting complaints is the increasing dominance of technology on all areas of business, and then the increasing complexity of that technology,” he says.

Dan Goelzer, a former member of the PCAOB now a partner with Baker McKenzie, considers new technology a “double-edged sword” for audit committees. It's a great tool to get more insight into the business, he says, and yet it also presents great risks.

According to Phil Wedemeyer, chairman of the audit committee for oil and gas offshore drilling company Atwood Oceanics, the complexity of technology is creating one of the biggest challenges for audit committees. In its report, KPMG calls it “asymmetric risk,” or the risk of relying too heavily on information coming from senior management.

It's tempting, says Wedemeyer, given the volume and complexity of the data that technology can produce and how complex business has become, to take it at face value and not explore the factors and assumptions behind it. “As a board member, you have to decide how far you get into it,” he says. “For most of us, you don't get into it far enough to do anything except get scared. It's clear that audit committee members have this generalized sense of unease or concern.”

“To the extent something could cause problems with financial statements, people seem to think the audit committee ought to have primary responsibility for it.”

—Matthew Dallett,

Partner,

Edwards Wildman Palmer

White agreed the onslaught of data and the risks it represents can be overwhelming to audit committees. “Unless you're a technology company where the directors themselves are technology experts, do we know what we don't know?” he asks. “Do we know what we need to know? Sometimes all we can do is get comfortable that management has a handle on the issues that apply to the company and it's doing what it can to protect the company against any threats.”

To guard against becoming overwhelmed, experts say audit committee members need to be more assertive in asking for help or delegating duties. “You've got to speak up,” says Goelzer. “If there are risks that merit the attention of another committee, you've got to bring that to the attention of the whole board.” Another logical resource to leverage, he says, is the internal audit department. “Internal audit is traditionally the eyes and ears of the audit committee. As the audit committee duties have expanded, then the expertise and capabilities of internal audit need to expand as well.”

KEY FINDINGS

Below are key findings from the KPMG audit committee survey.

Regulation, uncertainty and volatility, and operational risk are top challenges today. Perhaps not surprisingly, most audit committees around the world point to regulation and the impact of public policy initiatives, economic and political uncertainty, and operational risk and controls as the risks posing the greatest challenges for their companies.

The quality of information about cyber risk, technology and innovation, and global systemic risk is falling short. When audit committees rate much of the information they receive about key risks facing the company—legal/regulatory compliance, operational risk, public policy developments—as “good” or “generally good,” many say information about cyber-security, emerging technologies, and the company's growth and innovation plans needs improvement. Audit committees also want to better understand the company's global systemic risk and supply chain dependencies.

Leading indicators and non-financial drivers of long-term performance are often elusive. Measuring and monitoring key non-financial drivers of long-term performance—particularly talent, innovation, and brand reputation—continues to pose challenges for many companies, as does identifying “leading indicators” that show where the company is headed and whether its strategy is on track.

The audit committee's job continues to grow more difficult. Nearly half of audit committee members indicate that given the audit committee's expertise and heavy agenda, it is “increasingly difficult” to oversee major risks—e.g., cyber risk and IT, the risk-management processes, and global compliance—in addition to the committee's core responsibilities. A significant number of others said their board has recently reallocated or rebalance risk responsibilities or created a new committee to address specific risks (or may consider doing so in the future).

Most companies don't have a CFO succession plan in place. Only about 40 percent of survey respondents said their company has a formal succession plan in place for the CFO—and clear performance objectives to evaluate the CFO's performance. Audit committees would like to see the CFO contributing more to the company's strategy and risk-management efforts, as well as “developing talent and bench strength.”

Internal audit should also be looking at risk management, IT, and operational risk—but may lack necessary skills and resources. More than 80 percent of survey respondents said internal audit's role should extend beyond the adequacy of financial reporting and controls, to include other key risks facing the business; however, only 50 percent said internal audit currently has the skills and resources to be effective in the role they envision.

Source: KPMG.

Audit committees can also get more assertive in telling management what they need in the way of information—not necessarily more, but better, more targeted, and more timely information, says Wedemeyer. “I hear lots of complaints about dealing with loads of information that's delivered right before a board meeting,” he says.

Too Much Reporting?

The KPMG report also delves into a demand that audit committees are beginning to hear more often and apparently are resisting: more disclosure. The PCAOB is leading a charge to require auditors to include in their audit reports more detailed information about what they do and what trouble spots they encounter in the course of an audit. Some have criticized the initiative and suggested the audit committee instead could provide investors with more information about how they manage the audit, whether through expansion of current proxy disclosures or elsewhere. The “Audit Committee Collaboration” also issued a “call to action,” challenging audit committees to voluntarily increase their reporting.

But the majority of audit committee members in KPMG's survey (53 percent) said no thanks, no new reporting requirements, please. Only 20 percent said they would support more reporting on the audit committee's oversight of the external audit, and only 15 percent would support more reporting on the effectiveness of the audit process.

Arnie Hanish, chairman of the audit committee for pharmaceutical company Omeros Corp. and retired chief accounting officer for Eli Lilly, says he doesn't see the case for a significant expansion of the audit committee's reporting requirements. He does, however, see the value of voluntary efforts to disclose more. Omeros' audit committee, for example, is studying disclosures by other audit committees and considering whether to expand its own committee's reporting. “We may put a little more meat around what we do and what we've done during the past year,” Hanish says. “Maybe a little more substance than was previously disclosed.”

Mark Greenfield, a partner at law firm Blank Rome, says he doesn't see as much resistance to increased reporting as the KPMG survey might suggest. “Reporting is a key function of audit committees,” he says. “It's a trend. Experienced and strong audit committees will embrace the task rather than rebuff it.”