What Canadian audit committees should consider at year-end

Rather than avoiding risk, evolved companies will focus on mitigating risk to a tolerable level and, ultimately, optimizing it to drive competitive advantage. Boards have a role to play in challenging organizations to embed risk management in their strategic decision-making and leverage digital capabilities to harness risk intelligence across their enterprises. Such an approach strives to balance upside, downside and outside risks; instill a digital risk mindset and culture; digitize risk intelligence, monitoring and reporting; and consider embedded risks in strategy and operations. That means evaluating business risk drivers, prioritizing opportunities and remediation activities, designing risk response plans to optimize value and return on investment, and keeping risk within acceptable levels of risk tolerance and appetite.

To further facilitate this shift in ERM focused on strategy and operating performance, audit committees are expecting the internal audit (IA) function to go beyond controls auditing to provide assurance over governance and emerging risks. Leading audit committees are also encouraging companies to perform their risk assessments more frequently than once a year with IA adopting the “six-plus-six” approach to audit planning and risk assessments (i.e., a risk-based rolling plan of IA work that is updated every six months). Such a flexible and dynamic approach allows organizations to better meet the changing needs and priorities.

The cyber threat environment alone is such that it is only a matter of time before all businesses will suffer a cyber breach. And as consumers become more aware of (and potentially alarmed by) the extensive sharing of their data in the digital economy, and as global data protection laws and regulations proliferate, data privacy risks are growing in number and scope. More than ever, organizations need to be confident that their complex and evolving digital platforms are safe and secure. The boundless possibilities, efficiencies and conveniences of digital are bundled with evolving and emerging risks and challenges, from business disintermediation, cybercrime, data loss and technology outages to third-party risks.

With the EU’s General Data Protection Regulation (GDPR) now legally enforceable and the passing of the California Consumer Privacy Act (which provides the most sweeping, comprehensive consumer privacy rights in the United States), organizations must bolster their cyber defenses to be certain that the personal data collected in each jurisdiction are properly maintained and managed.

Boards and audit committees should view GDPR and data privacy legislation as an opportunity to evaluate, streamline and standardize data processes and procedures, so that risk management controls are primed for the increasingly stringent regulatory requirements that are expected to come.

While the boards’ obligation extends to achieving regulatory compliance, all stakeholders across the organization are responsible for working together to create resilience. Some key board considerations include:

• How cybersecurity and personal data risks are featured in the organizational risk assessment
• Whether controls relating to the collection, processing and use of personal data and its security are compliant with data protection requirements
• In the event of a personal data breach, whether there are established response procedures that are built into the business continuity plans
• How often the board will be updated on data protection and cyber matters
• How data protection policies will be communicated internally and externally to build buy-in and assurance for all stakeholders.
  
  Audit committees should assess whether compliance with data protection and privacy laws is a process that is continually evaluated and evolving within the organization.

Boards also must exercise vigilance in confirming that organizations are properly monitoring the heightened risk presented by third-party service providers in a digital world. These providers often have access to a company’s data and its internal systems, which raises concerns and serious potential risks related to fraud, cybersecurity and the company’s reputation. It is paramount that effective governance structures be put into place to manage these risks. Companies may opt for a centralized third-party risk management structure, a decentralized model that provides oversight at the business unit level, or some combination of the two approaches.

Regardless of which model an organization adopts, the board can challenge the company to construct a clear profile of all third-party partners and the potential risks they pose. This means insisting on proper due diligence, strong contracts that protect the company, and methods to consistently evaluate and monitor each service provider (including the third parties’ compliance with stipulated codes of conduct). Companies must have a fundamental understanding of their business processes: how their data is being secured by hosts who are managing their information in the cloud, clarify with clients or customers whether employees with whom they are working are client employees or third party, as well as how their data is being managed through robotic process automation and artificial intelligence.

In a world of changing business models, the explosion of data, and increased regulation and enforcement, integrity remains a critical foundation for driving the ethical and compliance-oriented behaviors needed to protect businesses and business reputations. EY’s 15th Global Fraud Survey found that fraud and corruption remain among the greatest risks to businesses today, and a significant level of unethical conduct is ongoing, with junior professionals more likely to justify fraud. How an organization brings integrity into its culture will become increasingly important.

In this environment, board oversight of corporate culture, controls and governance through an integrity lens is a growing priority. Audit committees should work hand-in-hand with the board and other committees to create and define a culture of ethics and integrity that is modeled by the board, executives and other management and expected of all employees and other members of the workforce — even as the workforce is radically changing. The cultural values should also apply to third parties with which the company regularly does business, including key suppliers and business partners. Audit committees will also need to work ever more diligently to help make sure that company codes of conduct and ethics, compliance programs, whistle-blower policies and procedures, and related employee engagement and training programs are effective in defining and enforcing ethical behaviors.

Overseeing whether the compliance function is effective and appropriately evolving through advances in governance practices and technology is also critically important. Clear assessments of the effectiveness of compliance and ethics policies and programs can lead to more effective risk management, a stronger culture of compliance, ethics and integrity, and increased transparency. With the introduction of digital compliance tools, such as predictive analytics and real-time risk alerts, forensic data analytics can significantly improve the effectiveness and efficiency of monitoring and reporting. Along with providing better data insights, leveraging new technologies may also better optimize resources, which can be critical with budget restraints. Leading companies are also using artificial intelligence technology to replace classroom and web-based training with individualized risk-based communications in real time.

Boards and audit committees should set the right tone at the top by clearly and consistently communicating and demonstrating a clear culture of compliance, ethics and integrity, and by verifying that ethics and compliance policies and procedures (backed by effective training and consistently applied enforcement) are working to maintain the culture and deliver effective compliance.

With the effective date of the new IFRS 16 leases standard nearing (effective for all entities with annual reporting periods beginning on or after 1 January 2019), lessees are required to recognize right-of-use assets and related lease liabilities on the balance sheet for operating leases, which is a significant change from the previous lease standard. Entities should be implementing new accounting policies, processes and controls, including controls over any new or modified information technology (IT) systems they will use to account for leases.

To reduce the cost and complexity of implementation, the International Accounting Standards Board (IASB) has developed the standard to provide transition options for all entities and helpful practical expedients for lessees. One transition option allows entities to not apply the new guidance in the comparative periods they present in their financial statements in the year of adoption. Some helpful practical expedients for lessees include not having to recognize the right-of-use asset or related lease liability for low-value or short-term leases if certain criteria are met, and not having to separate non-lease components from lease components.

While the transition options may mitigate some of the costs and complexities associated with the adoption of the new leases standard, the effective date of the standard has not changed. The level of effort necessary to apply the new standard by the effective date may be significant. Audit committees should encourage management teams to stay focused on their implementation efforts, regardless of whether they plan to elect the new transition option.

As lessees prepare to adopt the new standard, audit committees should discuss with management the status of their implementation plans, key accounting policies the company elects, the impact on their processes and controls, and how management intends to communicate these to its stakeholders.

Both the new revenue recognition and new financial statements standards came into effect in 2018 for all calendar year-end reporting issuers. There are significant new disclosures required and entities may also be required to present certain new line items under the new standards. Aside from the transitional disclosures, regulators will also be carefully reviewing the ongoing disclosures made in 2018 annual financial statements. Audit committees should discuss with management the status of the draft disclosures and the key changes to the presentation and disclosures to comply with the new requirements.

In December 2018 the Accounting Standards Board of Canada (AcSB) issued its framework for reporting performance measures. The Framework provides voluntary guidance to enhance the relevance of financial reporting and was created to help entities- from public to private companies, to not-for-profits and pension plans- improve the quality of financial and non-financial performance measures they choose to report outside of the financial statements.  The Framework sets out best practice guidance for selecting, developing and reporting performance measures as well as guidance on implementing and maintaining controls and governance practices.

The Canadian Securities Administrators (CSA) performs continuous disclosure (CD) reviews of selected issuers on an annual basis. For the fiscal year ended 31 March 2018, the CSA conducted 840 CD reviews (down from 1,014 reviews in fiscal 2017). They reported that 51% (2017 – 43%) of the selected issuers reviewed required issuers to act to improve and/or amend their disclosures, with 18% (2017 – 13%) of their review outcomes requiring issuers to refile and 8% (2017 – 6%) resulting in the issuer being referred to enforcement, cease traded or placed on the default list.

The key CSA observations relating to financial statements were on the classification of items in the statement of cash flows, the adequacy of disclosure on fair value measurements on level 3 instruments, and the adequacy of disclosure on the adoption of new accounting policies.

Although the above statistics were overall better than fiscal 2016 and 2015, audit committees should continue to evaluate the adequacy of the company’s presentation and disclosures, including the consideration of presentation and disclosures provided by peer companies, industry practice and other leading practices.

Like previous years, the CSA continued to focus on non-GAAP measures, the adoption of new accounting standards, and reducing the regulatory burden for reporting issuers. In addition, cryptocurrencies and cannabis are also increasingly important topics for the Canadian securities regulators.

Some of these regulatory focus areas are summarized below.

In October 2018, the CSA published for comment Proposed National Instrument 52-112, Non-GAAP and Other Financial Measures Disclosure, which proposes disclosure requirements for issuers relating to the use of non-GAAP and other financial measures. The CSA has consistently commented on deficiencies in disclosure of non-GAAP measures over the past few years, and the Proposed Instrument is intended to improve consistency and transparency. Once implemented, these new mandatory requirements will have the force of law, replacing the existing guidance provided in CSA Staff Notice 52-306.

Companies should assess their processes, including governance processes for overseeing compliance with the Proposed Instrument, especially now that the Instrument will have the force of law and will be a stronger tool for enforcement.

With increases in the number of Canadian cryptocurrency offerings and the number of reporting issuers with cryptocurrency holdings, the CSA has issued two Staff Notices (46-307 and 46-308) to provide guidance on initial cryptocurrency offerings and securities law implications for offerings of crypto coins or tokens. In addition, there are many complexities and developments in the accounting for cryptocurrencies from both the holder and issuer perspectives that are of concern to security regulators. Audit committees should ensure they are current with regulatory and accounting developments in this area if applicable and ensure those are considered for financial reporting purposes.

With the growth of the legal cannabis industry in Canada and increasing number of reporting issuers in this space, the CSA published Staff Notice 51-357, Staff Review of Reporting Issuers in the Cannabis Industry, in October 2018. The staff notice highlights key findings based on the review of 70 Canadian reporting issuers, and provides guidance and good illustrative disclosures to issuers with the objective of increasing the transparency of information provided to investors.

All licensed producers reviewed and acted to improve their disclosure in response to issues raised by the CSA. Where applicable, audit committees should discuss this Staff Notice with management to ensure any identified deficiencies are addressed.

The number of comment letters issued by the SEC staff continued to decline in 2018, but the adoption of new accounting standards could slow or reverse that trend. Over the next year, the SEC staff is expected to focus on accounting under the new revenue standard, disclosures about how companies will be affected by new standards on leases and credit impairment, disclosures about cybersecurity and accounting for income tax reform.

The SEC staff continues to comment most often on accounting areas that require significant judgments and estimates. The top five most frequent comment areas in 2018 and 2017 were on management’s discussion and analysis (MD&A), non-GAAP financial measures, fair value measurements, segment reporting and revenue recognition.

The Tax Cuts and Jobs Act (TCJA) significantly changed US income tax law, and companies accounted for the effects of these changes in the period that includes the 22 December 2017 enactment date.

The SEC staff issued SAB 118 to provide companies that had not completed their accounting for the TCJA’s income tax effects in the enactment period with an extension of up to a year. Since the SAB 118 measurement period cannot extend beyond one year, calendar year-end companies are required to finalize any provisional balances by 31 December 2018. Companies filing under IFRS did not have SAB 118 type guidance to provide a measurement period to complete the accounting for the effects of the TCJA.

The US Treasury Department and the IRS began releasing major TCJA-related proposed regulations during the summer of 2018 and are expected to continue through spring 2019. Key proposed regulations addressed the law’s transition tax, the new global intangible low-taxed income (GILTI) regime, qualified business income (QBI) deduction, additional first-year depreciation deduction, and the new provision to encourage investment in Opportunity Zones.

The proposed regulations will be finalized after comment periods for those interested in sharing suggested changes or other observations. Companies trying to plan in the near term face some risk as they await the release of anticipated further TCJA guidance, especially around some of the complex international provisions of the law.

Further TCJA clarification — a general explanation of the new law — is also expected by year end from the Joint Committee on Taxation’s Blue Book. And while there have been calls for technical corrections legislation to resolve drafting errors in the final legislative language, it’s unlikely that this type of legislation will move forward in Congress in 2018.

In late September, the House of Representatives advanced three bills as a follow-up effort on tax reform, or “Tax Reform 2.0,” aimed at three areas:

• Making the individual and small business tax cuts permanent
• Promoting savings for families and retirement
• Spurring innovation
  
  It’s unlikely that the Senate will take the measures up this year. With so many avenues of clarification around the new tax law and the potential for additional tax legislation in the years ahead, audit committees must stay up to date with tax policy developments in real time. 

On 21 November 2018, Canadian Finance Minister Bill Morneau presented the fall economic statement in the House of Commons. The statement included some tax measures, which were in part proposed because of US tax reform. On the same day, a notice of ways and means to amend the Income Tax Act and the Income Tax Regulations to effect these proposed changes was tabled.

The statement introduced new capital cost acceleration measures, including full expensing of manufacturing and processing machinery and equipment, full expensing of clean energy equipment, and measures to accelerate the capital cost allowance for other types of capital property. In addition to the capital cost allowance measures, the fall economic statement introduced various tax credits and other measures to support certain industries.

Recent trade policy shifts from governments around the world could have significant implications for Canadian companies. Actions such as the use of targeted tariffs and the renegotiation of the 24-year-old North American Free Trade Agreement (NAFTA) are examples of policy shifts that businesses need to keep an eye on.

Shifts in approach to trade policy can have a real impact on businesses. For example, the US administration has imposed various tariffs on imported intermediary goods, or parts, used by US businesses to make finished products. Many countries, including Canada, have retaliated by imposing their own tariffs on US exports, Tariffs can increase costs for businesses and could lead them to cut other expenses, including labor costs, among other options. Tariffs on exports potentially make products less attractive to overseas purchasers.

Current trade policy developments are very fluid. For this reason, it’s critical that businesses understand the issues associated with the changes to trade policy in the countries in which they operate, examine the potential impacts to their operations and consider expressing their views. Boards need to understand management’s approach to addressing this and other potential geopolitical and regulatory developments, including impacts on strategy and risk management.

On 21 June 2018, the US Supreme Court held in South Dakota v. Wayfair that physical presence in a state was not necessary to create taxable nexus for sales and use tax purposes. Because of the decision, additional states may now begin requiring remote sellers, such as companies based in Canada, to register, collect and remit taxes on transactions with in-state customers regardless of the seller’s physical presence in the state, provided they don’t impose undue burdens on interstate commerce.

States have already begun to respond by revising their sales and use tax rules, and companies will need to track issues such as retroactivity and prospective tax liability on a state-by-state basis. A company’s facts and circumstances should be reviewed with respect to each jurisdiction in which it may have a state tax filing obligation, regardless of physical presence.

Around the world, the focus on digital tax policies has evolved quickly, mirroring the rapid integration of digital into the business landscape. Tax policymakers are trying to keep pace with this growing trend, with some countries and supranational groups exploring different digital taxation models. A current lack of agreement on how to proceed, however, threatens to create a confusing tax landscape, with a patchwork of different proposals for businesses to navigate. Increasingly, audit committees will need to verify that the company’s tax strategy supports its digital ambitions while also protecting the organization from tax uncertainty.

Boards and audit committees should begin discussing their companies’ existing digital activity and pipeline projects in new ways and assess the related tax implications. This effort will require knowledge of the digital tax approach of countries and states in which they do business, and committing resources to measuring and addressing any resulting tax risks. These risks need to be weighed against the company’s digital goals to determine whether tactics, strategy, structures or business models may need modifying.

Boards and audit committees should assess the completeness of their companies’ investor communications. Investors need to know about tax risks related to digital activities that may reduce profits if these taxes go into effect. Boards should be informed about the possibility and potential impact of restructuring parts of a digital strategy and the potential need to exit lines of business or markets depending on how tax proposals advance.

While the complex issues of how to tax digital activity are not likely to be resolved any time soon, the debate has implications for all businesses that have digital assets. As such, boards and audit committees will want to closely monitor the evolving discussion and related digital tax developments.

Tax operating models are at an inflection point. External pressures, including technology disruption and talent availability, are significantly challenging current tax operational strategies. Companies are looking at their short- and long-term requirements to efficiently and effectively manage their tax operations.

Audit committees should inquire of management as to whether their tax operating model is meeting the organization’s needs. Leading organizations are reconsidering their tax functions (e.g., fully internally sourced, outsourced or a hybrid model) to design a more efficient operating model by leveraging lower-cost resources and emerging technologies, such as robotic process automation and artificial intelligence.

EY has surveyed hundreds of institutional investors concerning their approach to ESG. More than 80% have told us their assessment of certain key risks would either rule out an investment or alter their view of the financial return required to offset the following concerns:

• Risk or history of poor governance
• Human rights risks from operations
• Limited verification of ESG data or claims
• Unmanaged ESG risks in the supply chain
• Risk or history of poor environmental performance
• Risk from resource scarcity
• ESG strategy and business strategy not linked in the near, medium and long term
• Risk from climate change

These risks align closely with those that major investor ESG rating organizations such as MSCI and Dow Jones are focused on, as well as global ESG reporting frameworks.

To meet investors’ requirements, companies will need to ensure they have adequately addressed their consideration and management of these risks. They must also determine how they can effectively convince investors they’ve done so.

Many companies are striving to improve their governance and enterprise risk management processes. These processes are key to managing ESG risks. Absent an effective process to manage overall business risk, it’s difficult to manage ESG risks that touch so many aspects of an organization’s strategy and operations.

A sound risk management process will enable strategy development that considers material ESG risks in the context of the company’s mission and core values. It will also translate the strategy into business objectives and performance goals and activities that address the risk in a desired fashion. The process will provide clear reporting and evaluation around meeting objectives and enhancing value.

While companies often struggle with whether their risk management process is sufficient, in 2017 clear specific guidance published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) outlined the 20 principles of an effective enterprise risk management framework. This principles-based approach provides companies with a clear benchmark that addresses many of the concerns investors are voicing around governance.

In 2018, COSO and the World Business Council for Sustainable Development published guidance as to how the COSO enterprise risk management framework could be applied to ESG risks. This guidance provides a roadmap for how management can challenge their approach to managing ESG risks relative to leading practice governance principles.

With well over a dozen accepted frameworks to report ESG information, such as the United Nations Sustainable Development Goals, the Global Reporting Initiative (GRI) Framework and Sustainable Accounting Standards Board (SASB) standards, it’s difficult to determine the best route to disclosure.

Investors tell us they struggle to make use of the multitude of data currently published under the current disclosure frameworks, and that the qualitative information is often generic or incomplete with respect to dealing with investors’ perception of risk. Many investors rely to some degree on third-party ESG rating agencies, such as the Dow Jones Sustainability Index, but there’s no standardized methodology for conducting ESG ratings. For this reason, most investors use rating data to supplement their own analysis of the investment risk created by the effect of ESG factors on the company and how well management is responding.

Against this backdrop, in November 2018 another investor-led initiative, known as the Embankment Project for Inclusive Capitalism, published a report compiled by leading investor and corporate participants that set out a direction for how companies could better report measures that help focus on long-term value.

The project participants formed a strong consensus that risk and performance in six factors were most important to focus on. Three of the six factors were environmental, social and governance; the other three were talent, innovation and consumer trends. While the report provides helpful thinking, it doesn’t offer the magic bullet of measures to report, since these will vary by industry and company.

One key takeaway from the report is that companies need to explain how they assess and manage risk for these six factors in a clear manner that’s transparent with respect to the nature of the risks, potential impacts, management’s objectives and success measures.

In the current year, issuers also need to address the recommendations of the International Task Force for Climate-Related Disclosure. These recommendations are focused only on climate change-related risks, but also ask users to make disclosures around the themes of governance, strategy, risk management processes, and metrics and targets.

We strongly encourage companies to consider whether they can adopt or better align their ESG governance with the principles-based COSO risk management framework. This represents a well-respected common roadmap that should give the board and investors comfort. Not only does it provide a strong approach to managing risk, but letting investors know you’re using it could give them confidence that’s hard to build through existing ESG disclosures.

In March 2018, the CSA issued an update on the status of Consultation Paper 51-404 that presented considerations for reducing regulatory burden for non-investment fund reporting issuers. Based on comments gathered from various stakeholders, the CSA has initiated six policy projects on the following topics:

• Potential alternative prospectus model
• Removing or modifying the criteria for Business Acquisition Reports
• Facilitating at-the-market (ATM) offerings
• Revisiting primary business requirements
• Revisiting certain continuous disclosure requirements
• Enhancing electronic delivery of documents

Any potential changes to the regulatory regime will follow standard policy making due process with publication of any proposed amendments for comment. 

In October 2018, the Canadian Auditing and Assurance Standards Board (AASB) approved revisions to Canadian Auditing Standards (CASs) to require auditors to communicate key audit matters (KAMs) for audits of TSX-listed entities, other than those required to comply with NI 81-106, for financial statement periods ending on or after 15 December 2020.

KAMs are defined as those matters that, in the auditor's professional judgment, were of most significance in the audit of the financial statements of the current period. Key audit matters are selected from matters communicated with those charged with governance.

The PCAOB standard includes a similar reporting concept to communication of KAMs — critical audit matter reporting — that will be effective for certain US issuers for audits of financial statement periods ending on or after 15 June 2019, and all other US issuers to which the requirements apply for periods ending on or after 15 December 2020.

The AASB is in discussions with the SEC and the PCAOB to develop a combined report that would be acceptable in both Canada and the United States for joint Canadian/SEC registrants.  In the meantime, it will not be possible for auditors to issue combined reports for financial statement periods ending on or after 15 December 2018.

Management and audit committees are encouraged to work with their auditors to understand the requirements related to KAMs, including the process of determining and describing KAMs, and any expected changes in the audit process. This will help reporting issuers prepare for questions that may be received from investors, regulators and others.

The Canadian Public Accountability Board (CPAB) inspected 77 out of 80 planned (2017:86) audit engagement files across the Big Four audit firms in 2018 and identified significant inspection findings in 14 (2017:6) of those files. CPAB noted that all firms need to do more to fully embed audit quality across the whole assurance portfolio.

Deficiencies related to auditing fair values in business combinations, impairment of assets and revenue recognition represented approximately half the significant findings in CPAB’s 2018 inspections cycle. The other half were related to significant but non-complex account balances and transactions streams where basic audit procedures were either not performed (e.g. inventory counts not attended) or not performed appropriately (e.g. testing of inventory costing was insufficient).

In 2018, CPAB began to introduce a new inspection methodology to assess Big Four audit firm quality management systems. CPAB noted that each firm has made and continues to make a significant effort to improve, better articulate and document its quality management processes and controls, and to link them to CPAB’s five assessment criteria: accountability for audit quality, risk management, talent management, resource management, and oversight.

CPAB noted that it continues to work with stakeholders on several critical audit quality matters that should also be top of mind for directors of public companies, including regulatory access to audits done in foreign jurisdictions, the growing number of reporting issuers with crypto-assets in the Canadian market, and the automation of the audit.

Five new PCAOB members have been sworn into office since January 2018, including new PCAOB Chairman William (Bill) D. Duhnke III. The PCAOB is expected to maintain its focus on promoting high audit quality through its inspection program, among other things. One of the new Board’s first acts was to seek public input on priorities to include in the PCAOB’s  2018–2022 strategic plan, the first time the PCAOB has done so. In December, the PCAOB’s new Director of Registrations and Inspections, George Botic, gave a speech commenting that the PCAOB is going through a process of transformation- focused on people, process, and technology and has reassigned inspectors to assist with approximately 15 transformation workstreams.

In December 2018, the UK Competition and Markets Authority (CMA) published an update paper on its market study into the audit sector. Independently, at the request of the UK Secretary of State for Business, Energy and Industrial Strategy, Sir John Kingman presented his independent review of the UK regulator, The Financial Reporting Council (FRC).

CMA proposed reforms include:

• Operational separation between audit and non-audit services: splitting the firms’ audit and non-audit businesses into separate operating entities, with separate management, accounts and remuneration, but under the same organizational umbrella. 
• Close regulatory scrutiny of audit appointment and management to make sure those appointing auditors are held to account and independent enough to choose the most challenging audit firm, rather than — for example — the cheapest.
• Joint audits: audits of the UK’s biggest companies (FTSE 350) should be carried out by at least two firms, at least one of which would be from outside the Big Four. A possible alternative is a market share cap, ensuring that some major audit contracts are only available to non-Big Four firms.

EY has consistently expressed its strong view that the multi-disciplinary model provides the structure, breadth and depth of technical skills and industry expertise necessary to meet our public interest obligations to deliver high quality audits. We don’t believe moves that dilute this will improve audit quality. We welcome the CMA’s proposals for increasing transparency and accountability around the tendering, appointment and re-appointment of auditors. We don’t believe that either joint audits or market share caps will enhance audit quality.

Kingman review recommendations include:

• Replacing the FRC with a new independent, statutory regulator, accountable to Parliament with new leadership, clarity of mission and powers.
• Giving the new regulator significant powers to investigate concerns relating to companies, that holds all relevant directors, not just members of professional bodies, to account for their duties to prepare and approve true and fair corporate reports.
• Giving the new regulator the duty to promote competition and innovation in the audit market. 

Risk management

1. Do the organization’s ERM practices incorporate forward-looking insights and use of data analytics to determine trends and predictive indicators?
2. Has management clearly articulated the key individual risks and aggregate risk to achieving its strategic goals and properly applied the organization’s risk tolerance to determine risk management priorities?
3. Is the organization continually scanning the risk landscape and responding? Is its risk mitigation approach shifting from reactive to predictive response strategies?
4. Is the organization harnessing emerging technology to better mitigate downside risk?
5. Is the organization’s talent pool equipped to meet the changing needs of the risk function?
6. How does the company incentivize executives, as well as lower-level employees and third parties, to act ethically? And how does it instill the concept of employees taking individual responsibility for the integrity of their own actions?

Financial reporting

1. What key actions has management taken to implement the new leasing standard? What key actions are needed to improve readiness for implementation and disclosure?
2. Did the entity consider the impact of the new standards on the patterns of revenue and lease-related expense recognition and its effect on financial covenants, incentive plans, etc.? What disclosures has management provided or considered on these changes?
3. Has the company’s management sufficiently challenged the adequacy of its presentation and disclosures required under the new revenue and financial instrument standard, particularly in areas that require significant judgment or estimates (e.g., disaggregated revenue disclosures, identification of performance obligations, expected credit loss policies and forward-looking information assumptions)?
4. What internal controls has management designed around both its implementation process for new accounting standards and ongoing processes for accounting under the new standards?
5. How is technology changing the company’s finance function, and what sort of assurance is the audit committee getting that financial information integrity is preserved during and after any transition (including during implementation efforts)?
6. Has the company’s management sufficiently challenged the adequacy of disclosures of its non-GAAP measures in the MD&A or other continuous disclosure documents? Is there equivalent disclosure emphasis on GAAP measures compared to non-GAAP measures?

Tax

1. How is the company staying abreast of the latest developments in both tax and trade policy matters?
2. Has the company performed any modeling on the impact of tax reform changes or trade policy changes such as tariffs?
3. Has the company modeled different scenarios related to its digital activity and considered the potential tax implications of recent regulatory developments? How is this information communicated to the board?
4. Does the company have sufficient resources to track and analyze recent changes in regulations and legislation?
5. How is the organization attracting, retaining and developing the talent (e.g., scientific, technology, engineering and math skills) needed in today’s and tomorrow’s tax and finance functions?
6. Does the tax organization have a sustainable model to address challenges, such as tax reform requirements, a digital tax administration and evolving global tax reporting obligations?
7. How does the board effectively communicate changes in tax strategy to shareholders and the public? Are disclosures and related risk factors in the company’s public filings updated and appropriate given the company’s planned digital activity and recent regulatory tax developments?
8. Does the company have a strategy for engaging on tax policy issues?

Environmental and social governance

• Do you have a clear process to engage the board and executive management in an exercise to identify ESG factors affecting your business and their strategic implications?
• Does your ESG risk identification and related mitigation strategy development consider all scenarios of how a key risk could affect your business over the near, medium and long term?
• Do you establish ESG operational objectives and measures to manage your progress addressing ESG factors, and do the board and management regularly monitor these measures?
• Have you established a clear link between performance evaluation and remuneration and achievement of your ESG objectives among all relevant personnel?
• Is your shareholder communication clear and candid about your key risks, your business response objectives and your progress towards relevant internal goals?

Regulatory developments

1. Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
2. How has the role of the audit committee evolved in recent years (e.g., oversight of enterprise risk management, cybersecurity risk), and to what extent are these changes being communicated to stakeholders via the proxy statement?
3. What discussions has the audit committee had with its independent auditor regarding audit quality matters, especially the Canadian Public Accountability Board’s (CPAB’s) Big Four audit firms’ public inspection report?
4. Has the audit committee had discussions with their auditor to understand the key changes to the audit report and related processes that will be used to meet disclosure requirements for key audit matters/critical audit matters?
5. What impact will new auditor reporting requirements have on audit committee disclosures?