9 minute read 21 Sep 2021

How audit committees can prepare for 2021 Q3 reporting

By Jennifer Lee

EY Americas Center for Board Matters Audit and Risk Specialist

Provider of board and audit committee insights. Conversant on financial reporting, risk and regulatory issues. Dedicated to family, team and client.


Recent and upcoming developments impacting Q3 reporting and beyond.

In brief

  • Understanding the critical drivers of risk will help audit committees assess the near- and long-term implications for companies. 
  • Audit committees should evaluate how the uneven economic recovery and evolving business environment might impact the financial reporting processes.
  • It is important to monitor developments from the SEC and other regulatory authorities, especially as they relate to reporting requirements and disclosures.

Risk management

With rapidly changing economic conditions shaping federal policy responses, understanding the current business environment and predicting future conditions remain challenging — especially since the economic recovery remains uneven across geographies and sectors. Audit committees should stay on top of the economic recovery trends and other critical drivers of risk (e.g., political, economic, societal, technological, legal, and environmental) to better assess the near- and longer-term risk implications to companies. As management teams continue to recalibrate operations to align with these ongoing forces and changing market dynamics, some key actions to take include the following:

  • Continue to review updates to scenario plans, stress testing and contingency planning. Assess whether an appropriate range of extreme (and even improbable) scenarios as well as compounding effects are being evaluated.
  • Assess how the enterprise risk management (ERM) program and risk assessments are being regularly updated to reflect the changes to the internal and external operating environment.
  • Determine whether the organization has access to reliable real-time data sources, tools and talent to identify risks and related issues. Consider how identified risks (including those around the ongoing pandemic and recovery as well as potentially more significant cyber-risk exposure) and external data are incorporated into business decisions, scenario planning, stress testing, prospective financial information and models (e.g., impairment analyses and goodwill assessments), resources and timelines.
  • Continue to assess ways to enhance risk management within the organization to better enable business units (i.e., the first line) and risk and compliance functions (i.e., the second line) to continuously monitor baseline risks.
  • Assess how internal audit is adjusting its risk assessment process to be more dynamic and technology-enabled in its risk identification and prioritization. Evaluate how internal audit can continue to broaden its focus from detection based on past results to be more predictive in identifying control failures and risk triggers on a real-time basis.
  • Determine whether the organization has assessed and modeled the effects of potential tax changes to federal, state and foreign tax laws on overall business operations, particularly the Biden tax proposals now working their way through the House. Consider how evolving tax policy and new tax laws may impact any significant transformations (e.g., workforce changes, digital and supply chain transformation, M&A).
  • Evaluate how the organization is assessing and mitigating risks in light of ongoing political and social unrest, including impacts to the company’s culture and relationships with stakeholders (including employees and customers).
  • Understand how management is assessing and managing risk aggregation and interdependencies across the company’s entire value chain, including resiliency, suitability, and social and environmental impacts of its supply chains and other third parties on which the organization relies. Consider critical functions, processes and significant multiple party dependencies and related risks, including cyber-risk among key suppliers.
  • Evaluate how the organization is assessing and managing risks associated with ongoing and phased returns to the workplace while considering the evolving interdependencies of governmental requirements, community health matters, workforce needs and customer preferences.
  • Continue to evaluate whether future plans will change risks or necessitate changes in the design of internal controls. Consider how process changes, including people changes (e.g., terminations, hiring, reorganizations, hybrid work environment), are impacting the performance and effectiveness of key controls and the potential for control deficiencies along with heightened fraud risks.
  • Evaluate whether new fraud risks arise or current fraud risks change in the current environment.
  • Evaluate how management drives a culture of accountability and inclusiveness and evolving people, health and safety policies to safeguard and enhance employee well-being, engagement and productivity.
  • Assess whether the organization has the appropriate tools, technology and IT infrastructure to support remote execution (and evaluation) of controls in a virtual or hybrid environment.
  • Consider whether information security measures and other controls have been reviewed and adapted to respond to ongoing digital acceleration efforts, technology changes and the shifting business environment. Further, inquire of management what degree of assessments and testing have been performed to infuse cybersecurity proactively (e.g., Trust-by-Design) in all major strategy or tactical decisions such as transactions, alliances, new products or services, and technology upgrades. 
  • Assess how the organization maintains a consistent level of diligence and cyber hygiene to defend against the continued wave of ransomware and cybersecurity attacks. Evaluate plans to monitor, evaluate, communicate and disclose cyber attacks.
  • Determine whether management has elevated the sophistication of its cyber incident response plans, and accordingly practiced those updates through more rigorous simulation drills, including surprise exercises that most closely resemble real-world attacks.
  • Assess the efficacy of the company’s cyber insurance coverages. Inquire with management whether additional terms and conditions have been recently added and evaluate the related implications.
  • Consider what additional metrics the board and audit committee should monitor in light of the changing environment and factors outlined in this section. 

The board imperative: is now the time to reframe risk as opportunity?

Whether due to growing regulatory pressure or the disruption caused by COVID-19, robust risk management has risen up the agenda for boards in the past 18 months. We recently surveyed 510 global directors to uncover their views and perceptions on ERM within their organizations, determine the hallmarks of effective risk management, and identify the actions boards can take to improve risk oversight.

Some notable highlights from our survey include the following:

  • COVID-19 was not only a major risk event in itself — but it was also an accelerator of risks that were already omnipresent, including cybersecurity attacks, supply chain disruption, geopolitical tension and other external threats. Nearly 83% of board members believe market disruptions have become increasingly impactful, and 87% think they have become increasingly frequent.
  • We find that the key attributes of high-performing risk management leaders include three key behaviors: risk is viewed through a long-term horizon (ideally more than five years); risk management priorities are aligned with business strategy; and there is a greater focus on managing emerging risks, atypical risks and external risks.
  • Directors rank unfavorable economic conditions, technology and digital disruption and changing customer expectations as the top three risks that will moderately impact their business during the next 12 months. Additionally, changing customer expectations, climate change and sustainability, and changes in the regulatory environment are noted as the top three risks that have grown in importance compared to the prior year.
  • Directors noted a misalignment between corporate culture and strategy as the greatest workforce-related risk management challenge. Our study shows that 80% of companies leading on risk management often or always talk about the culture needed to support the organization’s strategy at board meetings.
  • Despite the criticality of risk management, many board members lack confidence in their organization’s capabilities. For example, just 18% believe that their organization’s disaster response and contingency planning are highly effective, and only 13% believe that their organization is highly effective at embedding risk and compliance activities. 

As companies build enterprise resiliency and revisit their risk management practices, audit committees and boards should continue to monitor the risk landscape and assess its implications. Refer to our 2021 Global board risk survey for additional insights into leading boards to improve risk oversight and drive long-term growth and transformation.

Accounting and disclosures

As organizations adapt to the uneven economic recovery and the recent outbreak of the Delta variant, we anticipate audit committees will continue to evaluate these evolving impacts and changes on their financial reporting processes.¹ Key considerations may include the following:

  • Evaluate and consider more expansive disclosures in areas such as changes in internal control over financial reporting, management discussion and analysis (e.g., impacts of labor shortages and/or labor market conditions), risk factors, critical accounting estimates, liquidity and current vulnerabilities due to certain concentrations (e.g., customer, supplier, geographic).
  • Continue to re-evaluate earnings and other performance or financial position guidance previously provided and the ability to provide future direction.
  • Re-evaluate the use of non-GAAP measures — consider whether any changes in non-GAAP financial measures (or key performance indicators) are appropriately disclosed and consistently applied in all periods.
  • Obtain an update on how management communicates, monitors, and enforces insider trading and Regulation FD policies, including whether those policies have changed or may need to change to address material undisclosed business developments.

SEC and other reporting considerations

The Securities and Exchange Commission (SEC) released its annual regulatory agenda highlighting the priorities of new Chair Gary Gensler among the short- and long-term regulatory actions it plans to take. Key SEC rulemaking areas include disclosures about climate change and other ESG matters, such as board diversity and human capital and cybersecurity risk governance.

The SEC further plans to propose rules related to special purpose acquisition company mergers and address unfinished rulemaking mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, including finalizing pay versus performance rules and reproposing rules requiring exchanges to mandate the claw back of certain incentive-based compensation upon a financial statement restatement.  The SEC also intends to reconsider and further evaluate proxy rulemaking and several other recently amended rules, including those involving the disclosure of payments by resource extraction issuers and shareholder proposals.

Given the dynamic regulatory environment, audit committees should continue to monitor information from the SEC and other regulatory authorities, including how the potential rulemaking may impact reporting requirements and related disclosures. Key actions for the audit committee may include the following:

  • Evaluate the implications arising from potential SEC rulemaking related to climate changes and ESG matters under the new leadership and the shift in the Commission’s priorities.
  • Assess how management has considered the Commission’s 2010 guidance on climate-related disclosures, which addresses how the existing SEC disclosure rules apply to climate change matters and the types of disclosures that might be required (e.g., companies may need to make climate change disclosures under Regulation S-K in the description of the business, discussion of legal proceedings, risk factor disclosures, and/or management’s discussion and analysis).
  • Evaluate whether the company has robust and adequate disclosure controls and procedures over the company’s existing climate change and other ESG disclosures in order to be ready for any regulatory action by the SEC (including any potential need for third-party assurance).
  • Continue to monitor how the company is addressing the requirements for disclosures about human capital resources as well as how those disclosures may evolve, including a consideration of market and investor feedback and related analyses, lessons learned from peer and sector practices, and SEC comment and review trends. Additionally, inquire as to ways management can enhance data- and information-gathering practices to further enhance the overall quality of these disclosures.
  • For Nasdaq listed companies: evaluate implications and related reporting considerations of the SEC’s recently approved rules proposed by the Nasdaq Stock Market LLC requiring all listed companies to meet certain minimum board diversity targets or disclose why they aren’t doing so.²
  • As a reminder, the SEC’s November 19, 2020, amendments to Regulation S-K Items 303, MD&A, will be mandatory for fiscal years ending on or after August 9, 2021 (e.g., effective for an annual report for a year ending on September 30, 2021).  The amendments add objectives to the requirements for MD&A and change or clarify the requirements for a number of items such as liquidity and capital resources, known trends and uncertainties, critical accounting estimates and off-balance-sheet arrangements.
  • Registrants with off-calendar year-end dates should be mindful of the effective dates and prepare for timely compliance with the amended rules. Key considerations for audit committees may include the following:
    • Evaluate whether sufficient disclosures, both quantitative and qualitative, have been provided to help investors understand the impact of estimation uncertainty on a registrant’s financial condition or operating results. To the extent material and reasonably available, such disclosure must include how much any critical accounting estimate has changed over a relevant period and a sensitivity analysis.
    • Review the discussion of a company’s liquidity and capital resources and assess whether it includes descriptions of material cash requirements, their general purpose and the anticipated source of the funds needed to satisfy them; assess whether sufficient discussions have been included to avoid a material loss of information for investors if the company chooses to eliminate the contractual obligation table.
    • If the company chooses to remove selected quarterly financial data tables, assess whether such removal is appropriate (e.g., whether there has been a material retrospective change affecting comprehensive income).

Adding value: perspectives on the audit committee’s dynamic role

With offices reopening and some boards resuming in-person meetings, audit committees are evaluating which board practices to resume and which approaches developed during the pandemic to maintain. Tapestry Networks recently convened six virtual meetings with the audit committee chairs of approximately 100 large US public companies to exchange views on how audit committees can maximize the value they deliver to their companies and boards. Tapestry Networks summarized the key points arising from these discussions in its recently released report Adding value: Perspectives on the audit committee’s dynamic role.

Some notable themes from these discussions include:

Adapting board and audit committee processes: most audit committee chairs found the virtual meetings to be efficient and generally effective — with some noting the ability to engage directly with a broader segment of company management. However, technology is not a replacement for in-person meetings, with many audit chairs noting that elements of culture and trust are difficult to replicate in a virtual world. Most audit committee chairs expect that in the future, committees will most likely utilize a combination of virtual and in-person meetings.

Reshaping audit committee agendas: many audit committee members noted ESG disclosure and performance as a newly emerging area of audit committee responsibility (in particular, the quality of ESG reporting and the design and testing of related controls used to verify its accuracy). Other topics raised as audit committee agenda priorities include revisiting their approach to risk oversight (including scheduling stand-alone deep dives on specific, high-risk topics), increasing their focus on cybersecurity and data privacy, attracting and retaining finance function talent, and re-assessing internal audit skill sets and talent.

Enhancing committee composition: as the scope and mandate of audit committees continue to evolve and grow, boards and audit committees are examining how best to strengthen their audit committee members so that the committee is adding as much value as possible. In addition to examining the mix of skills, backgrounds, diversity, and expertise, boards are rethinking board training and development initiatives and considering new approaches to tackle audit committee responsibilities.

As audit committees look to enhance their overall effectiveness, we encourage audit committees to consider these points and discuss ways to enhance their effectiveness.

Source: Tapestry Networks, Adding Value: Perspectives on the audit committee’s dynamic role, July 2021

Inquiries with management, compliance personnel and auditors

In discussions with management, compliance personnel and auditors, audit committees should consider the following in addition to standard inquiries:

Risk management-related inquiries

  • How is management understanding and monitoring the effectiveness of risk management of critical third parties with respect to financial and operational resiliency; IT security; data privacy; culture; and environmental, social and governance factors?
  • In the event of a ransomware attack, what protocols and criteria will be considered to determine whether, when or how ransom will be paid? For example, what are the insurance protocols? Should the organization have a ransom negotiator on retainer? Do system backups exist and what is the projected speed of deployment? If the ransom is paid to an ill-defined attacker located in an unknown location, what regulatory and legal implications might inadvertently be triggered?
  • What, if anything, is management doing to plan for potential tax policy changes under the Biden Administration, particularly the possible acceleration of revenue or deferral of expenses considering a probable increased corporate tax rate? Are there any forward-looking disclosures management should consider making in the quarter(s) ahead of possible enactment?
  • Does management have the resources within the tax function to keep pace with, and evaluate the impacts to the company of, new environmental/carbon taxes being legislated globally on a quarterly basis?
  • Have the organization’s tax planning strategies been re-evaluated to address possible shifts in supply chain, workforce (including tax implications of continuing remote work) and capitalization?
  • Does the organization have any cultural challenges to address as a result of social unrest and the racial justice movement? Are there new risks stemming from the changing environment?
  • Are there any resource concerns and, if so, what are the mitigating plans?
  • What more should and can be done through technology, training, and manager support to optimize connectivity, engagement, security, and productivity?
  • Has the organization revisited and updated its training programs to consider the current and changing business landscape, new controls, new systems, and revised regulations?
  • How is the organization monitoring compliance with federal, state, and local regulations and guidelines around reopening of businesses, employee/customer health and safety, privacy, and confidentiality?
  • Have there been any meaningful changes to the company’s key policies, any material exceptions granted or any unusual allowances to any compliance provisions? 

Accounting, disclosures, and other financial reporting-related inquiries

  • In anticipation of SEC rulemaking on disclosure of ESG-related matters, what steps will be taken to evaluate and adopt processes and controls related to potential new disclosure requirements?
  • Has management assessed whether the company’s current disclosures on climate-related matters consider the Commission’s 2010 guidance?
  • Does the company have sufficient controls and procedures over nonfinancial data? Is internal audit providing any type of audit coverage on ESG-related data or is the company obtaining any external assurance?
  • If ESG-related matters are being discussed in more than one place (e.g., SEC filings, earnings releases, analyst communications, annual report and shareholder letter, sustainability report), is there consistency in the disclosures?
  • Has the company early adopted any items within the November 19, 2020, amendments to Regulation S-K Items 303 MD&A, which will be mandatory for fiscal years ending on or after August 9, 2021? Has management identified any additional disclosures that may need to be prepared (e.g., the company’s ability to generate and obtain adequate cash to meet its requirements and plans for cash in the short term and long term) for compliance in upcoming periodic reports?
  • Has management reassessed its prior disclosure of critical accounting estimates for compliance with the recent amendments or considered any necessary revisions?
  • What are the non-recurring events and circumstances that have transpired during the interim period and what are the related financial reporting and disclosure implications?
  • Has the company evaluated its disclosures in light of Institutional Shareholder Services’ addition of 11 cyber-specific inquiries related to cyber-risk?
  • How is the organization proactively assessing an opportunity to enhance stakeholder communications, including corporate reporting to address changes in operations and strategies as well as changing stakeholder expectations?
  • Have there been any material changes to internal controls over financial reporting or disclosure controls and procedures to address the changing operating environment? Have any cost-saving initiatives and related efforts impacted resources and/or processes that are key in internal controls over financial reporting? If so, has management identified mitigating controls to address any potential gaps?

Inquiries to auditors

  • Can financial reporting, compliance and auditing procedures (internal and external) continue to be adequately performed through a combination of physical and remote working procedures? What options are there to perform alternative procedures to facilitate timely collection, processing and reporting of information for internal use and to prepare regulatory filings?
  • As employees start to transition back to the office or into a hybrid model, have management and the auditors considered the potential need to adjust their approach to physical inventories and cycle counts?
  • External auditors: what changes are anticipated with materiality, scope, physical inventory counts and additional procedures? What are the potential impacts arising from the complete or partial transition back to the office on the audit? How has the engagement team considered changes to the incentive, opportunity and rationalization of the fraud triangle?
  • Internal auditors: how should audit plans be adjusted to address changes in risk appetite and tolerances as identified from the company’s ERM program? Are there any audit plans that are not being executed or has the scope of the work been changed?

References

    1. Refer to the EY report What audit committees should consider at the end of 2020 and beyond for detailed considerations relating to evaluating the impact of COVID-19 on financial reporting.

    2. Most Nasdaq-listed companies will be required to have, or explain why they do not have, at least two diverse board members, including one director who self-identifies as female and one director who self-identifies as either an underrepresented minority or lesbian, gay, bisexual, transgender, queer or other (LGBTQ+). All listed companies must also provide statistical information about the diversity of their boards by the later of August 6, 2022, or the filing date of their proxy statement or information statement for their annual shareholders meeting (or the date they file their Form 10-K or Form 20-F if they do not file a proxy or information statement) in 2022. There is a transition period (which is based on the company’s listing tier) for companies to meet the diversity objectives or explain their reasons for not doing so. Under the rule’s transition provision, all listed companies must have one diverse director (or explain why they don’t) by the later of August 7, 2023, or the date they file their proxy statement or their information statement for their annual shareholders meeting (or the date they file their Form 10-K or Form 20-F if they do not file a proxy or information statement) in 2023.

Summary

In this edition of our quarterly review of issues affecting audit committees, we summarize key developments for audit committees to consider. The audit committee role grows more demanding and complex amid fast-paced change, and this report will assist audit committees as they proactively address recent and upcoming developments impacting Q3 reporting and beyond.
