30-minute read 3 Feb. 2020
EY - What Canadian audit committees should consider at year-end

2018 year-end issues Canadian audit committees should consider

By

Massimo Marinelli

Managing Partner, Assurance, EY Canada

Leading EY’s audit transformation initiative and helping clients adapt to the rapidly evolving financial landscape and reporting requirements.


This year, audit committees played an essential role: navigating the challenges of oversight and the constantly evolving expectations of stakeholders arising from numerous changes, including new accounting standards, the implementation of tax reform, changes in trade policy, the impact of technology on companies’ risk profiles and their finance function, regulatory developments on cybersecurity disclosures, and the new auditor reporting model.

Looking ahead, the evolving political and regulatory environment, along with growing stakeholder interest in topics such as data privacy, strategy and corporate culture, will continue to shape the critical work of the audit committee.

In our annual review of developments affecting audit committees, in addition to these developments, we consider other important developments in financial reporting, tax, regulatory matters and risk management. This report can help Canadian audit committee members prepare for discussions with the board, management and external auditors.

Risk management

Several factors are disrupting the business world, including political instability fueled by global economic uncertainty, digital transformation and the disruption of business models, increased scrutiny of corporate behavior, and growing pressure on regulators to develop frameworks that foster growth but counter short-termism and unfair practices.

The pace and scale of disruption will continue to pose various challenges for companies; however, opportunities to leverage new technologies and trends will likely emerge to reshape business models, to improve company performance and value creation, and to focus on and address emerging risks. In this constantly evolving environment, boards and audit committees must focus on risk management more than ever.

  • Next-generation enterprise risk management (ERM)

    Rather than avoiding risk, savvy companies will focus on reducing risk to a tolerable level and, ultimately, on optimizing their risk position to gain a competitive advantage. Boards have a role to play in challenging organizations to integrate risk management into their strategic decision-making and to use digital capabilities to harness the risk intelligence available across their operations. Such an approach aims to balance upside, downside and outside risks; to foster a digital risk culture; to digitize risk intelligence, monitoring and reporting; and to take into account the risks embedded in strategy and operations. It involves assessing the risk drivers for the business, prioritizing opportunities and remedial actions, designing risk response plans to optimize value and return on investment, and keeping risks at acceptable levels in line with risk tolerance and risk appetite.

    To further support this shift to an ERM focused on strategy and operational performance, audit committees expect the internal audit function to go beyond auditing controls to provide assurance on governance and emerging risks. Leading audit committees are also encouraging companies to assess risks more often than once a year and are advocating that internal audit adopt the “six plus six” approach to audit planning and risk assessment (i.e., a rolling risk-based work plan updated every six months). Such a flexible and dynamic approach allows organizations to respond better to changing needs and priorities.

  • Strengthening digital trust and overseeing the protection of personal information

    Cyber threats alone are such that it is only a matter of time before every company suffers a cyber attack. In addition, consumers are increasingly aware of (and potentially concerned about) the extent to which their data is shared in the digital economy, and data protection laws and regulations are proliferating around the world. Data protection risks are therefore multiplying and intensifying. More than ever, organizations need to be confident that their complex and evolving digital platforms are secure. The unlimited opportunities, efficiencies and benefits that digital offers come with changing and emerging risks and challenges, from disintermediation to third-party risk, cybercrime, data loss and technology failures. With the European Union’s General Data Protection Regulation (GDPR) in force and the California Consumer Privacy Act adopted (which provides the broadest and most comprehensive personal data protection rights for consumers in the United States), organizations must strengthen their cyber defenses to make sure that the personal data collected in each jurisdiction is retained and managed appropriately.

    Boards and audit committees should view the GDPR and data protection laws as an opportunity to assess, simplify and standardize data-related processes and procedures, so that risk management controls meet the increasingly stringent regulatory requirements that are expected.

    While boards are responsible for ensuring regulatory compliance, all stakeholders across the organization share responsibility for working together to build resilience. Some important considerations for boards include:

    • How are cybersecurity and personal data risks presented in the organization’s risk assessment?
    • Do the controls over the collection, processing and use of personal data, and over its security, comply with data protection requirements?
    • Do business continuity plans include procedures for dealing with a potential personal data breach?
    • How often will the board receive a report on data protection and cyber matters?
    • How will data protection policies be communicated internally and externally to obtain the buy-in and confirmation of all stakeholders?

    Audit committees should determine whether compliance with data protection and privacy laws is continually assessed and evolving within the organization.

  • Third-party risk management

    Boards must also be vigilant in confirming that the organization adequately monitors the heightened risk posed by third-party service providers in a digital world. These providers often have access to the company’s internal data and systems, which raises concerns and poses serious fraud, cybersecurity and reputational risks. It is vital that effective governance structures be put in place to manage these risks. Companies may choose a centralized third-party risk management structure, a decentralized model that allows oversight at the business-unit level, or a combination of the two approaches.

    Whichever model an organization adopts, the board can challenge the company to establish a clear profile of all third-party partners and the risks they pose. The emphasis should therefore be on appropriate due diligence, robust contracts that protect the company, and methods for continually assessing and monitoring each service provider (including third parties’ compliance with the applicable codes of conduct). Companies need to understand the very fundamentals of their business processes: knowing how their data is protected by the hosts that manage their information in the cloud, determining whether the clients’ employees they work with are employees, clients or third parties, and being aware of how their data is managed in robotic process automation and artificial intelligence.

  • The future of compliance and board oversight of culture

    In a world where business models are changing, data volumes are exploding, and regulation and its enforcement are increasing, integrity remains a fundamental foundation for fostering the ethical, compliance-focused behaviors needed to protect companies and their reputations. EY’s 15th Global Fraud Survey found that fraud and corruption are still among the greatest risks to companies today, and that a great deal of unethical behavior is currently being observed, with junior professionals more inclined to justify fraud. How an organization embeds integrity in its culture will become increasingly important.

    Against this backdrop, board oversight of the company’s culture, controls and governance through the lens of integrity is becoming an increasingly important priority. Audit committees should work together with the board and other committees to create and define a culture of ethics and integrity that is embodied by the board, executives and other managers, and expected of all employees and other personnel, even when the workforce changes radically. The values of this culture should also apply to third parties with which the company regularly does business, including key suppliers and business partners. Audit committees will also need to work more diligently than ever to help ensure the effectiveness of codes of conduct and ethics, compliance programs, whistle-blower policies and procedures, and companies’ employee engagement and training programs, by defining and enforcing ethical behaviors.

    It will also be essential to monitor whether the compliance function is effective and evolving appropriately through advances in governance practices and technology. Clear assessments of the effectiveness of compliance and ethics policies and programs can lead to better risk management, a stronger culture of compliance, ethics and integrity, and greater transparency. With the arrival of digital compliance tools such as predictive analytics and real-time risk alerts, forensic data analytics can make monitoring and reporting considerably more effective. In addition to increasing data visibility, new technologies can also help optimize resources, which can be essential given budget constraints. Leading companies are also using artificial intelligence to replace classroom or virtual training with personalized, real-time, risk-based communications.

    Boards and audit committees should set the tone at the top of the organization by clearly and consistently communicating and embodying a clear culture of compliance, ethics and integrity, and by ensuring that ethics and compliance policies and procedures (supported by effective training and consistent enforcement) succeed in sustaining culture and compliance.

Financial reporting

Regulators are requiring companies to provide more disclosures for a multitude of reasons, including continued global economic uncertainty and the instability of geopolitical developments weighing on business. With the adoption of three major new accounting standards within two years and increased regulatory scrutiny of the related disclosures, audit committees must seek to maintain high-quality financial reporting.

  • Gearing up for the leases standard

    With the effective date of the new IFRS 16 leases standard nearing (effective for all entities with annual reporting periods beginning on or after 1 January 2019), lessees are required to recognize right-of-use assets and related lease liabilities on the balance sheet for operating leases, which is a significant change from the previous lease standard. Entities should be implementing new accounting policies, processes and controls, including controls over any new or modified information technology (IT) systems they will use to account for leases.

    To reduce the cost and complexity of implementation, the International Accounting Standards Board (IASB) has developed the standard to provide transition options for all entities and helpful practical expedients for lessees. One transition option allows entities to not apply the new guidance in the comparative periods they present in their financial statements in the year of adoption. Some helpful practical expedients for lessees include not having to recognize the right-of-use asset or related lease liability for low-value or short-term leases if certain criteria are met, and not having to separate non-lease components from lease components.

    While the transition options may mitigate some of the costs and complexities associated with the adoption of the new leases standard, the effective date of the standard has not changed. The level of effort necessary to apply the new standard by the effective date may be significant. Audit committees should encourage management teams to stay focused on their implementation efforts, regardless of whether they plan to elect the new transition option.

    As lessees prepare to adopt the new standard, audit committees should discuss with management the status of their implementation plans, key accounting policies the company elects, the impact on their processes and controls, and how management intends to communicate these to its stakeholders. 

  • Revenue and financial instruments

    Both the new revenue recognition and new financial statements standards came into effect in 2018 for all calendar year-end reporting issuers. There are significant new disclosures required and entities may also be required to present certain new line items under the new standards. Aside from the transitional disclosures, regulators will also be carefully reviewing the ongoing disclosures made in 2018 annual financial statements. Audit committees should discuss with management the status of the draft disclosures and the key changes to the presentation and disclosures to comply with the new requirements. 

  • Framework for reporting performance measures

    In December 2018, the Accounting Standards Board of Canada (AcSB) issued its framework for reporting performance measures. The Framework provides voluntary guidance to enhance the relevance of financial reporting and was created to help entities, from public to private companies, to not-for-profits and pension plans, improve the quality of financial and non-financial performance measures they choose to report outside of the financial statements. The Framework sets out best practice guidance for selecting, developing and reporting performance measures as well as guidance on implementing and maintaining controls and governance practices.

  • CSA comment letter trends

    The Canadian Securities Administrators (CSA) performs continuous disclosure (CD) reviews of selected issuers on an annual basis. For the fiscal year ended 31 March 2018, the CSA conducted 840 CD reviews (down from 1,014 reviews in fiscal 2017). They reported that 51% (2017 – 43%) of the reviews of selected issuers required the issuers to act to improve and/or amend their disclosures, with 18% (2017 – 13%) of their review outcomes requiring issuers to refile and 8% (2017 – 6%) resulting in the issuer being referred to enforcement, cease traded or placed on the default list.

    The key CSA observations relating to financial statements were on the classification of items in the statement of cash flows, the adequacy of disclosure on fair value measurements on level 3 instruments, and the adequacy of disclosure on the adoption of new accounting policies.

    Although the above statistics were overall better than fiscal 2016 and 2015, audit committees should continue to evaluate the adequacy of the company’s presentation and disclosures, including the consideration of presentation and disclosures provided by peer companies, industry practice and other leading practices.

  • CSA areas of focus

    As in previous years, the CSA continued to focus on non-GAAP measures, the adoption of new accounting standards, and reducing the regulatory burden for reporting issuers. Cryptocurrencies and cannabis are also increasingly important topics for the Canadian securities regulators.

    Some of these regulatory focus areas are summarized below.

  • Non-GAAP financial measures

    In October 2018, the CSA published for comment Proposed National Instrument 52-112, Non-GAAP and Other Financial Measures Disclosure, which proposes disclosure requirements for issuers relating to the use of non-GAAP and other financial measures. The CSA has consistently commented on deficiencies in disclosure of non-GAAP measures over the past few years, and the Proposed Instrument is intended to improve consistency and transparency. Once implemented, these new mandatory requirements will have the force of law, replacing the existing guidance provided in CSA Staff Notice 52-306.

    Companies should assess their processes, including governance processes for overseeing compliance with the Proposed Instrument, especially now that the Instrument will have the force of law and will be a stronger tool for enforcement. 

  • Cryptocurrency

    With increases in the number of Canadian cryptocurrency offerings and the number of reporting issuers with cryptocurrency holdings, the CSA has issued two Staff Notices (46-307 and 46-308) to provide guidance on initial cryptocurrency offerings and securities law implications for offerings of crypto coins or tokens. In addition, there are many complexities and developments in the accounting for cryptocurrencies from both the holder and issuer perspectives that are of concern to securities regulators. Audit committees should ensure they are current with regulatory and accounting developments in this area if applicable and ensure those are considered for financial reporting purposes.

  • Cannabis

    With the growth of the legal cannabis industry in Canada and the increasing number of reporting issuers in this space, the CSA published Staff Notice 51-357, Staff Review of Reporting Issuers in the Cannabis Industry, in October 2018. The staff notice highlights key findings based on the review of 70 Canadian reporting issuers, and provides guidance and good illustrative disclosures to issuers with the objective of increasing the transparency of information provided to investors.

    All licensed producers reviewed acted to improve their disclosure in response to issues raised by the CSA. Where applicable, audit committees should discuss this Staff Notice with management to ensure any identified deficiencies are addressed.

  • SEC comment letter trends

    The number of comment letters issued by the SEC staff continued to decline in 2018, but the adoption of new accounting standards could slow or reverse that trend. Over the next year, the SEC staff is expected to focus on accounting under the new revenue standard, disclosures about how companies will be affected by new standards on leases and credit impairment, disclosures about cybersecurity and accounting for income tax reform.

    The SEC staff continues to comment most often on accounting areas that require significant judgments and estimates. The top five most frequent comment areas in 2018 and 2017 were on management’s discussion and analysis (MD&A), non-GAAP financial measures, fair value measurements, segment reporting and revenue recognition.

Tax

Tax changes around the world are constant and the pace of change is accelerating. Audit committees will need to stay up to date with proposed tax changes in the jurisdictions in which their organizations operate and understand the key financial statement impact of current and future proposed changes.

Boards and audit committees should also stay focused on trade activity. With continued uncertainty in both trade and tax policy, modeling alternative tax and supply-chain scenarios has become more important than ever.

  • US tax reform

    The Tax Cuts and Jobs Act (TCJA) significantly changed US income tax law, and companies accounted for the effects of these changes in the period that includes the 22 December 2017 enactment date.

    The SEC staff issued SAB 118 to provide companies that had not completed their accounting for the TCJA’s income tax effects in the enactment period with an extension of up to a year. Since the SAB 118 measurement period cannot extend beyond one year, calendar year-end companies are required to finalize any provisional balances by 31 December 2018. Companies filing under IFRS did not have SAB 118 type guidance to provide a measurement period to complete the accounting for the effects of the TCJA.

    The US Treasury Department and the IRS began releasing major TCJA-related proposed regulations during the summer of 2018 and are expected to continue through spring 2019. Key proposed regulations addressed the law’s transition tax, the new global intangible low-taxed income (GILTI) regime, qualified business income (QBI) deduction, additional first-year depreciation deduction, and the new provision to encourage investment in Opportunity Zones.

    The proposed regulations will be finalized after comment periods for those interested in sharing suggested changes or other observations. Companies trying to plan in the near term face some risk as they await the release of anticipated further TCJA guidance, especially around some of the complex international provisions of the law.

    Further TCJA clarification — a general explanation of the new law — is also expected by year end from the Joint Committee on Taxation’s Blue Book. And while there have been calls for technical corrections legislation to resolve drafting errors in the final legislative language, it’s unlikely that this type of legislation will move forward in Congress in 2018.

    In late September, the House of Representatives advanced three bills as a follow-up effort on tax reform, or “Tax Reform 2.0,” aimed at three areas:

    • Making the individual and small business tax cuts permanent
    • Promoting savings for families and retirement
    • Spurring innovation

    It’s unlikely that the Senate will take the measures up this year. With so many avenues of clarification around the new tax law and the potential for additional tax legislation in the years ahead, audit committees must stay up to date with tax policy developments in real time. 

  • Canadian update

    On 21 November 2018, Canadian Finance Minister Bill Morneau presented the fall economic statement in the House of Commons. The statement included some tax measures, which were in part proposed because of US tax reform. On the same day, a notice of ways and means to amend the Income Tax Act and the Income Tax Regulations to effect these proposed changes was tabled.

    The statement introduced new capital cost acceleration measures, including full expensing of manufacturing and processing machinery and equipment, full expensing of clean energy equipment, and measures to accelerate the capital cost allowance for other types of capital property. In addition to the capital cost allowance measures, the fall economic statement introduced various tax credits and other measures to support certain industries. 

  • Trade policy

    Recent trade policy shifts from governments around the world could have significant implications for Canadian companies. Actions such as the use of targeted tariffs and the renegotiation of the 24-year-old North American Free Trade Agreement (NAFTA) are examples of policy shifts that businesses need to keep an eye on.

    Shifts in approach to trade policy can have a real impact on businesses. For example, the US administration has imposed various tariffs on imported intermediary goods, or parts, used by US businesses to make finished products. Many countries, including Canada, have retaliated by imposing their own tariffs on US exports. Tariffs can increase costs for businesses and could lead them to cut other expenses, including labor costs, among other options. Tariffs on exports potentially make products less attractive to overseas purchasers.

    Current trade policy developments are very fluid. For this reason, it’s critical that businesses understand the issues associated with the changes to trade policy in the countries in which they operate, examine the potential impacts to their operations and consider expressing their views. Boards need to understand management’s approach to addressing this and other potential geopolitical and regulatory developments, including impacts on strategy and risk management. 

  • Wayfair and evolving digital tax policies

    On 21 June 2018, the US Supreme Court held in South Dakota v. Wayfair that physical presence in a state was not necessary to create taxable nexus for sales and use tax purposes. Because of the decision, additional states may now begin requiring remote sellers, such as companies based in Canada, to register, collect and remit taxes on transactions with in-state customers regardless of the seller’s physical presence in the state, provided they don’t impose undue burdens on interstate commerce.

    States have already begun to respond by revising their sales and use tax rules, and companies will need to track issues such as retroactivity and prospective tax liability on a state-by-state basis. A company’s facts and circumstances should be reviewed with respect to each jurisdiction in which it may have a state tax filing obligation, regardless of physical presence.

    Around the world, the focus on digital tax policies has evolved quickly, mirroring the rapid integration of digital into the business landscape. Tax policymakers are trying to keep pace with this growing trend, with some countries and supranational groups exploring different digital taxation models. A current lack of agreement on how to proceed, however, threatens to create a confusing tax landscape, with a patchwork of different proposals for businesses to navigate. Increasingly, audit committees will need to verify that the company’s tax strategy supports its digital ambitions while also protecting the organization from tax uncertainty.

    Boards and audit committees should begin discussing their companies’ existing digital activity and pipeline projects in new ways and assess the related tax implications. This effort will require knowledge of the digital tax approach of countries and states in which they do business, and committing resources to measuring and addressing any resulting tax risks. These risks need to be weighed against the company’s digital goals to determine whether tactics, strategy, structures or business models may need modifying.

    Boards and audit committees should assess the completeness of their companies’ investor communications. Investors need to know about tax risks related to digital activities that may reduce profits if these taxes go into effect. Boards should be informed about the possibility and potential impact of restructuring parts of a digital strategy and the potential need to exit lines of business or markets depending on how tax proposals advance.

    While the complex issues of how to tax digital activity are not likely to be resolved any time soon, the debate has implications for all businesses that have digital assets. As such, boards and audit committees will want to closely monitor the evolving discussion and related digital tax developments.

  • The future of the tax operating model

    Tax operating models are at an inflection point. External pressures, including technology disruption and talent availability, are significantly challenging current tax operational strategies. Companies are looking at their short- and long-term requirements to efficiently and effectively manage their tax operations.

    Audit committees should inquire of management as to whether their tax operating model is meeting the organization’s needs. Leading organizations are reconsidering their tax functions (e.g., fully internally sourced, outsourced or a hybrid model) to design a more efficient operating model by leveraging lower-cost resources and emerging technologies, such as robotic process automation and artificial intelligence.

Environmental and social governance

The demand by investors for better and additional disclosure around how companies are managing their environmental and social governance (ESG) agenda continued to grow in 2018. This intersects directly with increasing demands for better governance in general. Investors and shareholder advisory groups are looking for information that helps them rank relative investment risks.

Multiple standard setters and other organizations continue to struggle with development of a comprehensive and standardized disclosure framework that would effectively provide this information to investors. While many companies are working to determine which elements of current ESG disclosure frameworks they can adopt to satisfy investors, many are overlooking the fact that their existing governance and management processes are no longer aligned with investors’ expectations.

Many companies will need to revisit their current ESG practices and disclosures to continue to effectively compete for capital in the coming years.

  • What investors want

    EY has surveyed hundreds of institutional investors concerning their approach to ESG. More than 80% have told us their assessment of certain key risks would either rule out an investment or alter their view of the financial return required to offset the following concerns:

    • Risk or history of poor governance
    • Human rights risks from operations
    • Limited verification of ESG data or claims
    • Unmanaged ESG risks in the supply chain
    • Risk or history of poor environmental performance
    • Risk from resource scarcity
    • ESG strategy and business strategy not linked in the near, medium and long term
    • Risk from climate change

    These risks align closely with those that major investor ESG rating organizations such as MSCI and Dow Jones are focused on, as well as global ESG reporting frameworks.

    To meet investors’ requirements, companies will need to ensure they have adequately addressed their consideration and management of these risks. They must also determine how they can effectively convince investors they’ve done so.

  • Meeting the governance and management challenge

    Many companies are striving to improve their governance and enterprise risk management processes. These processes are key to managing ESG risks. Absent an effective process to manage overall business risk, it’s difficult to manage ESG risks that touch so many aspects of an organization’s strategy and operations.

    A sound risk management process will enable strategy development that considers material ESG risks in the context of the company’s mission and core values. It will also translate the strategy into business objectives and performance goals and activities that address the risk in a desired fashion. The process will provide clear reporting and evaluation around meeting objectives and enhancing value.

    While companies often struggle with whether their risk management process is sufficient, in 2017 clear, specific guidance published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) outlined the 20 principles of an effective enterprise risk management framework. This principles-based approach provides companies with a clear benchmark that addresses many of the concerns investors are voicing around governance.

    In 2018, COSO and the World Business Council for Sustainable Development published guidance as to how the COSO enterprise risk management framework could be applied to ESG risks. This guidance provides a roadmap for how management can challenge their approach to managing ESG risks relative to leading practice governance principles.

  • Meeting the reporting challenge

    With well over a dozen accepted frameworks to report ESG information, such as the United Nations Sustainable Development Goals, the Global Reporting Initiative (GRI) Framework and Sustainable Accounting Standards Board (SASB) standards, it’s difficult to determine the best route to disclosure.

    Investors tell us they struggle to make use of the multitude of data currently published under the current disclosure frameworks, and that the qualitative information is often generic or incomplete with respect to dealing with investors’ perception of risk. Many investors rely to some degree on third-party ESG rating agencies, such as the Dow Jones Sustainability Index, but there’s no standardized methodology for conducting ESG ratings. For this reason, most investors use rating data to supplement their own analysis of the investment risk created by the effect of ESG factors on the company and how well management is responding.

    Against this backdrop, in November 2018 another investor-led initiative, known as the Embankment Project for Inclusive Capitalism, published a report compiled by leading investor and corporate participants that set out a direction for how companies could better report measures that help focus on long-term value.

    The project participants formed a strong consensus that risk and performance in six factors were most important to focus on. Three of the six factors were environmental, social and governance; the other three were talent, innovation and consumer trends. While the report provides helpful thinking, it doesn’t offer the magic bullet of measures to report, since these will vary by industry and company.

    One key takeaway from the report is that companies need to explain how they assess and manage risk for these six factors in a clear manner that’s transparent with respect to the nature of the risks, potential impacts, management’s objectives and success measures.

    In the current year, issuers also need to address the recommendations of the International Task Force for Climate-Related Disclosure. These recommendations are focused only on climate change-related risks, but also ask users to make disclosures around the themes of governance, strategy, risk management processes, and metrics and targets.

    We strongly encourage companies to consider whether they can adopt or better align their ESG governance with the principles-based COSO risk management framework. This represents a well-respected common roadmap that should give the board and investors comfort. Not only does it provide a strong approach to managing risk, but letting investors know you’re using it could give them confidence that’s hard to build through existing ESG disclosures. 

Regulatory developments

As cybersecurity threats evolve and risks become more complex and widespread, focus on corporate disclosures in public filings on the subject will likely intensify. The SEC issued guidance in February 2018, clarifying companies’ obligations to disclose cybersecurity risks, material breaches and the potential impact of the breaches on business, finances and operations. The new Commission guidance also addresses company disclosure on how the board of directors oversees the management of cybersecurity risk, among other things. This publication is a clear indication that regulators and stakeholders want to better understand a company’s efforts around cybersecurity planning, incident response and notification procedures.   

  • Reducing regulatory burden

    In March 2018, the CSA issued an update on the status of Consultation Paper 51-404 that presented considerations for reducing regulatory burden for non-investment fund reporting issuers. Based on comments gathered from various stakeholders, the CSA has initiated six policy projects on the following topics:

    • Potential alternative prospectus model
    • Removing or modifying the criteria for Business Acquisition Reports
    • Facilitating at-the-market (ATM) offerings
    • Revisiting primary business requirements
    • Revisiting certain continuous disclosure requirements
    • Enhancing electronic delivery of documents

    Any potential changes to the regulatory regime will follow standard policy making due process with publication of any proposed amendments for comment. 

  • Auditor’s reporting model

    In October 2018, the Canadian Auditing and Assurance Standards Board (AASB) approved revisions to Canadian Auditing Standards (CASs) to require auditors to communicate key audit matters (KAMs) for audits of TSX-listed entities, other than those required to comply with NI 81-106, for financial statement periods ending on or after 15 December 2020.

    KAMs are defined as those matters that, in the auditor's professional judgment, were of most significance in the audit of the financial statements of the current period. Key audit matters are selected from matters communicated with those charged with governance.

    The PCAOB standard includes a similar reporting concept to communication of KAMs — critical audit matter reporting — that will be effective for certain US issuers for audits of financial statement periods ending on or after 15 June 2019, and all other US issuers to which the requirements apply for periods ending on or after 15 December 2020.

    The AASB is in discussions with the SEC and the PCAOB to develop a combined report that would be acceptable in both Canada and the United States for joint Canadian/SEC registrants. In the meantime, it will not be possible for auditors to issue combined reports for financial statement periods ending on or after 15 December 2018.

    Management and audit committees are encouraged to work with their auditors to understand the requirements related to KAMs, including the process of determining and describing KAMs, and any expected changes in the audit process. This will help reporting issuers prepare for questions that may be received from investors, regulators and others. 

  • CPAB Big Four firm inspection findings

    The Canadian Public Accountability Board (CPAB) inspected 77 out of 80 planned (2017: 86) audit engagement files across the Big Four audit firms in 2018 and identified significant inspection findings in 14 (2017: 6) of those files. CPAB noted that all firms need to do more to fully embed audit quality across the whole assurance portfolio.

    Deficiencies related to auditing fair values in business combinations, impairment of assets and revenue recognition represented approximately half the significant findings in CPAB’s 2018 inspections cycle. The other half were related to significant but non-complex account balances and transaction streams where basic audit procedures were either not performed (e.g., inventory counts not attended) or not performed appropriately (e.g., testing of inventory costing was insufficient).

    In 2018, CPAB began to introduce a new inspection methodology to assess Big Four audit firm quality management systems. CPAB noted that each firm has made and continues to make a significant effort to improve, better articulate and document its quality management processes and controls, and to link them to CPAB’s five assessment criteria: accountability for audit quality, risk management, talent management, resource management, and oversight.

    CPAB noted that it continues to work with stakeholders on several critical audit quality matters that should also be top of mind for directors of public companies, including regulatory access to audits done in foreign jurisdictions, the growing number of reporting issuers with crypto-assets in the Canadian market, and the automation of the audit. 

  • Public Company Accounting Oversight Board (PCAOB) outlook and developments

    Five new PCAOB members have been sworn into office since January 2018, including new PCAOB Chairman William (Bill) D. Duhnke III. The PCAOB is expected to maintain its focus on promoting high audit quality through its inspection program, among other things. One of the new Board’s first acts was to seek public input on priorities to include in the PCAOB’s 2018–2022 strategic plan, the first time the PCAOB has done so. In December, the PCAOB’s new Director of Registrations and Inspections, George Botic, gave a speech commenting that the PCAOB is going through a process of transformation focused on people, process and technology, and has reassigned inspectors to assist with approximately 15 transformation workstreams.

  • UK regulatory developments

    In December 2018, the UK Competition and Markets Authority (CMA) published an update paper on its market study into the audit sector. Separately, at the request of the UK Secretary of State for Business, Energy and Industrial Strategy, Sir John Kingman presented his independent review of the UK regulator, the Financial Reporting Council (FRC).

    CMA proposed reforms include:

    • Operational separation between audit and non-audit services: splitting the firms’ audit and non-audit businesses into separate operating entities, with separate management, accounts and remuneration, but under the same organizational umbrella. 
    • Close regulatory scrutiny of audit appointment and management to make sure those appointing auditors are held to account and independent enough to choose the most challenging audit firm, rather than — for example — the cheapest.
    • Joint audits: audits of the UK’s biggest companies (FTSE 350) should be carried out by at least two firms, at least one of which would be from outside the Big Four. A possible alternative is a market share cap, ensuring that some major audit contracts are only available to non-Big Four firms.

    EY has consistently expressed its strong view that the multi-disciplinary model provides the structure, breadth and depth of technical skills and industry expertise necessary to meet our public interest obligations to deliver high quality audits. We don’t believe moves that dilute this will improve audit quality. We welcome the CMA’s proposals for increasing transparency and accountability around the tendering, appointment and re-appointment of auditors. We don’t believe that either joint audits or market share caps will enhance audit quality.

    Kingman review recommendations include:

    • Replacing the FRC with a new independent, statutory regulator, accountable to Parliament with new leadership, clarity of mission and powers.
    • Giving the new regulator significant powers to investigate concerns relating to companies and to hold all relevant directors, not just members of professional bodies, to account for their duties to prepare and approve true and fair corporate reports.
    • Giving the new regulator the duty to promote competition and innovation in the audit market.

  • 30 questions for audit committees to consider at year-end

    Risk management

    1. Do the organization’s ERM practices incorporate forward-looking insights and use of data analytics to determine trends and predictive indicators?
    2. Has management clearly articulated the key individual risks and aggregate risk to achieving its strategic goals and properly applied the organization’s risk tolerance to determine risk management priorities?
    3. Is the organization continually scanning the risk landscape and responding? Is its risk mitigation approach shifting from reactive to predictive response strategies?
    4. Is the organization harnessing emerging technology to better mitigate downside risk?
    5. Is the organization’s talent pool equipped to meet the changing needs of the risk function?
    6. How does the company incentivize executives, as well as lower-level employees and third parties, to act ethically? And how does it instill the concept of employees taking individual responsibility for the integrity of their own actions?

    Financial reporting

    1. What key actions has management taken to implement the new leasing standard? What key actions are needed to improve readiness for implementation and disclosure?
    2. Did the entity consider the impact of the new standards on the patterns of revenue and lease-related expense recognition and its effect on financial covenants, incentive plans, etc.? What disclosures has management provided or considered on these changes?
    3. Has the company’s management sufficiently challenged the adequacy of its presentation and disclosures required under the new revenue and financial instrument standard, particularly in areas that require significant judgment or estimates (e.g., disaggregated revenue disclosures, identification of performance obligations, expected credit loss policies and forward-looking information assumptions)?
    4. What internal controls has management designed around both its implementation process for new accounting standards and ongoing processes for accounting under the new standards?
    5. How is technology changing the company’s finance function, and what sort of assurance is the audit committee getting that financial information integrity is preserved during and after any transition (including during implementation efforts)?
    6. Has the company’s management sufficiently challenged the adequacy of disclosures of its non-GAAP measures in the MD&A or other continuous disclosure documents? Is there equivalent disclosure emphasis on GAAP measures compared to non-GAAP measures?

    Tax

    1. How is the company staying abreast of the latest developments in both tax and trade policy matters?
    2. Has the company performed any modeling on the impact of tax reform changes or trade policy changes such as tariffs?
    3. Has the company modeled different scenarios related to its digital activity and considered the potential tax implications of recent regulatory developments? How is this information communicated to the board?
    4. Does the company have sufficient resources to track and analyze recent changes in regulations and legislation?
    5. How is the organization attracting, retaining and developing the talent (e.g., scientific, technology, engineering and math skills) needed in today’s and tomorrow’s tax and finance functions?
    6. Does the tax organization have a sustainable model to address challenges, such as tax reform requirements, a digital tax administration and evolving global tax reporting obligations?
    7. How does the board effectively communicate changes in tax strategy to shareholders and the public? Are disclosures and related risk factors in the company’s public filings updated and appropriate given the company’s planned digital activity and recent regulatory tax developments?
    8. Does the company have a strategy for engaging on tax policy issues?

    Environmental and social governance

    1. Do you have a clear process to engage the board and executive management in an exercise to identify ESG factors affecting your business and their strategic implications?
    2. Does your ESG risk identification and related mitigation strategy development consider all scenarios of how a key risk could affect your business over the near, medium and long term?
    3. Do you establish ESG operational objectives and measures to manage your progress addressing ESG factors, and do the board and management regularly monitor these measures?
    4. Have you established a clear link between performance evaluation and remuneration and achievement of your ESG objectives among all relevant personnel?
    5. Is your shareholder communication clear and candid about your key risks, your business response objectives and your progress towards relevant internal goals?

    Regulatory developments

    1. Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
    2. How has the role of the audit committee evolved in recent years (e.g., oversight of enterprise risk management, cybersecurity risk), and to what extent are these changes being communicated to stakeholders via the proxy statement?
    3. What discussions has the audit committee had with its independent auditor regarding audit quality matters, especially the Canadian Public Accountability Board’s (CPAB’s) Big Four audit firms’ public inspection report?
    4. Has the audit committee had discussions with their auditor to understand the key changes to the audit report and related processes that will be used to meet disclosure requirements for key audit matters/critical audit matters?
    5. What impact will new auditor reporting requirements have on audit committee disclosures? 

Summary

Canadian audit committees need to consider current developments in financial reporting, tax changes, regulatory changes and risk management as they work with management to prepare for the year ahead.
