The release asserts that current disclosure rules may not mandate enough disclosures about activities of audit committees in the reports they make in annual proxy statements and explores possible disclosure mandates in several areas—most of them pertaining to the external auditor. The areas outlined are as follows:
Audit Committee’s Oversight of the Auditor
Audit Committee’s Process for Appointing or Retaining the Auditor
Qualifications of the Audit Firm and Certain Members of the Engagement Team Selected by the Audit Committee
Location of Audit Committee Disclosures in Commission Filings
Smaller Reporting Companies and Emerging Growth Companies
In addition to these areas, the SEC asks for comment on the possible need for disclosures on accounting and financial reporting process or internal audits and invites comment on the scope of audit committee work.
Throughout the 55-page release, the SEC asks questions—74 in all—seeking the views of interested parties, such as audit committee members and investors, on what disclosures would be valuable. All but two of these questions pertain to oversight of the independent auditor.
2. What exactly is a concept release?
A concept release is an early indication that an agency is thinking about a matter and may issue new rules or standards on it. Any agency may issue a concept release. This current SEC concept release is the only one issued so far in 2015, and it is the first SEC concept release issued since 2011. (There were no SEC concept releases at all from 2012–2014.) While there are no recent studies showing the correlation between concept releases and rulemaking, we can assume that new rulemaking may follow. In this sense, concept releases are not the same as interpretive releases, which interpret new laws or court decisions, or policy statements, which clarify the SEC’s positions on particular matters.
3. How does this SEC concept release fit into the SEC’s overall “disclosure effectiveness initiative”?
The release is aimed at improving audit committee disclosures in concert with the stated goal of the SEC’s ongoing disclosure effectiveness initiative, described in a recent NACD Directorship article. Under this initiative, the SEC’s Division of Corporation Finance is reviewing the disclosure requirements under Regulation S-K (regarding company disclosures generally) and Regulation S-X (regarding company disclosures in financial statements) to “facilitate timely, material disclosure by companies….” So far the SEC has focused on the forms 10-K (annual report), 10-Q (quarterly report), and 8-K (updates). Later phases of the project will cover the compensation and governance information in proxy statements.
If the SEC’s new concept release on audit committee disclosures leads to rules mandating additional disclosures that are not material to investors, it would operate against the goals of the initiative. As SEC Chair Mary Jo White said in her keynote speech at NACD’s fall conference two years ago, “[w]e must continuously consider whether information overload is occurring as rules proliferate and as we contemplate what should and should not be required to be disclosed going forward.”
4. Has NACD commented on the SEC’s concept release?
Yes. On Sept. 8, 2015, the NACD submitted a comment letter affirming the importance of improved disclosures. However, the letter also argues that the choice of what to disclose should be up to audit committees themselves because they are in the best position to describe how they are fulfilling those duties. The NACD letter cautions that information should only be included in a proxy statement (or any other disclosure for that matter) if it would be useful to investors.
In the letter, NACD proposes that audit committees take voluntary action by finding new ways of disclosing the broad scope of their work. NACD has also offered to convene a meeting between the SEC and audit committee leaders in order to accomplish this.
The NACD letter followed a more detailed comment submitted to the SEC on Aug. 3, 2015, by Dennis Beresford, a member of the NACD board of directors, an experienced director and audit committee leader, and the former chair of the Financial Accounting Standards Board (FASB).
In his letter, Mr. Beresford states that the concept release focuses too heavily on the audit committee’s relationship with the auditor, which he says is important but should not dominate the committee’s work. He notes that of the 74 questions asked in the release, all but the last two focus on this topic.
Based on his experience, Mr. Beresford suggests that audit committee reports need to cover a wider range of topics, as suggested by the Audit Committee Collaboration, a group that includes NACD. In order of priority, these topics include:
Scope of duties (as referenced in the audit committee charter).
Committee composition (especially information on qualifications of the “audit committee financial expert”).
Oversight of financial reporting (highlighting how the committee is assessing the quality of financial reporting).
Oversight of independent audit (selection of the audit firm and lead engagement partner, and compensation, oversight, and evaluation of the audit firm). Mr. Beresford argues that the disclosure of the lead engagement partner’s name is unnecessary. [This is the subject of a separate Public Company Accounting Oversight Board (PCAOB) release on Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form.]
Risk assessment and risk management (which is often assigned to the audit committee).
Information technology (such as cybersecurity, which is also often assigned to the committee).
Internal audit (namely, internal audit plan review and results).
Legal and compliance (such as any discussions with legal counsel).
This list of possible topics for voluntary audit committee disclosures accords with NACD’s own publications on audit committee work. These subjects are frequently discussed in meetings of our Audit Committee Chair Advisory Council and in the webcasts and gatherings we produce with KPMG’s Audit Committee Institute.
Notably, Mr. Beresford warns against turning these subjects into mandatory “check-the-box” disclosures. Because audit committee reports are still in an early stage of development, he hopes “that the SEC allows them to continue to develop largely as ‘best practices’ without becoming overly prescriptive [emphasis added].” Regarding disclosure of the name of the lead engagement partner, he says that this should be left to the discretion of audit committees: “If they felt it would be useful to investors, they could include it in their reports in the proxy statement.”
5. Are there any other agency concept releases that audit committee members should know about?
Yes. On July 1, 2015, the PCAOB issued a concept release on Audit Quality Indicators (AQIs) with a comment deadline of Sept. 29, 2015. The release notes that “[t]aken together with qualitative context, the indicators may inform discussions among…audit committees and audit firms.”
NACD does not plan to comment on this release. However, we note that NACD member J. Michael Cook, chair of Comcast’s audit committee, together with Comcast’s executive vice president and chief accounting officer, Lawrence J. Salva, sent acomment letter advising the PCAOB of their views: “We encourage the PCAOB to be judicious with regard to the number of recommended AQIs, as we believe too many AQIs would lessen their impact. As you have previously noted, audit committees have many responsibilities and a limited amount of time, and as you are aware, audit quality requires more than measurable indicators; skepticism and independence are necessary to turn quantifiable indicators into real audit quality.”
6. What is the key takeaway from the SEC and PCAOB concept releases for audit committees?
The SEC and PCAOB are being proactive on the audit committee front. The SEC wants audit committees to say more about their activities in the proxy statement, and the PCAOB wants audit committees to use specific metrics to judge the quality of audits. Comments from the director community have pointed out the importance of ensuring that disclosures are material and that metrics are useful. In response to these two concept releases, audit committee leaders and members might consider taking two main actions:
Review disclosures and their metrics to ensure they are useful.
Reach out to the SEC and PCAOB to express views on these matters.
A Final Word
SEC and PCAOB regulators strive to strengthen the U.S. economy through enlightened rulemaking, but they cannot do it alone. They need to hear the voice of the director. NACD members can make a positive difference in this regard.
As a profession and a discipline, internal audit has had a longstanding objective of adding value and improving an organization’s operations through a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. Unfortunately, many internal audit functions fall short of this objective.
Change is the order of the day, and internal audit must keep pace. According to a recent Protiviti survey report, chief audit executives (CAEs) are striving to become more anticipatory, change-oriented and adaptive. Such behaviors are in great demand because internal audit functions must anticipate and respond to a constant stream of new challenges—from emerging technologies and new auditing requirements and standards to rapidly evolving business conditions. Many of these challenges deliver uncertain and still-unfolding risk implications for organizations.
The future auditor is a CAE who is positioned to be objective with regard to operating units, business processes, and shared functions, and is vested with a direct reporting line to the board of directors. That person is able to contribute more value to the board because they understand the organization’s business objectives and strategy and can identify risks that create barriers to the successful achievement of critical business objectives.
In addition, the future auditor is authorized to evaluate and challenge the design and operating effectiveness of the governance, risk management, and internal control processes that address the organization’s critical operational, compliance, and reporting risks. The future auditor also creates value by making recommendations to strengthen those processes and by keeping appropriate parties apprised of unaddressed matters.
Given these responsibilities positioning within the organization, the future auditor stands to serve the board as an agent of positive change and valued sounding board in safeguarding the adequacy and effectiveness of activities that matter most to the organization’s success. To illustrate, here are 10 ways the future auditor can contribute value:
Think more strategically when analyzing risk and framing audit plans. Although internal auditors have traditionally focused on operational, compliance, and reporting issues, the future auditor thinks more strategically when evaluating risk and formulating audit plans. For example, the auditor identifies and anticipates barriers to successful execution of the strategy, facilitates the risk appetite dialogue at the highest levels of the organization, updates the company’s risk profile to reflect changing conditions, and understands how new technological trends are having an impact on the company.
Provide early warning on emerging risks. While it is universally accepted that risk assessments must be refreshed periodically, the future auditor’s line of sight is directed to timely recognition of emerging risks. For example, contrarian analysis can be used to identify emerging strategic risks and scenarios that could disrupt the company’s business model.
Broaden the focus on operations, compliance, and nonfinancial reporting issues. In terms of demonstrating sustained value to stakeholders over the long term, having a singular focus on financial controls is not enough. The future auditor’s focus touches significant aspects of business operations, including, but not limited to: information technology (IT) security and privacy, business continuity and crisis management, supply chain management, operating expenditures, talent management, and compliance management.
Strengthen the lines of defense that make risk management work. For internal audit to serve as a viable line of defense, the future auditor evaluates how the organization establishes the necessary discipline to ensure that risks are reduced to a manageable level as dictated by the organization’s risk appetite. The future auditor also determines whether the primary risk owners and independent risk management and compliance functions are fulfilling their respective responsibilities as separate lines of defense. These areas of emphasis, coupled with a focus on the effectiveness of escalation processes, provide a context for focusing the internal audit plan.
Improve information for decision-making across the organization. The future auditor evaluates the reliability of the performance measures, monitoring systems, and analytic tools and techniques the organization has in place to ensure there is a family of lead and lag indicators and trending metrics to signal when disruptive risk events might be approaching or occurring. The future auditor’s emphasis on improving risk information across the organization can lead to better information for decision-making used in the business.
Watch for signs of a deteriorating risk culture. The future auditor understands that a deteriorating risk culture presents a formidable hurdle to sustaining effective risk management. That is why they work with senior management and the board to ascertain whether there are any gaps in the desired risk culture, whether organizational changes are needed to rectify those gaps, and whether specific steps are necessary to implement those changes.
Leverage technology-enabled auditing. Technology can help to automate ongoing monitoring of certain internal controls, track issues, and provide customized dashboards and exception-reporting capability. By using technology, the future auditor is able to devote more time and effort to building relationships and providing expertise in high-impact areas. A technology-focused audit approach facilitates the future auditor’s shift of emphasis to strategic issues and critical enterprise risks by gaining more coverage with less effort, providing more analytic insight and offering early warning capabilities.
Improve the control structure, including the use of automated controls. The future auditor evaluates the control structure and identifies opportunities to eliminate, simplify, focus and automate controls. For example, the future auditor recognizes that automated controls provide opportunities for improving the transparency of the controls structure so that risk owners and independent risk management functions will have more insight as to how operating processes and critical controls are performing than when manual controls are in place. This emphasis is an important one because, according to a Protiviti study, nearly three times as many organizations plan to automate a broad range of processes and controls compared to 2014.
Advise on improving and streamlining compliance. The future auditor applies a quality focus to managing compliance with the same fervor with which the organization often approaches the improvement of core operating processes. For example, the future auditor collaborates with the compliance management function to forge a more streamlined, end-to-end view of compliance management. This results in improved coordination across the organization of control requirements-setting, alignment of management and control activities, streamlining and integration of reporting around compliance and other risks, and a reduction in complexity and redundancy.
Remain vigilant with respect to fraud. The future auditor understands the importance of a comprehensive enterprise-wide fraud and corruption risk assessment and evaluation of the robustness of the organization’s anti-fraud and corruption program. For example, the future auditor deploys data mining and analytics techniques to analyze transactional data, obtain insights into the operating effectiveness of internal controls, and identify patterns or other indicators of possible fraudulent activity requiring further investigation.
While directors may not expect their company’s CAE to contribute all of the above value points, they should periodically assess whether internal audit is doing what matters. CAEs who embrace the future auditor vision are better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk focus and forward-looking, change-oriented, and highly adaptive behavior.
The board can facilitate this transition by articulating their expectations of the company’s CAE and ensuring that person is positioned within the organization with the requisite resources to deliver on those expectations.
Jim DeLoach is a managing director with Protiviti and works closely with companies to improve their board risk oversight, including the communications between management and the board. He is a member of Protiviti’s Executive Council to the CEO and was named to NACD Directorship’s 2012 list of the 100 most influential people in corporate governance. Protiviti is a global consulting firm that assists board members, and the companies on which they serve, in protecting and enhancing their enterprise value by solving critical business problems in the areas of finance, technology, operations, risk and internal audit.
In March, the National Association of Corporate Directors, KPMG’s Audit Committee Institute, and Sidley Austin co-hosted the latest meeting of the Audit Committee Chair Advisory Council. Delegates were joined by analysts from Moody’s Analytics and Morgan Stanley, as well as leadership from Financial Accounting Standards Board (FASB) and the Public Company Accounting Oversight Board (PCAOB). The group discussed how investors and ratings agencies use financial statements in their assessment of corporate performance, the audit committee’s role in helping to ensure the quality of the company’s financial disclosures, and ongoing FASB and PCAOB projects.
As detailed in the summary of proceedings, the discussion addressed several factors that can diminish the utility of financial disclosures, including high volume as a result of duplication, “boilerplate” disclosures, and the timing of releases. Dialogue yielded the following suggestions for how companies might improve the usefulness of disclosures to the investor community:
Expanded reporting at the business unit, segment, or geography level.“We want to see performance data at a more granular level in order to develop a view of the company’s future growth prospects.”
Providing data that shows trends over multiple years.“Understanding trends over 2, 3, 5 years tells a fuller story. One of my pet peeves is when a company’s MD&A includes comparative data only from the previous year. Investors want more context.”
Using more charts and visuals.“Visuals can deliver a wealth of information using very little real estate in the financial statement.”
Including more forward-looking disclosures.“Investors and rating agencies are trying to assess and project future valuations of the company. I’d be in favor of more safe harbors [in this area] if it would encourage companies to offer more forward-looking information.”
For the full day’s discussion and proposed council action items, click here to read the summary of proceedings.