Category: Audit

The Auditor’s Report: Reading Between New Lines

Published by

Alexandra R. Lajoux

Now that the U.S. Securities and Exchange Commission (SEC) has released an order approving the Public Company Accounting Oversight Board’s (PCAOB) new rules on the auditor’s report, what items should the audit committee and shareholders look for there?

The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion and Related Amendments to PCAOB Standards, released by the PCAOB June 1 and approved by the SEC October 23, contains five main changes, including one that requires careful reading between the lines.

As NACD summarized in a recent brief to its members, the new PCAOB standard will require auditors to:

  • Standardize the format of the auditor’s report, placing the auditor’s opinion in the first section of the auditor’s report, followed by the basis for the opinion. This change makes the auditor’s opinion easier to find in the auditor’s report.
  • Disclose the auditor’s tenure, stating when the audit firm began its current service to the company. This new requirement comes in lieu of limiting audit firm tenure through mandatory audit firm rotation, a concept NACD and others have rejected in the past.
  • State that the auditor is required to be “independent.” This requirement is intended to strengthen shareholder confidence in the auditor’s report, possibly as an offset to the tenure disclosure, if it reveals that the auditor has been serving the client for more than a quarter century, for example.
  • State that the financial statements are free from material misstatements “whether due to error or fraud.” This change aligns with other recent or pending regulations on error vs. fraud, such as the proposed executive pay clawbacks rule still pending under Dodd-Frank, which mandated disgorgement of performance-based pay after financial restatements even if restatements were due to error rather than to fraud.

Report on critical audit matters (CAMs), defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” A number of commenters said that the CAMs mandate is “redundant” with existing reports, which already reveal the required information. See for example NACD’s comment to the PCAOB or State Street’s comment.

The key letter in CAM is M, for material. For those who may wonder what may be “material” to the financial statements, join the club. The SEC has still never defined this term, leaving this job to the courts as they interpret federal securities laws.

The going definition of “material” is more than 40 years old. The SEC release cites TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), in which the U.S. Supreme Court states that a fact is material if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” In that same case, the Supreme Court said that determining materiality requires “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . .”

Such wisdom is not lost on the PCAOB and SEC. In its June 1 release, the PCAOB cites as CAMs the auditor’s evaluation of the company’s “goodwill impairment assessment” and, more broadly, the auditor’s assessment of the company’s “ability to continue as a going concern.” These two examples are material to financial statements. By contrast, the following two examples are not material to the financial statement: a loss contingency already discussed with the audit committee and “determined to be remote;” and a “potential illegal act.”

Audit committees need to ensure that their auditors are in a position to recognize critical audit matters, and to learn from those matters.  But this does not mean looking for problems where there are none.

Significantly, SEC Chair Jay Clayton had this to say about the new standard:

“I would be disappointed if the new audit reporting standard, which has the potential to provide investors with meaningful incremental information, instead resulted in frivolous litigation costs, defensive, lawyer-driven auditor communications, or antagonistic auditor-audit committee relationships — with Main Street investors ending up in a worse position than they were before.

I therefore urge all involved in the implementation of the revised auditing standards, including the Commission and the PCAOB, to pay close attention to these issues going forward, including carefully reading the guidance provided in the approval order and the PCAOB’s adopting release.”

To Chairman Clayton’s point, the SEC makes this point in its approval order:

“As the [PCAOB] notes, in order to succeed, any claim based on these new statements would have to establish all of the elements of the relevant cause of action (e.g., when applicable, scienter, loss causation, and reliance). Moreover, as discussed above, CAMs could be used to defend as well as initiate litigation. …However, because of these risks and other concerns expressed by commenters, we expect the Board to monitor the Proposed Rules after implementation for any unintended consequences.“  (SEC approval order , pp. 32–33)

Shareholders and others should read between the lines of auditor’s report (appreciating the regulations behind it), but they should not expect auditors to “look under rocks” to find problems. That is the job of management, internal control, and the audit committee. The auditor’s job is to focus on the audit of the financial statements to ensure that they conform to generally accepted accounting principles (GAAP). Given the complexity of GAAP, that is a big enough job as it is.

The CAM standard can’t be mastered overnight and won’t be required any time soon. Auditors of large accelerated filers will not be required to adopt CAM changes until audits of fiscal years ending on or after June 30, 2019—with audits of all remaining filers to adopt CAM changes for fiscal years ending on or after December 15, 2020.

By contrast, all the other changes will apply to audits of fiscal years ending on or after December 15, 2017.  That mean, essentially that auditors must work on this immediately, since most companies they are working with right now have fiscal years ending December 31, 2017. (According to Audit Analytics, 71 percent of public companies have a fiscal year ending December 31.)

So now is the time to prepare for the changes! In its above-cited report on the new rule, NACD prepared questions for directors to ask, along with related resources.

Questions for Boards

  • For which fiscal year will our auditor first be required to report on CAMs?
  • What areas during the audit do we anticipate our auditor will find challenging, subjective, or complex—and how can we preemptively address those concerns?
  • How will the auditor’s insights in the newly expanded report affect our ongoing work as we prepare the audit committee report for the proxy and review risk disclosures in the annual report on Form 10-K?
  • How will it shape our meeting with auditors, who themselves have extensive standards for their communications with audit committees?
  • How might our company need to adjust our year-end reporting calendar in order to file the 10-K on time?

NACD Resources: See NACD’s commentary on this topic to the PCAOB in the Corporate Governance Standards Resource Center, and visit NACD’s Audit Committee Resource Center for a repository of content related to leading practices for the audit committee. Register for the KPMG webinar “What You Need to Know About the New Auditor Reporting Model” on Thursday, November 9, and review the Center for Audit Quality’s recent alert “The Auditor’s Report—New Requirements for 2017.”

Boardroom Implications for the New Revenue Recognition Standard

Published by

It’s all a matter of time—at least when it comes to recognizing revenue at public companies. The Financial Accounting Standards Boards (FASB) and the International Accounting Standards Board (IASB) in 2014 developed an accounting rule that is set to change how companies approach revenue recognition. The rules, available here, go into effect for public companies with fiscal years beginning after December 15, 2017, and will have major consequences for financial reporting in many industries.

To address the executive-compensation implications of the revenue recognition standard, NACD, executive compensation advisory firm Farient Advisors, and law firm Katten Muchin Rosenman cohosted a meeting of the Compensation Committee Chair Advisory Council on April 4, 2017. During that meeting and its related teleconference, Fortune 500 companies’ compensation committee chairs came together to discuss leading practices and key considerations related to the impact of the new revenue recognition standard. Jose R. Rodriguez, partner in charge and executive director of KPMG’s Audit Committee Institute, joined council delegates for the discussion. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names are available here.

About the New Standard

A 2014 press release from FASB explained the rationale behind the new standard, noting that revenue is an important metric that investors use when trying to understand how a company has performed and its potential for future performance. Previous accounting standards from the International Financial Reporting Standards (IFRS) and U.S. Generally Accepted Accounting Principles (GAAP), however, were somewhat at odds, according to the press release. Those inconsistencies between IFRS and GAAP meant that different industries that had very similar types of transactions were accounting for revenue in sometimes very different ways. The revenue recognition standard aims to bring more consistency to accounting done for similar types of transactions.

A key part of the new standard is that revenue can only be recognized—among other requirements—once customers actually benefit from the services or goods that the company has already provided them, as noted in the Journal of Accountancy. The Journal continues that if a company provides a customer with goods or services over time, such as a yearlong service contract, the company can recognize revenue as the customer receives benefits in the contract period. For more information on the standard, see this four-page overview and in-depth guide from KPMG.

Key Questions Directors Should Ask
While the level of disruption that the revenue recognition standard will cause varies by industry and company, four questions important for all boards emerged from the Advisory Council meeting:

  1. How will the new revenue recognition standard affect our company specifically?
  2. Does the board understand the key milestones for the revenue recognition standard and how the company is progressing in light of those milestones?
  3. How will compensation plans be affected?
  4. How will our disclosures need to change?

How will the new revenue recognition standard affect our company specifically?

Impact of the new standard will vary widely for a few reasons.  First, sales and service contracts can differ significantly depending on industry—consumer products, health care, manufacturing, IT, and so on. Additionally, the types of sales contracts—and, therefore, the way revenue is recognized—can differ even within a single company, depending on the types of products and services sold. The company’s suppliers and vendors are a third factor influencing change: “Even if the standard doesn’t affect our core business, we could be working with partners and vendors that are affected,” said one director. “One of my companies has hundreds of millions of dollars in service contracts,” another delegate commented. “Our whole income statement is going to change.”

“Every company’s finance department has been looking at this,” Rodriguez said. “Ask your CFO to brief the board about the major income-statement changes that will occur for the company. What will be affected across all revenue lines? How are key reporting processes changing to accommodate the new standard?”

Does the board understand the key milestones for the revenue recognition standard and how the company is progressing in light of those milestones?

Rodriguez said that a pitfall for many companies is not investing enough time upfront in ensuring compliance with the new standard. “Some companies are finding that this is a bigger lift than they thought [to adopt the standard], so they are having to scramble to coordinate.”

Rodriguez shared several steps that companies can take to prepare:

  • Forming cross-functional task forces that integrate finance, accounting, IT, legal, and HR to ensure activities are coordinated.
  • Designating a revenue group to analyze contracts in different regions and locations to ensure all jurisdictions are covered.
  • Devoting sufficient time and resources to make required changes and upgrades to IT and reporting systems, especially in companies that have multiple legacy systems in place.
  • Developing a communication plan to explain to affected employees (especially on sales teams) how the changes will impact their work. “This is actually a huge change-management process,” one council delegate said. “You have to re-train sales people about how they design contracts and agreements.”

How will compensation plans be affected?

Council delegates agreed that compensation committees need to have a clear understanding of how the new standard will affect the key metrics that drive compensation for all levels of employees, from rank-and-file to the C-suite (For more information on incentives and risk taking, please see NACD’s brief, Incentives and Risk Taking). Changes to the way revenue is reported could have a major impact on the numbers used in annual bonus plans, as well as on long-term incentive plans that are already in place.  “With multi-year incentive plans that are in mid-cycle, the effects could be quite complex,” said Dayna L. Harris, partner at Farient Advisors. “For compensation committees, it will be important to ensure incentives are paid out in a way that’s appropriate to what was originally intended to keep consistent with the compensation philosophy the board has devised.”

Compensation committees can ask the following questions:

  • Is the company adopting the new standard prospectively or retrospectively, and how will that change our revenue numbers?
  • Which compensation plans will be affected beyond the CEO and named executive officers (e.g., sales staff at multiple levels)?
  • What do we anticipate will be the impact on the peer groups we use to benchmark executive compensation?

Rodriguez suggested that compensation committees schedule a briefing session with the external auditor, audit committee chair, CFO, and compensation consultant to discuss these and other questions. Members of the audit committee can also be invited to the briefing.

How will our disclosures need to change?

As noted in the Report of the NACD Blue Ribbon Commission on Board-Shareholder Communications (p. 17), “Directors have a general responsibility to oversee the company’s disclosure programs. They also need to take special care in reviewing certain specific disclosures—notably the company’s regular financial disclosures, such as the proxy statement, 10-Ks, 10-Qs, and 8-Ks, as well as any securities registration statements filed with the [U.S. Securities and Exchange Commission (SEC)].” A director observed, “In addition to the changes to reports, we need a strategy to communicate with our major investors. They will be asking questions about why compensation payouts appear to have ‘changed.’”

The SEC will task review teams with scrutinizing public companies’ financial disclosures, 10-Ks especially, to determine if the statements include information on the revenue recognition standard, Bloomberg BNA reports. Mark Kronforst, chief accountant of the SEC’s Division of Corporation Finance, told Bloomberg BNA, “I don’t think that we will be shy about issuing comments if we don’t see the disclosures.”

“Accounting changes should not interfere with a good business decision, performance outcomes on incentives, and appropriate incentive payouts,” said Harris. “With an accounting change in the middle of a performance period, compensation committees will need to provide full transparency into incentive payout decisions, especially if they appear larger than expected under the new accounting. There’s a whole list of ramifications if that transparency is lacking, from proxy advisors’ criticisms to activist investors’ reproach.”

And there’s no time like the present to understand those ramifications and ensure that management stays on top of key milestones.

Seven Ways to Stronger Oversight of Supply Chain Risk

Published by
Jim DeLoach

Jim DeLoach

One important source of operational risk relates to the organizations, people, processes, and resources comprising a company’s supply chain. In many sectors, companies increasingly depend on the external elements of the supply chain (e.g., suppliers, outsource partners, third-party logistics) in an effort to cut costs while increasing capabilities and global reach. Because every business depends on a well-functioning, cost-effective supply chain, every board should consider its oversight of supply chain risks. The following are seven suggestions for better board-level oversight of supply chain issues.

1. Strike the right balance when selecting a supplier. Time, cost, quality, and risk are four factors a company needs to consider when identifying potential suppliers, negotiating contracts, and evaluating supplier risk and performance throughout the lifespan of the contract. Boards should be leery when management emphasizes one or two factors over the others as this can result in unintended consequences. For example, seeking to reduce procurement costs when negotiating supply contracts should not lead to the unintended consequence of taking delivery of components that fail to meet critical quality specifications or timing requirements.

2. Make procurement decisions with an enterprisewide perspective. Striving for functional excellence is a laudable goal, but it has its limits. Companies can incur huge losses making procurement decisions in isolation, ignoring initiatives undertaken by the research and development, engineering and finance functions.

3. Ensure the supplier agreement spells everything out. When a contract clearly defines scope, business objectives, deliverables and performance specifications, it lays the foundation for ongoing monitoring of contract compliance and supplier performance and reduces the risk of costly disputes and misunderstandings. For example, the contract should clarify product and packaging specifications and quality control and inspection protocols so that performance can be monitored over time. It also should ensure that intellectual property and critical assets (e.g., proprietary molds and tools the company gives to the supplier) are adequately protected. Due to the complexity of managing suppliers operating in other countries, boards should ensure that the procurement process is supported by legal advisers knowledgeable of the applicable court jurisdictions, particularly in countries where laws, customs, and business ethics may vary.

4. Hold suppliers to the same level of accountability. The rigor of company processes for identifying, sourcing, measuring, monitoring, and reducing third-party relationship risks should be proportionate to the level of risk and complexity of those relationships. With respect to legislative and regulatory developments regarding disclosure of the actions a company has voluntarily undertaken to remove labor abuses from its supply chains, companies should seek the advice of counsel as to the status of these developments and the jurisdictions and circumstances in which they apply. Given this environment, a case can be made for adopting and enforcing a supply chain code of conduct—especially for vendors authorized to act as agents on behalf of the organization. Coupled with a code of ethics that details the principles and values by which the company operates, a code of conduct might address topics such as human rights, health and safety standards, environmental sustainability standards, ethical and responsible business behavior, and cybersecurity standards.

5. Conduct periodic third-party audits. A supply chain code of conduct is only as good as the vendors who sign it. That’s why a cost-effective third-party audit process is Such audits may be integral to the due diligence associated with vendor selection and onboarding. Conducted on a periodic basis, third-party audits may focus on: selected internal controls, such as cybersecurity; vendor performance against contract specifications; and compliance with laws and regulations. The audits may also be conducted before contract renewals.

6. Monitor supplier risk and performance over the life of the contract. The risk environment is not static over the life of the contract. All suppliers should be segmented based on factors such as risk, the level of spend, criticality, and alternatives in the market. The segmentation should drive the level of preselection due diligence, the contracting strategy, and the level and frequency of monitoring through contract duration. Ideally all facets of contract and supplier risk are addressed through performance reporting, including early warning alerts before it’s too late to act on a timely basis.

7. Pay attention to business continuity risk. There are many instances where a single-source supply strategy is the right business decision. In these cases, however, quality, time, and cost considerations often win out over business continuity risk considerations despite the risk of supply chain disruptions. Thus, risk assessments should consider what could happen to the organization’s business model if any key component of the supply chain were taken away, even though a cause may be somewhat elusive at the time of the assessment.

An assessment should also consider the implications of plausible and extreme scenarios stemming from the loss of strategic sources of supplies for an extended period, including exposure to data security risks and physical access to sensitive information, the financial impact, expected recovery time, and adequacy of current recovery and contingency plans. To illustrate, directors should inquire whether management has considered the following questions:

  • What would happen if we were to lose, for any reason, one or more of the suppliers that we depend on for essential raw materials and components?
  • How long would we be able to operate?
  • What if there were significant disruptions in transportation?
  • What contingency plans do we have?
  • Have our key suppliers performed their own risk assessments with respect to key “Tier Two” or “Tier Three” suppliers? How do we know?

The board should be informed of the results of these assessments.