Now that the U.S. Securities and Exchange Commission (SEC) has released an order approving the Public Company Accounting Oversight Board’s (PCAOB) new rules on the auditor’s report, what items should the audit committee and shareholders look for there?
The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion and Related Amendments to PCAOB Standards, released by the PCAOB June 1 and approved by the SEC October 23, contains five main changes, including one that requires careful reading between the lines.
As NACD summarized in a recent brief to its members, the new PCAOB standard will require auditors to:
Standardize the format of the auditor’s report, placing the auditor’s opinion in the first section of the auditor’s report, followed by the basis for the opinion. This change makes the auditor’s opinion easier to find in the auditor’s report.
Disclose the auditor’s tenure, stating when the audit firm began its current service to the company. This new requirement comes in lieu of limiting audit firm tenure through mandatory audit firm rotation, a concept NACD and others have rejected in the past.
State that the auditor is required to be “independent.” This requirement is intended to strengthen shareholder confidence in the auditor’s report, possibly as an offset to the tenure disclosure, if it reveals that the auditor has been serving the client for more than a quarter century, for example.
State that the financial statements are free from material misstatements “whether due to error or fraud.” This change aligns with other recent or pending regulations on error vs. fraud, such as the proposed executive pay clawbacks rule still pending under Dodd-Frank, which mandated disgorgement of performance-based pay after financial restatements even if restatements were due to error rather than to fraud.
Report on critical audit matters (CAMs), defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” A number of commenters said that the CAMs mandate is “redundant” with existing reports, which already reveal the required information. See for example NACD’s comment to the PCAOB or State Street’s comment.
The key letter in CAM is M, for material. For those who may wonder what may be “material” to the financial statements, join the club. The SEC has still never defined this term, leaving this job to the courts as they interpret federal securities laws.
The going definition of “material” is more than 40 years old. The SEC release cites TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), in which the U.S. Supreme Court states that a fact is material if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” In that same case, the Supreme Court said that determining materiality requires “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . .”
Such wisdom is not lost on the PCAOB and SEC. In its June 1 release, the PCAOB cites as CAMs the auditor’s evaluation of the company’s “goodwill impairment assessment” and, more broadly, the auditor’s assessment of the company’s “ability to continue as a going concern.” These two examples are material to the financial statements. By contrast, the following two examples are not material to the financial statements: a loss contingency already discussed with the audit committee and “determined to be remote,” and a “potential illegal act.”
Audit committees need to ensure that their auditors are in a position to recognize critical audit matters, and to learn from those matters. But this does not mean looking for problems where there are none.
Significantly, SEC Chair Jay Clayton had this to say about the new standard:
“I would be disappointed if the new audit reporting standard, which has the potential to provide investors with meaningful incremental information, instead resulted in frivolous litigation costs, defensive, lawyer-driven auditor communications, or antagonistic auditor-audit committee relationships — with Main Street investors ending up in a worse position than they were before.
I therefore urge all involved in the implementation of the revised auditing standards, including the Commission and the PCAOB, to pay close attention to these issues going forward, including carefully reading the guidance provided in the approval order and the PCAOB’s adopting release.”
To Chairman Clayton’s point, the SEC makes this point in its approval order:
“As the [PCAOB] notes, in order to succeed, any claim based on these new statements would have to establish all of the elements of the relevant cause of action (e.g., when applicable, scienter, loss causation, and reliance). Moreover, as discussed above, CAMs could be used to defend as well as initiate litigation. … However, because of these risks and other concerns expressed by commenters, we expect the Board to monitor the Proposed Rules after implementation for any unintended consequences.” (SEC approval order, pp. 32–33)
Shareholders and others should read between the lines of the auditor’s report (appreciating the regulations behind it), but they should not expect auditors to “look under rocks” to find problems. That is the job of management, internal control, and the audit committee. The auditor’s job is to focus on the audit of the financial statements to ensure that they conform to generally accepted accounting principles (GAAP). Given the complexity of GAAP, that is a big enough job as it is.
The CAM standard can’t be mastered overnight and won’t be required any time soon. Auditors of large accelerated filers will not be required to adopt CAM changes until audits of fiscal years ending on or after June 30, 2019—with audits of all remaining filers to adopt CAM changes for fiscal years ending on or after December 15, 2020.
By contrast, all the other changes will apply to audits of fiscal years ending on or after December 15, 2017. That means, essentially, that auditors must work on this immediately, since most companies they are working with right now have fiscal years ending December 31, 2017. (According to Audit Analytics, 71 percent of public companies have a fiscal year ending December 31.)
So now is the time to prepare for the changes! In its above-cited report on the new rule, NACD prepared questions for directors to ask, along with related resources.
Questions for Boards
For which fiscal year will our auditor first be required to report on CAMs?
What areas during the audit do we anticipate our auditor will find challenging, subjective, or complex—and how can we preemptively address those concerns?
How will the auditor’s insights in the newly expanded report affect our ongoing work as we prepare the audit committee report for the proxy and review risk disclosures in the annual report on Form 10-K?
On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.
The regulation covers any entity that processes the personal data of EU citizens (referred to as “data subjects”), even if the organization does not provide goods or services to EU citizens and only handles or processes their data. Unless you are categorically sure that your organization does not and will not process EU citizens’ personal data, compliance is not optional.
The fine for an infringement can be €20 million (approximately $23 million at today’s exchange rate), or 4 percent of your worldwide annual turnover, depending on which is the higher amount. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.
The Policy Details of GDPR
The GDPR was written to ensure that organizations:
protect the personal data of ‘EU Natural Persons’ (i.e. living people);
are transparent, fair, and lawful about the processing of personal data;
only request and process necessary personal data;
do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
gain consent from data subjects to process their data.
Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes;
adequate, relevant, and limited to what is necessary;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
processed in a manner that ensures appropriate security of the personal data.
Data subjects are provided with a set of legal rights under GDPR, including the right:
Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and to issue warnings, reprimands, and fines for violations by the organization. When breaches of personal data occur, companies will be subject to a high level of scrutiny, and will have only a 72-hour window to report the breach. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.
You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.
Where do we start?
Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.
Understand your personal data retention
You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:
To whom does data you collect and retain pertain?
Is it necessary to collect and keep this data?
If so, how long do you need to keep it?
Do you have permission from the data subject to process the data?
How is consent obtained from data subjects for each method of personal data collection?
Encourage your team to follow individuals’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and where and how it is passed on to any third parties.
Review how your organization collects consent from individuals to process their personal data
EU citizens must be able to give and rescind consent for their personal data to be processed. Consent means any “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. In this case, this has to be made clear to the data subject when they register for the service.
Identify partner and supplier risk
Review third-party legal agreements to ensure that EU citizens’ personal data provided to a third party is handled in a compliant manner. Otherwise, your organization will be held accountable for a vendor’s data breach or data loss. If you process personal data on behalf of another organization, you will need to demonstrate your compliance with GDPR, and ensure your legal agreements reflect this accordingly.
Ensure your cybersecurity programs are up to par
Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing out your processes will determine whether they are fit for purpose.
Get regular updates on progress and status
As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.
If your organization employs, partners with, or serves people who are citizens of the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the risk of steep fines, it is not something you can afford to ignore or put off. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.
Corey E. Thomas is president and CEO of Rapid7. He is director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce.
In April 2017, the U.S. Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance announced it will not recommend enforcement action against companies that disclose, but do not further investigate, their use of conflict minerals that may originate in the Democratic Republic of Congo (DRC). Any company manufacturing or contracting to manufacture products using such minerals had previously been required to conduct extensive due diligence on its supply chain and make this diligence publicly known with a note that its products contained minerals which “have not been found to be ‘DRC conflict free.’” However, following a series of partial losses in court, the SEC appears to be backing off the rule—for now.
The Conflict Minerals Rule and Disclosure Requirements
A provision in the Dodd-Frank Act aims to cut off funding sources for armed rebel groups in the DRC and surrounding countries in central Africa. It requires companies manufacturing products containing certain minerals to conduct supply chain audits and disclose if those minerals were known to have originated in the DRC or adjoining countries. The SEC, as the enforcer of this provision, issued a rule requiring issuers of securities who filed reports with the SEC under Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 and who manufactured or contracted to manufacture a product in which the defined conflict minerals were a necessary part, to file a separate special disclosure form, Form SD. Although these obligations were placed on manufacturing issuers, in practice, the diligence requirement was imposed on others in the supply chain because many manufacturers required their supply chain partners to certify origin of minerals and compliance with the rule.
When Form SD was first issued, items 101(a) and (b) required companies using conflict minerals to attempt to identify the country of origin of those minerals. If after conducting a “reasonable country of origin inquiry” the company determined that the country of origin was neither the DRC nor an adjacent country, it had to disclose this finding (and a description of the country of origin inquiry conducted) on its website as well as to the SEC. Per item 101(c) of Form SD, if a company’s minerals may have originated in either the DRC or its neighboring countries, the company was required to conduct additional, more extensive due diligence, and then file and publish a conflict minerals report. This report had to include a description of the company’s due diligence efforts, certified results of an independent private audit, and a list of planned changes as a result of the audit. In the report and on its website, companies also had to describe which products had “not been found to be ‘DRC conflict free,’” although for the first two years of enforcement they could use the label “DRC conflict undeterminable.”
The National Association of Manufacturers challenged these regulations on both procedural and constitutional grounds. After the district court granted the SEC summary judgment, the Association appealed to the U.S. Court of Appeals for the D.C. Circuit. Ultimately, the appeals court found that forcing companies to state whether or not their products are DRC conflict free was unconstitutional under the First Amendment. The case was remanded to the U.S. District Court for the District of Columbia, which issued its final judgment in April 2017 and set aside the part of the rule that requires companies to add language that their products are “DRC conflict free” or “have not been found to be ‘DRC conflict free.’” Citing both the court decision and the unclear efficacy of the rule, SEC Chair Michael Piwowar reopened comments and the SEC stayed the compliance portions of the rule pending the conclusion of litigation. The SEC announced it would not pursue enforcement actions against companies that only complete Form SD items 101(a) and (b) and do not pursue more extensive diligence on sourcing or secure an independent audit. The SEC has taken the view that the purpose of item 101(c) of Form SD and the related conflict minerals reports was to determine the status of conflict minerals by requiring the “conflict free” or “not conflict free” labels, and that these measures and the requirements for more detailed due diligence are in need of re-evaluation and clarification given recent court rulings on this matter.
Although companies are not currently expected to conduct the extensive due diligence envisioned by item 101(c) of Form SD, they are still expected to conduct in good faith a reasonable country of origin inquiry and disclose this information to the SEC and the public. Companies and boards still need to ensure there are effective diligence programs in place that allow reasonable inquiry into supply chain partners and components, particularly if conflict minerals are necessary to any product the company manufactures. By statute, the SEC is required to issue a rule relating to due diligence for conflict minerals. Although the “conflict free” labeling requirement has been eliminated, the question remains whether conflict minerals reports, in their current form, are otherwise valid. The SEC is currently developing its future enforcement recommendations with respect to the rule.
In the interim, companies should continue to ensure effective supply chain diligence mechanisms are in place that allow them to confirm where components, particularly conflict minerals, are sourced. To the extent that auditing or diligence measures had already been put into place prior to the final judgment and SEC announcement, companies may want to continue to implement these measures given the lingering uncertainty about future application of the rule. Companies also have the ability to submit comments on the rule to the SEC and should make their views known to influence future enforcement on this issue.
At Baker & McKenzie, Joan Meyer is a partner and chairs the North America Compliance, Investigations & Government Enforcement Practice Group. Reagan Demas is a partner and Maria McMahon is a professional support lawyer in the North America Compliance, Investigations & Government Enforcement Practice Group in Washington, DC.