With the principle of the rule of law and democratic governance under siege in numerous parts of the world, corporate board members are increasingly considering how global events are creating mounting risks to both their businesses and the bottom line.
These actions are taking place in jurisdictions that have long been high risk for companies. The Democratic Republic of the Congo, Venezuela, and Myanmar, for example, have for some time presented operational challenges as a result of poor governance. In recent years, however, countries thought of as bulwarks for the rule of law have also begun to present challenges for businesses. Some argue that these include the United States, a country that traditionally has been known as a powerful advocate for the rule of law and democratic values and the long-time guarantor of the system of global governance, and the United Kingdom, where the legal and regulatory uncertainty caused by Brexit has seen many investment decisions put on hold.
Just in the last few weeks, actions taken by the United States with rule-of-law implications have given some in the business community great pause. US actions regarding Chinese telecom company ZTE Corp. have raised questions as to whether a law enforcement action against a corporate entity can be used as a point of leverage in an international trade negotiation. Notwithstanding policy arguments for and against, the US’s withdrawal from the Iran agreement and pending re-imposition of secondary sanctions create significant uncertainty both for international businesses making investment decisions in Iran, and with respect to the US’s long-term commitments to international agreements. Many also note that America’s executive in chief has imposed considerable pressure on elements of the Federal government whose independence has long underpinned the rule of law in the United States, from individual judges and the judiciary to members of Congress, to law enforcement and the Federal Bureau of Investigation. This pressure has at times taken the form of quite personal attacks that set a concerning precedent, including for businesses that must ask whether they could become a target for a president who dislikes what they may be doing.
It is no secret that businesses do well in jurisdictions where the rule of law is strong: where contracts are enforceable, where fair judicial decisions are rendered without unreasonable delay, where assets aren’t arbitrarily seized or contracts arbitrarily renegotiated, where laws and regulations are transparent and applied fairly, where bribes need not be paid for discretionary actions by government. These are environments where businesses thrive. Indeed, as a 2015 Report by law firm Hogan Lovells and the Bingham Centre for the Rule of Law makes clear, there is a strong correlation between foreign direct investment in a country and the existence of a sound rule of law.
Businesses also do well where basic principles of the rule of law and associated norms are embedded. The separation of powers, the existence of a resilient and independent law enforcement system, and basic respect for truth and fact-based decision making are all important contributors to business success.
Finally, the existence of a strong rule of law correlates with broader societal thriving, making for an invigorated source for customers, employees, partners, and suppliers.
Given this reality, it is imperative that boards be sensitive to the range of rule-of-law issues that impact their businesses, even in jurisdictions where they least expect it. This means considering specific risk factors involving rule of law, above and beyond more generic political risk factors, whenever contemplating entry into new jurisdictions. The same can be said for assessing merger and acquisition or joint venture prospects, even in places where rule of law issues aren’t on the front page of newspapers every day. Indeed, a broad range of rule of law risk factors should be included in standard risk matrices so that business-critical issues such as prospects for the enforceability of contracts, or the ability to get a fair and timely judicial decision, or the independence of law enforcement are specifically considered when assessing risk. Existing governance and compliance frameworks can readily be adapted to reflect rule of law issues, alongside human rights and other risk issues. Rule of law matters should be included on the agenda of board meetings when appropriate.
In addition, boards should consider their companies’ own self-interest in the existence of a strong rule of law, and decide what their role might be in encouraging better governance, both within the companies themselves and in the environments where they operate. Many high-profile businesses have stepped up in recent months to publicly support such issues as countering climate change (as occurred when the US withdrew from the Paris Climate Agreement last year, which precipitated an outpouring of commitments by businesses to meet the goals set out), or in response to gun violence (as with Dick’s Sporting Goods following the Parkland school shooting), for instance.
In this regard, business can serve as a champion of good governance and the rule of law, advocating for improving the standards of governance where appropriate, and initiating collective efforts with like-minded companies with shared interests in stronger rule of law. Chambers of Commerce and other trade associations can be powerful voices when it comes to advocating for a strong rule of law that encourages foreign investment and secures stable business environments. Directors can urge the associations they are involved in to initiate efforts to support the rule of law, helping to bring to bear the influence and credibility of the business community to move the needle, in a positive way, on the quality of governance and the rule of law. Further, there are business-driven associations that provide a platform for collaboration to support the rule of law.
With the rule of law being challenged in so many countries around the world, businesses have both a strong interest in and the ability to contribute to fostering a strong rule of law everywhere. Businesses, and their directors, should be part of the urgent work to publicize and mitigate what we as a global community stand to lose if the rule of law is undermined.
Ulysses Smith is a US-based lawyer and director of the Business and the Rule of Law Program at the Bingham Centre for the Rule of Law. All thoughts are his own and do not necessarily reflect those of NACD.
The European Union’s (EU) General Data Protection Regulation (GDPR) is causing a seismic shift in the digital information space, and, whether your company has a presence in Europe or not, the sweeping regulation likely applies. As a director in the era of bet-the-farm digital transformation, familiarity with the basics of GDPR is a must. To that end, Michael Walter and Joel Wuesthoff, experts from Protiviti and Robert Half Legal, respectively, recently presented the ins and outs of the regulation at an NACD Atlanta Chapter program.
Does GDPR even apply to my company?
Effective May 25, 2018, it probably does. The regulation is borderless and applies to all organizations—regardless of size and regardless of whether they have a physical European location—that collect and process personal data of data subjects in the EU. An EU data subject is anyone from whom personal data is collected while in the EU (i.e., a data subject is not limited to someone with EU “citizenship”). For example, a skier from Colorado who buys a snowboard online while in the EU may subject the product seller to the GDPR. The rules apply to both data controllers and data processors. The range of information that is protected is quite broad, ranging from vehicle identification numbers to photos to employment information to IP addresses.
If GDPR applies, what’s the big deal?
In the U.S., personal information is often collected as a matter of course, with only an “opt out” offered to consumers. By contrast, GDPR requires that in order to collect information from EU data subjects, an affirmative “opt in” consent must be obtained that clearly specifies how the data will be used. Privacy policies must match. Then, once information is obtained, the EU data subject has the right to request that his or her data be deleted; that is, to invoke the right “to be forgotten.” Incorrect information must be corrected upon request. These rights may seem simple enough, but when data is held in multiple locations, developing a process to handle such requests may be quite difficult.
The burdens of GDPR cannot be outsourced, as companies have joint and several liability with third-party vendors. Due diligence requirements for vendors therefore will be heightened, and all in-scope data processors will need to be GDPR compliant.
What if my company has a data breach or fails to comply?
In the event of a data breach involving an EU subject, the breached company has 72 hours to notify regulators and must notify EU data subjects without undue delay under certain conditions.
Fines for failure to comply with GDPR can be up to 20M Euros or four percent of an organization’s annual global turnover, whichever is higher. Further, data subjects can claim compensation for damages from breaches of their personal data.
GDPR won’t be enforced right away, will it?
The expectation is that GDPR likely will be enforced right away against global organizations that collect large volumes of personal data. However, beware. EU countries continue to hire people for enforcement of the GDPR. Also, since individuals have a right of action, it is unclear whether GDPR will be used as a means of protest against companies that are unpopular with EU data subjects.
What should I be asking management?
The path to compliance with GDPR will require a multi-functional task force, including information technology, legal, human resources, privacy, and other functions. Directors may consider asking about the key phases of compliance:
Discovery and inventory: Have we identified high risk areas to ensure a focused approach?
Gap analysis: Have we determined exposure and prioritized compliance activities?
Compliance remediation: Are we implementing changes to achieve compliance?
Ongoing compliance: Are we prepared to provide evidence of accountability and compliance?
Boards may also want to discuss the appointment of—and ramifications of having—a data protection officer (DPO), required under GDPR for companies processing large-scale data; however, bear in mind that the DPO is a unique intermediary between the regulators, the organization, and the data subjects who is required to be an independent actor within the organization, reporting up to the highest levels of the organization. Care must be taken prior to appointing a DPO, as significant obligations attach once this decision is made.
In short, GDPR’s long reach and substantial requirements merit fulsome discussions in the boardroom, even of U.S. companies. Is your company ready?
Looking to learn more about how your board will be impacted by GDPR? Stay tuned. NACD will release an FAQ brief in May. You can also learn more from Protiviti by visiting protiviti.com/gdpr.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
Scott Zimmerman, Phillip Austin, Marty Baumann, Dan Sunderland, and the author discuss “Challenges Facing the Audit Profession” at the AAA’s 2018 Auditing Section Midyear Meeting.
“The new audit report is a great opportunity for the profession.” So spoke Marty Baumann, chief auditor and director of professional standards at the US Public Company Accounting Oversight Board (PCAOB), at a panel during the American Accounting Association (AAA) Auditing Section’s midyear meeting this past January.
I agree wholeheartedly with Marty.
Updating the auditor’s reporting model in the United States represents an extraordinary opportunity, as it has in the United Kingdom and elsewhere. Yet as we discussed on that January panel, with opportunities come challenges—and I have put together some strategies for addressing those challenges.
To understand the opportunities and challenges associated with updating the auditor’s report, it helps to start with the basic elements of the new PCAOB auditing standard.
The standard features a phased implementation approach. The first phase—which affects PCAOB audits of companies with fiscal years ending on or after December 15, 2017—includes disclosing auditor tenure and other changes to the form and content of the auditor’s report.
The second phase of implementation requires communication of critical audit matters (CAMs). The standard defines a CAM as any matter arising from the audit of the financial statements that meets all the following criteria:
was communicated or required to be communicated to the audit committee;
relates to accounts or disclosures that are material to the financial statements; and
involved especially challenging, subjective, or complex auditor judgment.
The effective dates for CAMs to be included in the auditor’s report are (1) fiscal years ending on or after June 30, 2019 for audits of large accelerated filers and (2) fiscal years ending on or after December 15, 2020 for audits of all other companies to which the requirements apply.
What opportunities will these changes bring? Conversation at the AAA panel covered a range of possibilities.
Possible insights for investors. Scott Zimmerman, a partner at EY and its Americas Assurance Innovation division, said that each audit should result in “some type of meaningful insight.” Baumann suggested that such insights can “add to the total mix of information that investors use in making decisions,” and offered his view that the audit report could, for some investors, even become “the first place to go in a very big 10-K with a complex set of financial information.”
Differentiation via technology. As a digital expert, EY’s Zimmerman knows how technology can be a competitive differentiator for audit firms, particularly as use of data analytics and artificial intelligence grows. He noted that EY, like many firms across the profession, is examining how technology can be leveraged in the context of the CAMs that will be communicated in an expanded auditor’s report.
Future academic research. As each audit generates insights, academics can sift through the data to track broader patterns in financial reporting. Baumann noted that researchers might investigate possible correlations between CAMs and stock prices, for example, or financial disclosures.
While acknowledging the excitement around these and other opportunities, panelists also recognized challenges.
Boilerplate potential. In December 2017, US Securities and Exchange Commission Chair Jay Clayton quipped that it would be a “bummer” if CAMs devolved into boilerplate language of little or no use to investors. At the AAA meeting, panelist Dan Sunderland, chief auditor and national leader for Audit and Assurance Services at Deloitte & Touche LLP, noted that the nature of the disclosure in CAMs would be the “keys to the kingdom”—and that auditors are well aware of the importance of avoiding boilerplate.
Interference with audit committee communication. Panelist Phillip Austin, the national managing partner of Auditing at BDO USA, noted that, with the new disclosure of CAMs, some company executives might be tempted to “manage” communication between the auditors and the audit committee.
Disclosure tension. In the discussion, panelists contemplated scenarios where auditors may disclose in CAMs information that management is not obliged to disclose. “That’s going to be tricky,” said Austin. Baumann indicated this would be an area that the PCAOB would track carefully.
Strategies for Success
To make the most of the opportunities presented by the new report, panelists discussed strategies to address the challenges of implementing the new reporting models. Audit committee members should become familiar with the following strategies for success.
Maintain open dialogue between auditors and audit committees. As with many items related to the financial reporting process, strong and ongoing communication will be critical around the new auditor’s report. Baumann cited the importance of dialogue around challenging issues, such as revenue recognition or significant and unusual transactions that a company might have, that could be critical audit matters. To foster this dialogue, the Center for Audit Quality (CAQ) has produced a tool for audit committees regarding changes to the auditor’s report.
Pilot-testing. For auditors, “the critical thing is to try to pilot things in the short run,” said Sunderland. This pilot-testing should involve auditors talking through the process with the audit committee, he added.
Pay close attention to the post-implementation review. For regulators, it will be vital to monitor implementation of the standard, particularly given risks such as creeping boilerplate. Marty Baumann voiced the PCAOB’s strong commitment to robust post-implementation review, starting with the implementation of CAMs.
What challenges, opportunities, and necessities do you see regarding updating the auditor’s report? I welcome your thoughts in the comments. And be sure to visit the CAQ’s resource page on auditor reporting for more information.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.