Scott Zimmerman, Phillip Austin, Marty Baumann, Dan Sunderland, and the author discuss “Challenges Facing the Audit Profession” at the AAA’s 2018 Auditing Section Midyear Meeting.
“The new audit report is a great opportunity for the profession.” So spoke Marty Baumann, chief auditor and director of professional standards at the US Public Company Accounting Oversight Board (PCAOB), at a panel during the American Accounting Association (AAA) Auditing Section’s midyear meeting this past January.
I agree wholeheartedly with Marty.
Updating the auditor’s reporting model in the United States represents an extraordinary opportunity, as it has in the United Kingdom and elsewhere. Yet as we discussed on that January panel, with opportunities come challenges—and I have put together some strategies for addressing those challenges.
To understand the opportunities and challenges associated with updating the auditor’s report, it helps to start with the basic elements of the new PCAOB auditing standard.
The standard features a phased implementation approach. The first phase—which affects PCAOB audits of companies with fiscal years ending on or after December 15, 2017—includes disclosing auditor tenure and other changes to the form and content of the auditor’s report.
The second phase of implementation requires communication of critical audit matters (CAMs). The standard defines a CAM as any matter arising from the audit of the financial statements that meets all the following criteria:
was communicated or required to be communicated to the audit committee;
relates to accounts or disclosures that are material to the financial statements; and
involved especially challenging, subjective, or complex auditor judgment.
The effective dates for CAMs to be included in the auditor’s report are (1) fiscal years ending on or after June 30, 2019 for audits of large accelerated filers and (2) fiscal years ending on or after December 15, 2020 for audits of all other companies to which the requirements apply.
What opportunities will these changes bring? Conversation at the AAA panel covered a range of possibilities.
Possible insights for investors. Scott Zimmerman, a partner at EY and its Americas Assurance Innovation division, said that each audit should result in “some type of meaningful insight.” Baumann suggested that such insights can “add to the total mix of information that investors use in making decisions,” and offered his view that the audit report could, for some investors, even become “the first place to go in a very big 10-K with a complex set of financial information.”
Differentiation via technology. As a digital expert, EY’s Zimmerman knows how technology can be a competitive differentiator for audit firms, particularly as use of data analytics and artificial intelligence grows. He noted that EY, like many firms across the profession, is examining how technology can be leveraged in the context of the CAMs that will be communicated in an expanded auditor’s report.
Future academic research. As each audit generates insights, academics can sift through the data to track broader patterns in financial reporting. Baumann noted that researchers might investigate possible correlations between CAMs and stock prices, for example, or financial disclosures.
While acknowledging the excitement around these and other opportunities, panelists also recognized challenges.
Boilerplate potential. In December 2017, US Securities and Exchange Commission Chair Jay Clayton quipped that it would be a “bummer” if CAMs devolved into boilerplate language of little or no use to investors. At the AAA meeting, panelist Dan Sunderland, chief auditor and national leader for Audit and Assurance Services at Deloitte & Touche LLP, noted that the nature of the disclosure in CAMs would be the “keys to the kingdom”—and that auditors are well aware of the importance of avoiding boilerplate.
Interference with audit committee communication. Panelist Phillip Austin, the national managing partner of Auditing at BDO USA, noted that, with the new disclosure of CAMs, some company executives might be tempted to “manage” communication between the auditors and the audit committee.
Disclosure tension. In the discussion, panelists contemplated scenarios where auditors may disclose in CAMs information that management is not obliged to disclose. “That’s going to be tricky,” said Austin. Baumann indicated this would be an area that the PCAOB would track carefully.
Strategies for Success
To make the most of the opportunities presented by the new report, panelists discussed strategies to address the challenges of implementing the new reporting models. Audit committee members should become familiar with the following strategies for success.
Maintain open dialogue between auditors and audit committees. As with many items related to the financial reporting process, strong and ongoing communication will be critical around the new auditor’s report. Baumann cited the importance of dialogue around challenging issues, such as revenue recognition or significant and unusual transactions that a company might have, that could be critical audit matters. To foster this dialogue, the Center for Audit Quality (CAQ) has produced a tool for audit committees regarding changes to the auditor’s report.
Pilot-testing. For auditors, “the critical thing is to try to pilot things in the short run,” said Sunderland. This pilot-testing should involve auditors talking through the process with the audit committee, he added.
Pay close attention to the post-implementation review. For regulators, it will be vital to monitor implementation of the standard, particularly given risks such as creeping boilerplate. Marty Baumann voiced the PCAOB’s strong commitment to robust post-implementation review, starting with the implementation of CAMs.
What challenges, opportunities, and necessities do you see regarding updating the auditor’s report? I welcome your thoughts in the comments. And be sure to visit the CAQ’s resource page on auditor reporting for more information.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.
In 2015, Chrysler issued a 1.4 million-vehicle recall to plug a security hole that could enable hackers to take over a car remotely. It’s the frightening reality that internet-connected systems in cars can present new vulnerabilities, which only stand to get worse as such systems proliferate and cars become more autonomous.
Reacting to this danger, Michigan lawmakers initially introduced legislation to make car hacking punishable by up to life in prison. But cybersecurity researchers argued that hacking for testing purposes can be a good thing because it reveals vulnerabilities—as it did for Chrysler—that can then be corrected by manufacturers. Therefore, placing a blanket restriction on car hacking could interfere with keeping the public safe.
It’s only through dialogue between industry and government that such thorny policy problems can be effectively resolved. Doing so is vital to the national interest as well as to individual companies, and boards of directors can play an important role in reviewing the work being done by executives and legal counsel to connect the company to the right partners in government.
Combating Cyber Threats Together
The ever-expanding complexity of cybersecurity drives a need for those with deep expertise to engage policymakers in informed discussion. Given that the increasing adoption of connected technologies makes cybersecurity vital to everything from manufacturing to healthcare, this discussion needs to take place across industries. That’s why lawmakers and regulators rely upon experts with specific industry expertise for input, factoring this advice into their final decisions.
This presents companies across a range of industries an opportunity to engage in meaningful conversations about the threats they are seeing. The board can play a role in encouraging that dialogue by asking its executives how they are engaging with government officials on information sharing, for instance.
Industry leaders can often spot areas for improvement in proposed regulations that others may miss due to a lack of expertise. For example, in 2013, officials aiming to stop the distribution of hacking technologies to oppressive regimes proposed broad new restrictions on cybersecurity-related software as part of the Wassenaar Arrangement, an international export control agreement.
At Rapid7, we foresaw that the new controls could actually compromise global security by blocking access by legitimate international organizations to the tools they needed to stay secure. So we joined with other cybersecurity firms and experts to publicly comment on the proposed controls. After lengthy discussion, education, and effort—so often a prerequisite for complex issues—the export controls were recently modified to create new protections and exceptions for legitimate cybersecurity activity.
Being a part of the conversation helps avoid policies that are poorly executed or one-sided. And since good policies and a strong industry are in the best interests of each country, lawmakers around the globe often welcome that dialogue.
But what’s the best way for companies to engage? And how should directors oversee work done by their companies to actively work with national and international agencies on cyber issues?
Different Levels of Engagement
Corporate boards can play an important role by ensuring that engagement is incorporated into the company’s broader risk management strategy. Companies can opt into different levels of engagement for policy advocacy, much of it at negligible cost. And while official public-private partnerships generally require more significant resources, less formal opportunities for collaboration are in no short supply.
For example, many industries, such as healthcare, transportation, and the financial sector, have established information sharing and analysis centers (ISACs), providing resources for gathering information on cyber threats, coordinating with government agencies, and disseminating critical advisories.
Another example: Before government bodies issue a policy, report, or guidance, they often solicit public input and feedback. In fact, they’re often required to consider those comments in decision making. At Rapid7, we write letters and comment on policy drafts on topics that we feel are important to the business community at large. To engage on the low end of the bandwidth scale, however, companies can also simply sign on to letters or comments that others have opened to group signatures. Directors should consider asking what the company’s plans are for engaging in such action.
The board can also push the management team to make use of available educational opportunities such as workshops. One we recently attended centered on botnets and other automated attacks. The US Department of Commerce solicited public written comments and held a workshop where the public was encouraged to lend their opinions and expertise. This and other feedback will help shape the final report and subsequent action to tackle the problem.
Engagement for the Greater Good
Cybersecurity is critically important to every major industry. Policymakers want to hear from these industries about the issues they face, and how they overcome them. This provides an opportunity for businesses, experts, and consumers to positively influence policy for the greater good. Conversely, poorly implemented policies can be ineffective, inefficient, and even harmful.
In the case of the Michigan car hacking bill, nearly two dozen cybersecurity researchers, academics, and companies wrote a letter to Michigan legislators detailing concerns about the effect of the proposed law on cybersecurity. Ultimately, the lawmakers created new protections for security research carried out in safe conditions. Without sustained engagement between the business community and policymakers, the result would have been much different.
It may require some effort and even some expenditure of resources, but it is essential that experts at companies work to assist officials with crafting well-informed and effective policies.
Corey E. Thomas is CEO of Rapid7. Read more of his insights here.
There is a buzz in the air about renovating corporate culture in the name of innovation. Directors hear the changing desires of their stakeholders, and are developing a greater understanding of their business’s role for society at large. That buzz guided a recent roundtable discussion in Miami at NACD’s Leading Minds of Governance event.
A panel of governance experts and directors discussed recent trends in corporate governance with a full room of directors (fuller remarks from the panel will follow in the March/April 2018 issue of NACD Directorship magazine). Panelists included:
John Borneman, managing director, Semler Brossy Consulting Group LLC
Stuart R. Levine, nominating and governance committee chair and audit committee member, Broadridge Financial Solutions
Kathleen Misunas, director, Boingo Wireless and Tech Data Corp.; principal, Essential Ideas
Michael Stevenson, partner, BDO USA LLP
Peter P. Tomczak, partner, Baker McKenzie LLP
Highlights from their answers to select questions from directors in the audience follow. Comments have been edited for length.
To Build an Innovative Culture, Start with Hiring
I work in a heavily regulated industry. We’re in a very steady environment, but our industry is changing rapidly in all directions. Helping shift that culture is essential, so I’d love to hear your differing perspectives.
Misunas: I think it starts with the people you hire—and you need the buy-in from your senior staff. The people that are hired help you move in the right direction.
Levine: One of the criteria for hiring should be intellectual curiosity. If you’re hiring people at any level, including on the board, if those people do not express intellectual curiosity, I think you’ve got a problem on your hands. In the boardroom, consider sharing content that stimulates discussions around technology or governance trends. By discussing strategic material, it encourages excellent outcomes.
Misunas: Right. This absolutely should cascade down through the organization. The C-suite alone shouldn’t be concerned with curiosity. The next level should be doing the same thing with their staff, and so on.
Tomczak: When you consider innovation strategy, what does innovation mean to your board? Do you mean bringing in new ideas from outside your industry? If you’re hiring the same 20-year industry veterans, you’re probably going to get the same 20-year-old strategy. I’ve also found that tying individual economic incentives to strategy outcomes is useful, and it’s hard. There’s no right answer to the compensation question and innovation.
Borneman: I’ll add that innovation should be on the CEO’s scorecard. Is it one of the top priorities that you want to hold her accountable to for the organization? You can say it’s important, but if it’s not on the scorecard, you’re merely talking about innovation. There’s no accountability. It doesn’t have to be tied to compensation—to put dollars on it gets tough. But we can find innovation measures in some kind of meaningful, quantifiable way.
Stevenson: I think that when some boards assess themselves, when they probe their expertise, they find that because of the complexity of transactions (for example, in financial instruments and other changes associated with this current business environment), audit committees are finding themselves ill-equipped to handle changes happening in their organizations. As you take a fresh look at your board, understand that the other situations that they have been involved with will arm them for change. That’s a critical point to know about members of this committee. Boards that are refreshing [their composition] with this understanding are also the easiest to work with from an audit perspective.
Don’t Miss the ESG Bus
How do we translate ESG into something with real business meaning that management can be held accountable for to deliver results?
Levine: Approaching the governance standpoint, regardless of the business you’re in, we’re all trying to anticipate client and customer needs. If you don’t have people of diverse backgrounds on your board, you risk not understanding the people who are buying your products and services. If you’re looking to deploy capital, and you look around and don’t have representatives on your board of the populations you’re serving, I don’t know how you develop the right strategy.
Misunas: I don’t walk into a business anymore where this is not a topic of conversation. Boards and executives are peeling back the onion to see where their companies stand, and where they should be, on environmental issues. ESG is top of mind for millennials. They speak up about real environmental issues. As a result, companies can look at their distribution lines, for instance. What are our transportation means? What are those contracted companies doing to protect the environment? Could we switch out business partners for a company that is more responsive to these issues?
If there’s no penalty for not doing anything, you’re omitting ESG from culture. I’m not saying you should give an extra reward for doing something, but should there not be some penalty other than getting left off the bus?
Borneman: The penalty is the impact on your business, your employee population, and getting kicked off the bus. It’s not about your bonus. It’s not about compensation. It’s about a longer perspective on business.