Many Risk Factors Affect Audit Committee Preparation
Inflation, cybersecurity and SEC proposals are on the audit committee agenda.
According to a recent EY report, there are a number of factors making the jobs of audit committee members more difficult. As detailed in How Audit Committees Can Prepare for 2022 Q2 Reporting, those factors include inflation, rising interest rates, supply chain disruptions and more.
Patrick Niemann, the Los Angeles-based leader of the EY Center for Board Matters Audit Committee Forum, notes that further complicating the work of audit committees are questions around the state of the economy and the uncertainty of geopolitical risk.
“Are we in a recession or are we not? There are different views out there,” says Niemann. “Plus, there’s the war in Ukraine and so many other geopolitical risks. I think that mix of macroeconomic factors is creating some high-priority challenges for audit committees today.”
Current economic challenges will affect the work of audit committees in several ways. Disrupted supply chains, inflationary cost structures and rising interest rates will squeeze profits and impact earnings trends. These, along with continuing tight labor market conditions, will be risks audit committees will want to monitor.
“Audit committees should consider how management at their companies is reevaluating earnings guidance, including non-GAAP financial measures that companies often use.”
Audit Committee Best Practices
To manage macroeconomic risk, Niemann recommends several steps for audit committees. They should be reviewing updates to scenario plans, stress testing and contingency planning. The level of communication with management should be stepped up, with audit committees working to identify criteria to determine when management should notify directors of risk factors and coming to agreement with management on the company’s targeted recovery time following adverse events, such as cybersecurity incidents. The audit committee should also play a major role in determining an organization’s fitness to handle risk situations.
“Audit committees should determine whether the company has access to reliable sources of real-time data, tools and talent to identify risks and relevant issues,” says Niemann.
Audit committee responsibilities in the area of cybersecurity vary from board to board, with many companies having specific committees to handle this emerging risk. However, Niemann believes that all audit committees should be focused on cyber matters, given its potential impact on financial reporting and internal controls. Among the steps audit committees should take are assessing the organization’s cyber hygiene and due diligence; evaluating the company’s plan to monitor and communicate cyberattacks, especially in light of the SEC’s disclosure proposals; and establishing a high-level government contact to assist in the case of a cyber victimization.
“Working with and having an established relationship with the FBI can help companies get through an incident and ensure that they’re not making payments to a sanctioned entity or nation-state, or other actions that could represent significant risk or even illegal activities.”
Monitor the SEC Disclosure Agenda
The SEC’s cyber disclosure agenda should be closely examined by audit committees to assess what aspects of the proposal will impact reporting requirements. Niemann continues to stress communication with management, stating that audit committees should work with their management counterparts to evaluate implications arising from the rulemaking on climate and broader ESG issues and determine whether the company has robust, adequate disclosure controls and procedures to be ready for a final SEC decision.
While the thoughts of the SEC must be kept in mind, Niemann also says that the views of other stakeholders will need to be considered.
“Consider what other stakeholders are looking for. Institutional investors have expectations of companies,” says Niemann. “They care about what companies are doing on the climate front. Companies ought to convey a consistent message that really represents the efforts, priorities and values of companies, and audit committees can and should play a key role in that messaging.”