Cindy Fornelli, executive director of the Center for Audit Quality, often compares a corporate board’s audit committee to the kitchen drawer: It’s where everything important goes when you have no other obvious spot to put it. Only instead of keys and a wallet and a pocket knife, the audit committee agenda is full of internal controls, the external audit, internal audit, special investigations, related-party transactions, risk oversight and, of course, the core responsibility of making sure the financials are correct.
That makes for a drawer full of sharp-edged responsibilities.
Fortunately, two developments are pending that might help you organize it. But, much like those drawer organizers that can either put everything in its proper place or just add to the clutter, it will be up to audit committee members and corporate finance staffs to use those developments well. That’s an approach we advise, since some inquisitive houseguests–namely the Securities and Exchange Commission and institutional investors–are prone to opening that drawer and rummaging around. After all, you can find all sorts of interesting things in the kitchen drawer if you look. It’s a tempting target.
First up is the 2013 COSO internal control framework. The old framework was officially superseded in December 2014, and many companies have adopted the new one. But some haven’t. While no hard and fast ruling requires public companies to use the new COSO guidelines, the SEC does require 10-K risk disclosures to be made according to a disclosed framework, and COSO has become the standard.
It is noteworthy that James Schnurr, the SEC’s chief accountant, referred to the updated COSO framework twice in a recent speech, including a direct link to internal control over financial reporting. The scuttlebutt in Washington is that starting in 2016, any public company disclosure that has not updated and continues to use the previous 1992-era COSO guidelines will have a higher chance of drawing scrutiny, and possibly some questions, from the SEC Division of Corporate Finance.
So there’s the first organizing principle: Do the work to embed risk and ICFR disclosure in the COSO 2013 guideline framework, or prepare for questions about why you haven’t.
The second development is the Public Company Accounting Oversight Board’s audit quality indicator (AQI) initiative. Never heard of it? There is a reason: It’s in early stages, and the PCAOB has only issued a concept release. You are under no obligation to use audit quality indicators in managing your outside auditor. But you might want to consider it.
At a recent PCAOB Standing Advisory Group meeting, there were strong opinions on all sides on the question of whether use of AQIs should be mandated. But agreement was almost unanimous that the indicators, mandated or not, are a useful way to plan a quality audit and to help select an audit firm or engagement team.
That makes sense: many of the indicators are intuitive, measuring such things as the auditor’s availability, competence, and audit focus. While the context in which AQIs are used is important, If you don’t want to read through the full concept release—which includes 28 AQIs, about half of which apply to a firm-level audit, and the rest focus on indicators across an auditing company or across the audit industry—download the Center for Audit Quality’s paper on its approach to AQIs. The CAQ focuses on reinforcing “the importance of (and enhances the dialogue around) the auditor’s communications with audit committees, by providing additional relevant information about the auditor and the audit.”
In addition to helping you and your audit committee manage the audit process, using AQIs will also help your committee explain how it fulfills its obligations.
Why is that important? First, while the timing and specifics of what will result from the SEC’s audit committee disclosure project are uncertain, the likelihood is that more fulsome disclosure will be required. Explicitly asking the outside audit firm about AQIs would provide a partial answer to some of the most likely disclosure questions: How did the audit committee select the auditor? How did it oversee the audit?
Second, regardless of what happens with the AQI project, institutional investors are increasing their focus on audit committees. In some ways, that’s déjà vu; audit committees were the focus following the Enron and WorldCom scandals and the Sarbanes-Oxley legislation. The institutional investor spotlight, however, shifted to the compensation committee following the widespread adoption of say-on-pay voting, and more recently to the nominating and governance committee as the issues of board diversity and board refreshment rose to prominence.
But the audit committee never really left the stage—and, given that drawer full of responsibilities, it was just a matter of time before the action moved back.
Consider, for example, that at that same PCAOB Standing Advisory Group meeting, Zach Oleksiuk, BlackRock’s head of corporate governance for the Americas, noted that he thought audit committees would be garnering increased attention from the institutional investor community in the 2016 proxy season. Given that BlackRock is the largest investor in the world, we regard that as both a prediction and a promise.
Indeed, that focus has already begun. In a comment letter regarding the SEC’s audit committee disclosure initiative, the California State Teachers’ Retirement System revealed that it has contacted a number of companies in its portfolio that have used the same audit firm for more than 100 years and asked for an explanation.
One catalyst for such rising investor attention to audit relationships is the advent of enhanced reporting practices in the United Kingdom. Insightful audit letters in annual reports at Vodafone and Rolls Royce have demonstrated to global investors what additional value an auditor can provide. Moreover, audit firms themselves have spotted the trend and are taking steps to strengthen two-way communication with big investors.
With cyber-security and other emerging issues added to many audit committees’ already-long list of responsibilities, the kitchen drawer is getting pretty crowded. We forecast that scrutiny is about to increase. Intelligently using the COSO framework and audit quality indicators won’t reduce the burdens on audit committee members, but it might help manage them.