Welcome back! Before everyone returns to the raw thrill of audit committee meetings, internal control testing, e-discovery requests, and vendor proposals for GRC software upgrades, let’s take a moment to contemplate what lies ahead for compliance, risk, and audit executives in 2015.
In no particular order, here are my picks for big issues to watch in the coming year. I narrowed the list to six, although it is by no means exhaustive.
The rise of geopolitical risk. Traditionally, geopolitical risks—climate change, political turmoil, global recession, outbreak of disease, war—have been the domain of those Big Picture People who work at consulting firms or think tanks and lecture your board from time to time.
No longer. Today, we see geopolitical risks translating into business risks that compliance and audit executives need to address much more quickly. Want examples? Ask anyone in the oil & gas business how they’re digesting new sanctions against Russia for its aggression in the Ukraine. Ask your corporate secretary down the hall, who’s trying to disclose climate change risks in the annual report. Ask yourself, since you’re sweating IT security controls now that the North Korea attack against Sony has scared Corporate America to the core.
In 2015 we’re likely to see recession in every market except the United States, crashing oil prices, terrorism across the Middle East, and continued anarchy online. All of those risks will keep you awake at night much more quickly than anyone would have dreamed 30 years ago.
The new COSO framework for ERM. Sometime in coming months COSO is supposed to propose an update to its framework for enterprise risk management. The question to ask: Why? What’s the ultimate goal here?
COSO’s 2013 update to its framework for internal controls already gave companies a big shove away from rote internal controls testing toward a more ERM-oriented philosophy. Updating the ERM framework is likely to take a year or more, but I suspect that by 2020 we’ll scrap the internal controls framework entirely as regulators and audit firms push companies to embrace ERM. This is how it could start.
The Walmart settlement. Confession: I expected Walmart to settle its Foreign Corrupt Practices Act investigation in 2014; I presumed that was why chief compliance officer Jay Jorgensen went on his charm offensive last year, speaking at every compliance conference he could find. I was wrong.
I still believe the rumors that any settlement Walmart reaches with regulators will set a new record for FCPA penalties. That bar was raised substantially in December with the Alstom settlement of $772 million, but Walmart is so huge that even a $1 billion fine will be a speed bump. The interesting question is what type of compliance monitor Walmart might get, if any. Jorgensen has done admirable work reforming Walmart’s compliance operations; if that leads to a self-monitoring agreement, we should all take note.
The rise of Republicans. Yes, Republicans in Congress will try to reform the Dodd-Frank Act, the Consumer Financial Protection Bureau, and lord knows what else. Still, I have faith in Congress’s inability to accomplish much no matter what party runs it.
Instead, I will be watching Michael Piwowar and Dan Gallagher, the Republican appointees to the Securities and Exchange Commission. Piwowar was previously an economist on the Senate Banking Committee, and his old boss Sen. Richard Shelby is expected to chair that committee. Piwowar could emerge as a conduit between Republicans and SEC Chair Mary Jo White, as she accommodates whatever reforms Capitol Hill does enact. Gallagher, meanwhile, just co-authored a paper attacking a corporate governance center at Harvard University—something sitting SEC commissioners typically don’t do in the polite world of securities research and regulation.
Will either of them be able to derail White’s 2015 agenda for SEC rulemaking? No. But lawmakers could, so Piwowar’s and Gallagher’s pronouncements could offer useful clues about fights to come.
Bewilderment at the new revenue recognition rule. The new global accounting standard for revenue recognition will be one of the most profound financial reporting changes we experience this decade. Simply understanding its concepts is a daunting task for corporate accounting departments. Re-engineering your business processes to accommodate the rule—well, that undertaking will be enormous.
The Financial Accounting Standards Board might delay the 2017 implementation date for the rule, either with or without pressure from Congress. Regardless, expect to hear a rising din in 2015 of warnings and guidance about how to live with the new rule, and expect that din to become a clamor in 2016.
Audits under the COSO 2013 framework. Roughly 80 percent of Corporate America was supposed to implement the COSO 2013 framework by December 2014, anticipating more rigorous audits of internal control over financial reporting under that new framework this spring. An unknown but significant number of you didn’t do that. The question is how your external audit firms will view that, ahem, deliberate pace of implementation.
The SEC has already said it will not question companies’ use of the old framework in 2015, although that forbearance will not last forever. The audit firms seem to be walking a tightrope: not insisting too much on use of the 2013 framework for fear of annoying regulators, yet still searching somehow for more rigorous audits to stay in the good graces of audit regulators and, of course, to reap higher fees.
Those are a few of my predictions for 2015. We would love to hear yours as well; you can post your thoughts on the Compliance Week Facebook page and our LinkedIn group, or email them straight to me at firstname.lastname@example.org.