quarterly 22 - kpmg · 2020-06-06 · technologies, mobile, social media, data analytics, cloud...

Quarterly 22

Audit Committee Institute, sponsored by KPMG

2014 Global Audit Committee Survey results

Is the audit committee’s workload reaching a tipping point?

EU Audit reform imminent

Global Boardroom Insights: Audit quality

An introduction to cyber security for audit committees

A private company focus on governance

Resources


For more information on the work of the ACI, please visit our website: www.audit-committee-institute.be

Contact us:

Wim Vandecruys Audit Committee Institute

Bourgetlaan - Avenue du Bourget 40, B-1130 Brussel - Bruxelles

Tel.: +32 3 821 18 06 E-mail: [email protected]

About the Audit Committee Institute

The Audit Committee Institute (ACI) was created to assist audit committee members in adapting to their evolving roles. Sponsored by KPMG, the ACI is a shared-knowledge and informational resource recognizing the audit committee’s pertinence and importance to organizations.

Contents

2014 Global Audit Committee Survey results 6

Is the audit committee’s workload reaching a tipping point? 16

EU Audit reform imminent 18

Global Boardroom Insights: Audit quality 20

An introduction to cyber security for audit committees 23

A private company focus on governance 28

Resources 30

Audit Committee Institute in Belgium

@ACI_BE


Welcome

Welcome to the latest edition of Audit Committee Quarterly, the publication designed to help keep audit committee members and directors abreast of regulatory matters, company law, issues in accounting and audit and changes in the corporate governance arena.

We start by looking into the results and findings of our 2014 Global Audit Committee Survey. We then zoom in on the main finding of our survey related to increasingly heavy audit committee agendas and point to some practical guidelines for boards and audit committees in this respect.

Our next piece provides an overview of the draft package of European audit reform matters including mandatory audit firm rotation and further restrictions on non-audit services provided by auditors.

Further, we touch on audit quality, providing a summary of four interviews of audit committee chairs around the world from the second edition of ACI’s Global Boardroom Insights.

With cyber security in the headlines on a daily basis, we feature an introduction to the topic of cyber security specifically designed for audit committee members and directors.

Looking beyond listed and public interest entities, this issue of the Audit Committee Institute Quarterly sheds some light on private companies and their specific focus on governance.

We finish this edition with our Resources series with news, analysis, and insights from around the globe.

We hope this publication serves its intended purpose of briefing you on the important developments affecting your role as an audit committee member or director.

If you require further information, please contact us at [email protected] with any comments or suggestions of topics you would like to see receive attention.

Our ACI website (www.audit-committee-institute.be) also provides additional information, including previous editions of the Audit Committee Institute Quarterly, the ACI Audit Committee Toolkit and various other ACI publications.

We trust you are continuing to enjoy the benefits of ACI membership.

Sophie Brabants, Chairwoman ACI Belgium, Certified Auditor

Wim Vandecruys, Director ACI Belgium


2014 Global Audit Committee Survey results

Regulation, uncertainty and volatility, and operational risk are top challenges today.

Perhaps not surprisingly, most audit committees around the world point to regulation and the impact of public policy initiatives, economic and political uncertainty, and operational risk and controls as the risks posing the greatest challenges for their companies. Also, nearly half of audit committee members indicate that it is “increasingly difficult” to oversee all major risks because of heavy agendas.

Key Findings

The quality of information about cyber risk, technology and innovation, and global systemic risk is falling short.

While audit committees rate much of the information they receive about key risks facing the company—legal/regulatory compliance, operational risk, public policy developments—as “good” or “generally good,” many say information about cyber security, emerging technologies, and the company’s growth and innovation plans needs improvement. Audit committees also want to better understand the company’s global systemic risks and supply chain dependencies.

The audit committee’s job continues to grow more difficult.

Nearly half of audit committee members indicate that, given the audit committee’s expertise and heavy agenda, it is “increasingly difficult” to oversee major risks—e.g., cyber risk and IT, the risk management processes, and global compliance—in addition to the committee’s core responsibilities. A significant number of others said their board has recently reallocated or rebalanced risk responsibilities or created a new committee to address specific risks (or may consider doing so in the near future).

Most companies don’t have a CFO succession plan in place.

Only about 40 percent of survey respondents said their company has a formal succession plan in place for the CFO—and clear performance objectives to evaluate the CFO’s performance. Audit committees would like to see the CFO contributing more to the company’s strategy and risk management efforts, as well as “developing talent and bench strength.”

Q1 - From your perspective as an audit committee member, which of the following risks (aside from financial reporting risk) pose the greatest challenges for your company? (select three)

Government regulation/impact of public policy initiatives: 48%
Uncertainty and volatility (economic, political/social instability): 47%
Operational risk/control environment: 39%
Legal/regulatory compliance: 33%
Talent management and development: 26%
Growth and innovation (or lack of innovation): 24%
Pace of technology change (e.g., emerging technologies, mobile, social media, data analytics, cloud computing): 22%
Possible disruption to the business model: 20%
Cyber security – including data privacy and protection of intellectual property: 18%
Global systemic risk (pandemic, social unrest, political instability): 9%
Supply chain risk: 6%
Tax risk: 5%
Other: 3%

Q2 - For the three risks you selected in the previous question, are you satisfied that the audit committee and/or board devotes sufficient agenda time? (Chart: yes/no split for each of the risks listed above; the yes/no percentages are not legible in this transcript.)

Q4. Who has primary responsibility for each of the following categories of risk? (Chart: share of respondents naming the full board, the audit committee or another committee for each of the following: strategic risks; business model disruption; innovation; operational/supply chain risks (globally); risk management process; legal/regulatory compliance; anti-bribery and corruption; financial risks (cash flow, access to capital, compliance with debt covenants, etc.); IT risk/cyber security; talent. The percentage bars cannot be reliably matched to their categories in this transcript.)


Audit committees around the world say it is becoming increasingly difficult, given the committee’s workload and expertise, to oversee major risks in addition to financial reporting, according to ACI’s 2014 Global Audit Committee Survey of 1,500 audit committee members in 34 countries, including Belgium.



Q5. In addition to “financial expertise,” what other in-depth experience or expertise currently resides on your audit committee? (Select all that apply) (Chart: risk/risk management; technology; legal/regulatory compliance; industry; M&A; international; tax; other; no additional expertise on the audit committee. The percentages cannot be reliably matched to their categories in this transcript.)

Q6. What changes, if any, has your board/board committees implemented recently in light of increased complexity in the business, risk, and regulatory environment? (Select all that apply) (Chart: reallocated/rebalanced risk oversight responsibilities among full board and board committees; created new committee(s) to focus on a specific category of issues/risks, namely a risk committee, compliance/ethics committee, technology committee, strategic planning committee or other; reduced the audit committee’s risk oversight responsibilities; no major changes made but may consider changes in the near future; no major changes made and unlikely to consider changes in the near future. The percentages cannot be reliably matched to their categories in this transcript; the figures quoted in the accompanying text are the ones to rely on.)

Q7. In what areas would you favor additional reporting/communication from the audit committee to investors – whether posted on the company’s website, included in the proxy, or communicated via other channels – to provide more insight into the work of the audit committee? (Select all that apply) (Chart: audit committee’s role in risk governance; significant financial statement/audit issues and how they were addressed; oversight of the CFO/finance team; oversight/evaluation of internal auditor; oversight/evaluation of external auditor (including independence and objectivity, non-audit services, rationale for reappointment, etc.); effectiveness of audit process; audit committee’s effectiveness (qualification of members, performance evaluation, etc.); audit committee meetings (number, attendees, etc.); other; none of the above. The percentages cannot be reliably matched to their categories in this transcript.)


Q3. Are you satisfied that your audit committee has the time and expertise to oversee the major risks on its agenda in addition to carrying out its core oversight responsibilities?

YES: 50%
YES, but increasingly difficult: 43%
NO: 7%


Audit Committee’s Workload and Agenda

Many audit committees today report that they have primary responsibility for a host of major business risks in addition to financial reporting and internal controls—from legal/regulatory compliance and financial risk, to IT risk, cyber security, and the risk management processes. Globally, one in four say they have recently reallocated/rebalanced risk oversight responsibilities in light of the changing business and risk environment, and nearly as many have created a new committee to focus on risk (12 percent), or a specific category of risk—such as compliance (5 percent) or technology (4 percent).

While there is some support for providing investors and others with more insight into how the audit committee carries out its responsibilities—particularly its oversight of the audit and its role in risk governance—many audit committees do not favor providing additional information.


Nearly half of audit committee members indicate that, given the audit committee’s expertise and heavy agenda, it is “increasingly difficult” to oversee major risks—e.g., cyber risk and IT, the risk management processes, global compliance, and financial risks—in addition to the committee’s core responsibilities. A significant number said their board has recently reallocated or rebalanced risk responsibilities or created a new committee to address specific risks—or may consider doing so in the near future.


Considerations Going Forward

• Given the substantial time commitment required by the audit committee’s core oversight responsibilities, does the committee have the time and expertise to be responsible for major categories of risk “beyond the core”?

• In light of the increased complexity of the business and risk environment, consider whether risk oversight responsibilities need to be rebalanced.

• Is the audit committee’s agenda prioritized to focus on the most important oversight issues and critical challenges facing the company? Consider whether sufficient meeting time is devoted to substantive discussion of priority issues (versus listening to presentations).

• As needed, leverage additional resources, expertise, and perspectives—particularly in the areas of risk and emerging technology—including from internal and external auditors, and third-party experts.

• Take a hard look at the audit committee’s effectiveness: Is the committee’s self-assessment process meaningful and does it lead to improvements? Consider the committee’s composition, independence, and leadership: Is there a need for a “fresh set of eyes,” or a greater diversity of views?

[Chart: Q5. In addition to “financial expertise,” what other in-depth experience or expertise currently resides on your audit committee? (Select all that apply) Response options: Industry; Risk/risk management; Legal/regulatory compliance; International; Tax; M&A; Technology; Other; No additional expertise on the audit committee.]


[Chart: Q8. Please rate the quality of the information you receive about the following risks and their potential impact on the company. Rating scale: Good; Generally good – but issues arise periodically; Needs improvement. Risks rated: Legal/regulatory compliance; Government regulation/impact of public policy initiatives; Uncertainty and volatility (economic, political/social instability); Possible disruption to the business model; Operational risk/control environment; Tax risk; Supply chain risk; Growth and innovation (or lack of innovation); Global systemic risk (pandemic, social unrest, political instability); Pace of technology change (e.g., emerging technologies, mobile, social media); Cyber security – including data privacy and protection of intellectual property.]

[Chart: Q9. How concerned are you that your audit committee’s/board’s ability to provide effective oversight is hampered by the clarity, timeliness, credibility, or volume of the information it receives? Four panels: Timeliness; Credibility; Clarity; Volume. Scale: Very Concerned; Somewhat Concerned; Not Concerned.]


[Chart: Q10. Regarding which of the following issues does your board or audit committee, as a matter of routine, obtain information and perspectives from independent sources – and from whom? (Select all that apply) Sources: Analysts; Auditors; Industry Experts/Consultants; Other. Issues: Shareholder expectations; Competition; Industry dynamics; Key assumptions underlying the company’s strategy; Critical risks facing the company; Technology developments; Compliance.]


[Chart: Q11. Over the past several years, for which of the following could your company and board have been better prepared to respond to/address? (Select all that apply) Response options: Significant regulatory/public policy change; Ethics/compliance/internal control issues; New competition/business model disruption; Major technology development; M&A transaction (proposed or actual); C-level departure without proper succession plan in place; Tax issues; Product quality/safety issues; Supplier issues or supply chain disruption; Political/social unrest or disruption; Other; None of the above.]

Risk and Information Quality

Only 25 percent said the information they receive about cyber security and the impact of emerging technologies is consistently good; and approximately half of respondents expressed at least some concern about the timeliness, credibility, clarity, and volume of information they receive about key risks facing the company.

Rating their knowledge of various aspects of the business, audit committee members are least comfortable in their understanding of current and emerging technology issues, and of operations/supply chain dependencies. Nearly 90 percent said their understanding of the company’s risk management process is “good” (54 percent) or “excellent” (34 percent). And while more than half said their audit committee has an “excellent” understanding of the company’s critical accounting judgments and estimates, the balance of respondents said their understanding was “good” (42 percent) or “limited” (5 percent).

Most audit committees, as a matter of routine, obtain information and perspectives from independent sources—frequently from industry experts or external auditors—about industry dynamics, technology developments, critical risks facing the company, and other issues.

Risks and developments that many audit committees say they “could have been better prepared to respond to” over the past year: significant regulatory or public policy changes, ethics/compliance and internal control issues, new competition or business model disruption, technology developments, and M&A activity.

Considerations Going Forward

• Work with management to define or refine the audit committee’s (and board’s) information needs.

• Recognize when asymmetric risk—the over-reliance on senior management’s information and perspective—is too high, and seek out independent sources of information and perspective.

• Is the audit committee (and board) hearing views from those below and beyond senior management —e.g., from middle management and business unit leaders, sell-side analysts and critics, and other third parties—about the risks and challenges facing the company? Are there dissenting views?

• Make time to visit company facilities and attend employee functions. Does the audit committee have a good sense of the culture in the company’s global operations—far away from headquarters?

• Does the board have insight and foresight about the impact of new technologies on the business, the industry, and the competitive environment? Are discussions within the traditional boardroom structure sufficient? Do the board’s oversight processes need to change to enable directors to think differently, provide insight, and help guide the company forward?

• Is management actively “listening to the conversation” on social media to better understand the risks, opportunities, and changing attitudes and perceptions about the company?


CFO and Finance Organization

Only about 40 percent of survey respondents said their company has a formal succession plan in place for the CFO—and clear performance objectives to evaluate the CFO’s performance. Audit committees would like to see the CFO contributing more to the company’s strategy and risk management efforts, as well as “developing talent and bench strength.”

Most audit committees give high ratings to the transparency—i.e., communications and information flow—between the audit committee and the CFO, though many said they would like to hear about financial risk, treasury, and tax issues in more depth.

The top three factors that “most detract from the effectiveness of the CFO and finance organization”: budget/resources, skills, and pressures to meet budget targets or analyst estimates.

[Chart: Q15. Does your company have a formal succession plan for the CFO? Yes: 38%; No: 62%.]

[Chart: Q16. How does your audit committee gain visibility into the “next level” of management within the finance organization, below the CFO? (Select all that apply) Response options: Key members of finance team periodically present to the audit committee; Feedback from external auditor; Informal interaction with the financial management team; Periodic discussions with the CFO about bench strength/talent pipeline; Feedback from internal auditor; Other.]

[Chart: Q18. Does the evaluation process for the CFO include clear performance objectives against which the CFO’s performance is rigorously evaluated? Yes: 59%; No: 12%; No formal evaluation process: 29%.]


[Chart: Q21. Which of the following detract from the effectiveness of your CFO/finance organization, and potentially pose a risk to the quality and integrity of the company’s financial reporting? (Select all that apply) Response options: Budget/resources; Skills; Pressure to meet budget targets or analyst estimates; Morale; Other; None of the above.]

Considerations Going Forward

• Recognizing that financial reporting quality starts with the CFO and finance organization, maintain a sharp focus on leadership and talent and make sure they have the resources to succeed.

• Make sure there’s a formal CFO succession plan in place; and establish clear performance objectives against which the CFO’s performance can be rigorously assessed and continually improved.

• Gain visibility into the level below the CFO—through both formal and informal interaction—to understand and groom the finance organization’s bench strength.

• Encourage the CFO/finance organization to maintain their focus on the company’s long-term performance. What are the “leading indicators” that show whether the company’s strategy is on track?


Corporate Performance

Most survey respondents express confidence in their company’s monitoring of the two important non-financial drivers of long-term performance—“customer satisfaction” and “operational efficiency.” However, there is markedly less confidence in how companies are measuring and monitoring other key non-financial performance indicators, particularly talent management, brand reputation, innovation, and employee commitment.

Nearly 40 percent of survey respondents said they are not satisfied that the company has identified appropriate “leading indicators” (versus lagging indicators of financial performance and operational efficiency) that show whether the strategy is being implemented as planned.

While more than half said they believe the company’s approach to executive compensation “clearly supports a focus on long-term performance,” nearly a quarter are “not sure.” Most audit committees have at least some involvement overseeing the company’s compensation plans, although more than 20 percent said the audit committee is not involved in overseeing compensation-related risk.

[Chart: Q22. What nonfinancial drivers of long-term value are most important to the successful execution of your company’s strategy? (Select three) Response options: Customer focus/satisfaction; Operational efficiency; Talent management; Brand and reputation; Culture and employee commitment; Innovation (R&D); Reliable, durable supply chain; Other.]


[Chart: Q23. Are you satisfied that your company has identified appropriate “leading indicators” (as opposed to “lagging indicators” measuring financial and operational performance) to show whether the strategy is being implemented as planned? Yes: 62%; No: 38%.]


Considerations Going Forward

• What are the company’s most important performance metrics? What are the key non-financial drivers of long-term value for the enterprise?

• What are the important leading indicators—to tell us whether the company’s strategy is being implemented as planned?

• Is the company too focused on lagging indicators—e.g., “rear view mirror” indicators measuring financial and operational performance? What is the right balance between leading and lagging indicators?

• Do the company’s culture and compensation incentives drive a long-term focus?

• Can disclosures be improved to tell the company’s story—perhaps going beyond what’s required to provide a clear picture not only of the company’s recent performance, but where it’s headed and the key risks it faces?

[Chart: Q25. Does the company’s current approach to executive compensation/incentives clearly support a focus on the company’s long-term performance? Yes: 62%; No: 14%; Not sure: 23%.]


Measuring and monitoring drivers of long-term corporate performance—particularly key non-financial drivers such as talent, innovation, and brand reputation—continues to pose challenges for many companies, as does identifying “leading indicators” that show where the company is headed and whether its strategy is on track.

Internal Audit’s Role

More than 80 percent of survey respondents said internal audit’s role should extend beyond the adequacy of financial reporting and controls, to include other key risks facing the business; however, only 50 percent said internal audit currently has the skills and resources to be effective in the role they envision.

Those who do support an expanded role for internal audit said that in the year ahead they would like the internal audit function to devote more time to risk management processes, IT risk and data management, and operational risks.

Nearly 20 percent said internal audit’s responsibilities should not extend beyond financial reporting and controls.

[Chart: Q26. Should internal audit’s role/responsibilities extend beyond the adequacy of financial reporting and controls, to include other major risks and challenges facing the company? Yes: 82%; No: 18%.]

[Chart: Q26b. In the year ahead, in which of the following areas would you like your internal audit function to devote more of its time and/or sharpen its focus? (Select all that apply) Response options: Risk management processes; Information technology and data management; Operational risks; Compliance and regulation; Corruption/fraud; Ethics and culture; Corporate governance; Cost reduction/containment; Change management; Crisis management; Tax compliance; Other; Company does not have an internal audit function.]


Considerations Going Forward

• Leverage internal audit as a barometer of the company’s financial health—helping the audit committee understand the quality of financial controls, processes, and people.

• Consider the need to refine internal audit’s role, potentially sharpening internal audit’s focus on key areas of risk and the adequacy of the company’s risk management processes generally.

• Recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risks and related controls—not just compliance and financial reporting risks. What’s changed in the operating environment? What are the risks posed by the extended (global) organization—sourcing, outsourcing, sales and distribution channels?

• Set clear expectations and assess whether internal audit has the resources, skills, and expertise to succeed in the role that management and the board envision for internal audit.

The full text of ACI’s 2014 Global Audit Committee Survey is available at the corresponding section of our ACI Website at www.auditcommitteeinstitute.be.


Is the audit committee’s workload reaching a tipping point?

Does the audit committee have the time and expertise to oversee the major risks on its agenda in addition to carrying out its core oversight responsibilities? The results of the ACI 2014 Global Audit Committee Survey (see page 8) reveal that nearly half of audit committee members indicate that, given the audit committee’s expertise and heavy agenda, it is “increasingly difficult” to oversee major risks in addition to the committee’s core responsibilities. A significant number of others said their board has recently reallocated or rebalanced risk responsibilities or created a new committee to address specific risks (or may consider doing so in the near future).

Key Audit Committee Questions

• Is the audit committee’s portfolio of risk oversight responsibilities appropriate and realistic – particularly given the time required for the audit committee to oversee financial reporting risk and internal and external audit?

• Does the audit committee have the necessary expertise and skill sets to oversee the risks on its plate?

• How does the board allocate among its committees the responsibility for oversight of the major substantive areas of risk—as well as the company’s risk management processes?

• How rigorous is the allocation (or reallocation) process – and who is involved? What factors are considered? What is the logic behind the allocation?

• Has the board solicited feedback on the effectiveness of the risk-allocation process as part of its annual self-evaluation? Are the roles of the board, audit committee, and other committees clear?

• Do directors have a shared view as to the three, four, or five most significant risks facing the company? Are we allocating adequate board and committee time to these risks?

• Do we have the right people—who understand the business and are willing and able to ask the right questions?

• How effective are our board and committees in coordinating and communicating their risk oversight activities with each other, and with management?

• How have board governance and oversight processes changed—and advanced—as the business and risk environment has become more complex?

• Is there a need for an additional committee—such as a risk committee, a technology committee, a compliance committee, or a finance committee?

considered? What is the logic behind the allocation? How frequently is the process revisited? Has the board solicited feedback on the effectiveness of the process as part of its annual self-evaluation?

Assessing board governance processes. How have board governance and oversight processes changed—and advanced—as the business and risk environment has become more complex? Are the roles of the board, audit committee, and other committees clear? Have we made changes to our committee structure or the allocation of risk oversight responsibilities? Do directors have a shared view as to the three, four, or five most significant risks facing the company? Are we allocating adequate board and committee time to these risks? Do we have the right people—who understand the business and are willing and able to ask the right questions? How effective are our board and committees in coordinating and communicating their risk oversight activities?

What makes most sense for the audit committee? Given the time required to carry out its core responsibilities—oversight of financial reporting and controls and oversight of external and internal auditors—

what risk oversight responsibilities are appropriate for the audit committee? How much time can or should the audit committee devote to these risk oversight responsibilities? Does the committee have the necessary expertise and skill sets in these areas? Is there a need for an additional committee—such as a risk committee, a technology committee, a compliance committee, or a finance committee?

Whether the audit committee has the room on its plate and the expertise to oversee a range of complex and critical risks, e.g., globalization, emerging technologies, cybersecurity, social media, compliance, and financial risks—as well as the company’s risk management processes—will likely depend on the size and complexity of the company, including the scope of its international operations. Indeed, some audit committee chairs tell us they are comfortable overseeing a broad range of risks. Clearly, maintaining the requisite focus on the audit committee’s core oversight responsibilities—a significant undertaking in itself—is job number one, and all audit committees and boards should take time to consider whether the audit committee’s workload is reaching a tipping point. Q22

While survey after survey suggests that primary responsibility for “risk oversight” often resides with the full board, many audit committees continue to report that they have primary responsibility for a host of risks beyond financial reporting—such as operational, supply chain, IT, cybersecurity (including data privacy and protection of IP), and compliance—as well as the company’s overall risk management processes.

All of this points to the importance of having a robust boardroom discussion about what does and does not belong on the audit committee’s plate, and what’s realistic—particularly as the risk environment becomes more complex and faster-paced.

The expanding risk agendaThe audit committee’s “core” duties – overseeing financial reporting and controls, as well as external and internal auditors—are a substantial undertaking and time commitment. Yet, many audit committees have oversight responsibilities for a range of other risks that have become increasingly complex and challenging in the new

business environment—from operational and compliance risks posed by globalization and the extended organization (partners, suppliers, vendors, etc.), to the risks posed by emerging technologies, social media, and an increasingly digitized world, to compliance risks posed by increased government regulation and stepped-up enforcement efforts globally. The audit committee also also have responsibility for a fourth category: “financial risks,” such as cash flow, access to capital, debt covenants, etc.

A key question for every board and audit committee is whether the audit committee’s portfolio of risk oversight responsibilities is appropriate and realistic—for today and tomorrow. As directors consider this question, we recommend three areas of focus:

Allocation of risk oversight responsibilities. How does the board allocate among its committees the responsibility for oversight of the major substantive areas of risk—as well as responsibility for oversight of the company’s risk management processes? How rigorous is the allocation process? Who is involved? What factors are


EU Audit reform imminent

The European Parliament has now voted to approve a Regulation and a Directive intended to reform the audit market in the EU. It now remains for the Council of Ministers to ratify the measures, thereby paving the way for the legislation to enter into force in the EU in the second half of 2014. There is a two-year transition period, which means that the legislation will become applicable in the 28 Member States of the EU in 2016.

The key requirements of the new legislation are summarised below.

Scope

The regulation will impact EU entities that fall within the definition of a public interest entity (PIE). The PIE definition captures all EU entities, irrespective of size, that (i) have securities listed on a regulated market, (ii) are credit institutions or (iii) are insurance undertakings. Member States may also expand the PIE definition to include other entities.

The reforms will impact thousands of entities throughout Europe and have an extraterritorial dimension for groups. Subsidiaries that meet the definition of a PIE would be affected by the regulation irrespective of whether they have an EU or non-EU parent.

Auditor rotation and appointment

All PIEs would be required to change their auditor after a maximum term of 10 years. Member States may allow shorter rotation periods, or may allow the maximum auditor tenure to be extended by a further 10 years where a public tender has taken place, or by a further 14 years in the case of a joint audit (i.e. to a maximum of 20 or 24 years respectively).

Multinational groups with PIE subsidiaries will be faced with the choice of either applying the shortest rotation period to the entire group or having to appoint different audit firms in different countries, with the difficulties that this can imply for group audits.

Audit committees will be responsible for submitting a recommendation to the administrative or supervisory body of the audited entity for the appointment of the auditor or audit firms. The recommendation of the audit committee should include at least two possible choices for the audit engagement and a duly justified preference for one of them, so that a real choice can be made. In order to provide a fair and proper justification in its recommendation, the audit committee should use the results of a mandatory selection procedure organised by the audited entity, under the responsibility of the audit committee.

In such selection procedure, the audited entity should not restrict statutory auditors or audit firms with a low market share from presenting proposals for the audit engagement. Tender documents should contain transparent and non-discriminatory selection criteria to be used for the evaluation of proposals.

The audited entity shall prepare a report on the conclusions of the selection procedure, which shall be validated by the audit committee, and shall be able to demonstrate, upon request, to the competent authorities that the selection procedure was conducted in a fair manner.

Non-Audit Services (NASs)

The Regulation contains a list of services which the statutory auditor of a PIE and all members of the statutory auditor’s network are prohibited from providing to the PIE itself or to that PIE’s EU controlled undertakings or its EU parent undertaking.

The NAS prohibitions are extensive and many advisory and tax services would not be allowed. The prohibited list includes tax compliance, tax advice, services that ‘involve playing any part in the management or decision making of the audited entity’, and ‘services linked to the financing, capital structure and allocation, and investment strategy of the audit client, except providing assurance services in relation to the financial statements, such as the issuing of comfort letters in connection with prospectuses issued by the audited entity’.

These rules effectively prohibit many non-audit services that are permitted under other internationally recognised frameworks such as the IESBA Code of Ethics or the SEC’s independence rules in the US. This inconsistency with rules outside of the EU will again increase the cost and complexity of doing business in Europe.

The statutory auditor is prohibited from providing NASs not only up to the date of the issuing of the audit report but, also, services in relation to ‘designing and implementing internal control or risk management procedures related to the preparation and/or control of financial information technology systems’ in the financial year immediately preceding the period subject to audit. This will affect entities in the 12 months prior to the appointment of a new auditor (eliminating the incumbent and the nominee as possible service providers).

Fees for permissible NASs provided to the group must not exceed 70% of the average of the last three years’ group audit fees.

Member States may add to the list of prohibited NASs, establish stricter rules under which permissible NASs may be provided, or apply a stricter NAS fee cap. They may also allow the provision of certain tax and valuation services in limited circumstances. This will lead to a patchwork of independence rules throughout Europe.

For services other than those on the prohibited list, audit committee approval is required after having assessed the threats to independence and the safeguards applied. The audit committee may also issue guidelines in relation to the tax and valuation services which member states may opt to permit.

Reporting to the audit committee

The proposed reforms require that the auditor must explain the results of the statutory audit in an additional report to the audit committee.

Whilst many of the requirements do not constitute a significant departure from current practice, there are some new requirements, more specificity and some points that require further clarification, for example:

• a description of the nature, frequency and extent of communication with the audit committee including the dates of the meetings with those bodies;

• a description of which balance sheet categories have been directly verified and which have been based on system and compliance testing;

• a report and assessment of the valuation methods applied to the various items in the financial statements including the impact of any changes in such methods;

• any significant deficiencies in the entity’s or, in case of consolidated financial statements, the parent undertaking’s internal financial control system and/or in the accounting system. For each such significant deficiency, the additional report must state whether or not the deficiency in question has been resolved by the management; and

• the significant difficulties, if any, encountered during the audit.

The regulation also allows Member States to set additional requirements in relation to the content of the additional report to the audit committee.

Furthermore, upon request the statutory auditor(s) or the audit firm(s) is (are) required to make available without delay the additional report to the competent authorities.

Effective date and transition arrangements

The regulation comes into effect (“the date of entry into force”) 20 days after publication in the Official Journal (expected sometime between July and October 2014). EU Member States are required to apply the legislation no later than two years thereafter – i.e. 2016.

Transitional rules

Transitional rules stagger the introduction of MFR (mandatory firm rotation) and depend on the length of auditor tenure at the date the legislation is finalised (‘Entry into Force’ or EIF, which is currently expected sometime between July and October 2014). Where the auditor tenure at the date of EIF has been:

• 20 years or longer – an audit engagement cannot be entered into or renewed any later than 6 years after the date of EIF.

• 11 to 20 years - an audit engagement cannot be entered into or renewed any later than 9 years after the date of EIF.

• 11 years or less – the company has at least 12 years before it must rotate its auditor. In this case, if a Member State has opted to permit a further extension of 10 years (as is likely in the UK), then the company would need to conduct a public tender by July 2026, and may then extend its audit relationship until 2036 (or 2040 if there is a joint audit).


Global Boardroom Insights: Audit Quality

Audit quality is a major component of audit effectiveness, but measuring audit quality is difficult. This is particularly true if one differentiates between ‘audit service’ (such as a no-surprises environment, good communications and the chemistry between the audit committee and the audit partner) and the quality of the audit itself. In the second edition of ACI’s Global Boardroom Insights, we bring together the views of audit committee chairs from significant global organisations to explore the topic of audit quality. Concerns around audit quality can differ widely by country, but the insights we’ve collected from seasoned audit committee chairs throughout the world should be of interest in all regions.

Nancy Hopkins – Cameco Corporation

Nancy Hopkins, Q.C., is a partner with the law firm McDougall Gauley LLP, and is on the board of Cameco Corporation where she chairs the nominating, governance & risk committee and is a member of the audit committee; the board of Growthworks Canadian Fund Inc. and Growthworks Opportunity Fund Inc., where she chairs the audit committee; and the board of the Canada Pension Plan Investment Board where she chairs the governance committee.

Nancy has also been involved for many years with the chartered accounting profession, most recently serving as a director of the Canadian Institute of Chartered Accountants (CICA). During that time she served on the Public Interest and Integrity Committee of the CICA for the development of the new Independence Rules for the chartered accounting profession.

Nancy Hopkins: “If one is looking at the audit process overall then of course one of the main things for the audit committee is to make sure that the auditors are in fact bringing scepticism to the table – that is that they are not necessarily agreeing with everything that management has to say; that they are looking at things independently and that they actually have the capacity to do that; that they do it in a timely way, and that to the extent that the issues need to get raised to a higher level within the organisation they are raised to that higher level.

To my mind, audit quality reviews are not discrete periodic events, but something that audit committee members should be assessing on an ongoing basis. Good audit committees do this and you see it, from time to time, when the audit committee says we are not really satisfied with the answer we got from that individual from the auditors, we want to hear more, we want to probe deeper on this. So, I do believe it is an ongoing assessment and best made when issues are in front of a person, in front of a committee. If you don’t do it on a regular basis then issues that might have come up tend to get lost and you assess audit quality only when something occurs that causes you to realise that this isn’t ‘business as usual’.

Of course, issues don’t come up at every meeting – but whenever something does come up that is out of the ordinary, auditors have an opportunity to demonstrate that they have assessed the facts, challenged management’s assumptions and ensured they concur with management’s accounting analysis. They have a chance to demonstrate to the audit committee that they truly are independent, that they are objective and that they are bringing the required expertise.

Management has a different opportunity to assess quality but from an audit committee perspective I think you have to do it on an ongoing basis as the issues arrive.

This can tend towards subjective assessments but I believe you can be objective about the process. It’s not an impression that the audit committee think the auditors are good – it is based on the auditor’s response to a particular set of facts and circumstances as opposed to “did I like those guys over the past five years” when you are thinking about putting the auditor out to tender.

On the difference between audit quality and audit service: there is some overlap but I do believe that they are different issues. You can have people who are absolutely responsive and who come back to you with an answer promptly and work late into the night to get your issues looked at but if they don’t do that with people who understand the issues and who have the background, knowledge and experience necessary to address them properly you may have great kindliness of service but you don’t have the quality in the resulting audit that the audit committee and the shareholders want.”

Ann Godbehere – Rio Tinto Plc

Ann Godbehere is a Canadian and British citizen with more than 25 years’ experience in the financial services industry. She spent ten years at Swiss Re, a global reinsurer, latterly as chief financial officer from 2003 until 2007 and was interim chief financial officer and executive director of Northern Rock bank after its nationalisation. Ann is now a non-executive director and chairman of the audit committees at Rio Tinto Plc, Prudential Plc and Atrium Underwriting Group Limited; a non-executive director and member of the audit committees at British American Tobacco Plc and UBS AG; and a non-executive director at Arden Holdings Limited.

Ann Godbehere: “I believe audit committees must consider audit quality. Without considering the effectiveness of the audit I don’t know on what basis an audit committee can make its recommendation to the board with regards to reappointment of the auditor or tendering of the audit.

To ensure the audit continues to deliver value for money and to help absorb part of the annual expense inflation in fees the auditors need to deliver efficiency and effectiveness improvements. They can’t do this without feedback from both management and the audit committee.

An audit is about much more than just timeliness and quality of communication. It is about understanding the business and the commercial pressures of that business, the culture of the firm and how its people are responding to delivering on targets. All of this helps the auditors to determine the risks in the business and define their risk map for the business which won’t necessarily match the risk map that management define for the business although the two should not be a million miles apart. Assuming the auditors are conducting a risk-based audit, their risk map will help inform both them and the audit committee regarding the scope of the audit.

When evaluating audit quality many companies conduct an annual review of their auditors. This typically is conducted internally and may be led by internal audit, the company secretariat or finance. The review might encompass the views of the audit committee, executive committee members and the finance team. The areas covered might include the quality of the audit team, the audit process and communication.

Under ‘audit team’ you might consider areas such as the quality of lead partner, transition planning for senior members of the team including the lead partner rotation, continuity of the team, sector knowledge and any specialist knowledge within the team.

‘Quality of process’ typically includes planning, working with internal audit and being in a position to place reliance on the work of internal audit, management of the audit especially internal escalation processes for large global audits, issues resolution including timeliness of resolution and coordination during the audit across auditor disciplines.

‘Communication’ includes clarity of written and verbal communication with the audit committee, communication with the committee chair between formal meetings and transparency in dealing with material areas of debate on accounting judgements.

In addition to this formal process the audit chair is generally in a good position to judge audit quality. Often audit chairs are chairs or members of audit committees for more than one company and therefore can benchmark auditor performance from a variety of interactions. Audit chairs also typically have greater interaction with the auditors with regular discussions and meetings in addition to the formal audit committee meetings.”

Aloysius Tse – China Telecom Corporation Limited

Aloysius Tse is an Independent Non-Executive Director of China Telecom Corporation Limited (secondary listing on NYSE), Wing Hang Bank Limited, CNOOC Limited (secondary listing on NYSE), Linmark Group Limited, SJM Holdings Limited, Sinofert Holdings Limited, and from 2004 to 2010, - all companies listed on the Hong Kong Stock Exchange. He is also an Independent Non-Executive Director of CCB International (Holdings) Limited and a member of the International Advisory Council of the People’s Municipal Government of Wuhan.

Aloysius Tse: “In my opinion, an audit committee should constantly be assessing audit quality. Generally, when I assess audit quality, I start by considering the adequacy of the audit plan including the experience of the engagement team, followed by the quality of the audit findings and service deliverables.

I believe that in reviewing audit quality, it is important to consider how well the auditor understands the business, and the depth of insight that they can offer. Familiarity with accounting and reporting standards is a must, but what is important is the auditor’s ability to consider the quality of accounting treatment and the various options available to the business. From a service point of view, I can assure you that audit committees appreciate auditors who are forward looking and can provide guidance on what’s coming around the corner.

We ask management their opinion about the auditors. We ask if they have any problems or concerns regarding the auditors. We also ask about how proactive the auditors are.

External Audit has evolved from an annual and half-yearly certification activity to becoming a year-round process. This is where audit service comes in. It is expected that auditors have proactive relationships with the audit committee and management, and that they come equipped with business solutions.

When considering audit service, I consider the overall delivery, taking into consideration how well the auditor identifies and approaches issues, whether they have brought sufficient challenge and whether private meetings with auditors are useful.”

John Harrison – Hong Kong Exchanges and Clearing Limited

John Harrison is an Independent Non-Executive Director of Hong Kong Exchanges and Clearing Limited, The London Metals Exchange Limited, BW Group Limited and AIA Group Limited. He is also a member of the Asian Advisory Committee of AustralianSuper Pty Ltd and a council member, standing committee member and honorary treasurer of The Hong Kong University of Science and Technology.

John Harrison: “Audit quality assessment is a key role of the audit committee. The audit committee must assess the quality of the audit firm’s people, their knowledge of the business and the environment in which business is conducted, communications, interaction and processes, not just at head office, but at all material locations. It is also important to take management’s views into account, as they interact with the auditors on a day to day basis. Whilst there is usually an annual formal assessment, this is an ongoing process and responsibility.

Audit service is linked to audit quality. Factors that contribute to audit service include the timeliness and quality of communications, whether the auditor provides input when requested, ensuring consistency of the team, that there is a proper process in place for audit partner rotation, and whether the auditor is prepared to spend time and effort with the business.

An audit partner can provide comfort to the audit committee by communicating proactively before the audit committee meeting and in doing so, raise issues and share knowledge and points of view. I was recently invited to spend a day with an audit team in my role as audit committee chairman. I attended an audit planning workshop where I was introduced to key members of the audit team, subject matter specialists and discussed the strategic planning of the audit in detail. This kind of activity reinforces my impression of both audit quality and audit service.

Conversely, an audit committee becomes concerned when communication is poor, the auditor’s understanding of the business is lacking, and there is insufficient engagement, poor interaction and poor relationships.”

The full texts of these and other ACI Global Boardroom Insights publications are available in the corresponding section of our ACI Website at www.auditcommitteeinstitute.be.

An introduction to cyber security for audit committees

Audit committees have a critical role to play in ensuring that their organisations have robust cyber security defences – not in understanding the minutiae of the technology involved, but in leading governance and policy. UK Government Communications Headquarters director Sir Iain Lobban has been quoted1 as saying that business secrets are being stolen on an ‘industrial scale’ with 70 sophisticated cyber espionage operations a month against government and industry networks. Clearly, this is not an issue where a ‘wait-and-see’ approach is viable.

This means being able to answer questions such as:

What are the key assets requiring protection?

How are they being protected?

Who is responsible for protecting them?

What level of cyber security risk is considered acceptable?

How would the organisation respond to a major cyber security incident?

If the answers to these questions are not at your fingertips, you are not alone. However, the expectations of audit committees in terms of cyber security are growing.

1 BBC interview July 2013 on cyber attacks at UK firms

Page 13: Quarterly 22 - KPMG · 2020-06-06 · technologies, mobile, social media, data analytics, cloud computing) Possible disruption to the business model Cyber security – including data

Audit Committee Institute Sponsored by KPMG

25Audit Committee Institute Sponsored by KPMG

24

1 For more information, see the press release and executive summary at www.coso.org.

Cyber security and the increasing focus on audit committees

Governments around the world are aware of the growing importance of cyber security, not only to public sector institutions, the military and organisations which are part of the critical national infrastructure, but also to private sector businesses.

A risk to somebody else

The risk remains that organisations consider themselves a low-value target for cyber criminals and under-invest in protective measures as a result. The reality is that all companies are an attractive proposition for cyber criminals with a wide range of motivations.

Personal data breaches have become commonplace. Recently, a firm announced that personal data of millions of customers had been stolen by hackers – an example of a high profile incident with significant financial and reputational consequences.

Espionage has traditionally been seen as the stuff of James Bond films, but it is now a fact of life for many firms, whether the source of the threat is competitors or state sponsored. Intellectual property is being systematically targeted and stolen through cyber attacks, and not just in the aerospace and defence sector. In February this year, a cyber security firm (Mandiant) published a detailed exposé of a seven-year campaign of cyber espionage targeting over 150 firms worldwide. This is one of many cyber espionage campaigns exposed by the security community over the last two to three years.

There have also been instances of data being stolen on such a scale, and IT infrastructure being damaged to such an extent, that businesses have been close to being shut down. A single destructive attack in August 2012 disrupted over 30,000 desktop computers at a Middle Eastern oil company.

Companies which are part of the critical national infrastructure are potential targets for hostile nations or terrorists. Cyber attacks are becoming commonplace during periods of international tension, with examples of politically motivated attacks against the US, Israel, Pakistan, India and South Korea over the last two years.

‘Hacktivists’, those using hacking for politically or socially motivated purposes, also target businesses, although their aim is typically to cause reputational damage and promote a change in corporate strategy rather than to access financially valuable data or disrupt production.

Organised crime syndicates can also use cyber attacks as a means to hold organisations to ransom. The likes of stock exchanges, betting exchanges, and online trading platforms – and anything else which lives or dies by being available online to customers – are all vulnerable to attack.

Cyber attacks can be mounted against any part of the organisation’s business; not just its core operations, but also supporting functions, such as human resources, finance and business development. High levels of automation now mean that computers not only provide our office information technology, but also have an unseen role controlling industrial processes, buildings and infrastructure.

An attacker may also gain access to an organisation’s systems through the IT infrastructure of a customer or supplier, or through the home computer or mobile phone of an employee. Organisations going through a phase of restructuring (such as acquisition or merger) may be at particular risk due to market sensitivity, staff morale issues, network reconfigurations and the engagement of external advisers.

It’s not just banks which are targeted by hackers.

“Cyber security is not just a technical issue; it is an integrated approach to preparing, protecting, detecting and responding to cyber incidents.”

What is the threat?

Organised crime has found cyberspace to be a lucrative opportunity. Exploiting vulnerabilities in computer systems allows criminals to compromise and remotely control computers; recording key strokes, monitoring screen displays and manipulating the computer user into divulging sensitive data. Cyberspace allows the attacker to be anywhere in the world, routing their attacks through multiple countries and jurisdictions, complicating investigation and law enforcement.

Malicious employees can also collect large amounts of sensitive company information and remove it easily from company premises; they can also introduce malicious software which can corrupt company databases or sabotage network operations.

Corporate espionage by firms is commonplace in cyberspace. Attacks often target sensitive intellectual property, and there have been instances of major firms having been compromised over many months with large amounts of sensitive data being stolen.

Activism is also commonplace in cyberspace. Sabotage and denial of service attacks are becoming increasingly frequent. In the past such attacks would have been attributed to ‘hacktivist’ groups such as Anonymous, but increasingly they appear to be politically motivated.

The potential impact of a cyber security breach

A cyber security breach can impact:

• Financial systems and assets – through fraud, theft and extortion.

• Intellectual property and trade secrets – through espionage.

• Brand and online presence – through public censure, defamation, liability and embarrassment.

• Business continuity – through sabotage or disruption of operations.

The Belgian Corporate Governance Code prescribes that audit committees be responsible for the review of a company’s internal control and risk management systems, unless such issues are expressly addressed by a separate board risk committee or by the board itself.

Findings from KPMG’s 2014 Global Audit Committee Survey suggest that globally only 38 percent of audit committees currently have primary oversight responsibility for cyber security risks, and 45 percent believe the audit committee (or board) doesn’t devote sufficient time to cyber security. When asked to rate the “quality of the information you receive about cyber security,” 25 percent of respondents considered it to be good, 43 percent noted that it was generally good but that issues arose periodically, and 32 percent said it needs improvement – the highest degree of dissatisfaction of any of the 11 risk areas tested in the survey.

What is the role of the audit committee?


Cyber security considerations for audit committees

Cyber threats should be considered as part of the company’s risk management process, and the audit committee should test whether the company has:

• Identified the critical information assets which it wishes to protect against cyber attack – the crown jewels of the firm – whether financial data, operational data, employee data, customer data or intellectual property.

• Intelligence processes in place to understand the threat to the company’s assets, including their overseas operations.

• A way of identifying and agreeing the level of risk of cyber attack that the company is prepared to tolerate for a given information asset.

• Controls in place to prepare, protect, detect and respond to a cyber attack – including the management of the consequences of a cyber security incident.

• A means of monitoring the effectiveness of its cyber security controls, including, where appropriate, independently testing, reviewing and assuring such controls.

• A program of continuous improvement, or where needed, transformation, to match the changing cyber threat – with appropriate performance indicators.

Striking the right balance between security and cost

There is no such thing as absolute security. A well resourced and determined adversary is likely to eventually find a way to defeat even the best security measures, whether the weak point is information security, physical security or people. Each organisation needs to strike a risk balance between defending its key assets against cyber attack and the cost of cyber security measures.

Cyber threats should be considered as part of the organisation’s risk management and governance framework, with risk registers reflecting the potential risk of cyber attacks on key corporate assets or business processes.

Many organisations develop attack scenarios to test the ability of the organisation to handle a cyber attack. Such scenarios include a description of the motives and intent of a potential attacker, the circumstances in which the attack is carried out, and the techniques used by the attacker.

Boards should be encouraged to think broadly about possible scenarios, and be prepared to use multiple scenarios to test different aspects of an organisation’s cyber security.

What does good cyber security look like?

Getting the basics right is important - from technical security measures, such as running antivirus software or setting up firewalls to protect company networks, to the establishment of a cyber incident management policy, and a broad user education and awareness campaign. These steps won’t stop every attack, but could block many.

At the heart of this advice is information risk management – understanding the organisation’s key information assets and managing the risks to those assets – a board level responsibility.

Programs to improve cyber security must take a holistic view of security which includes people, culture, business processes and technical security measures. Cyber security is not just a technical issue; it is an integrated approach to preparing, protecting, detecting and responding to cyber incidents.

Staff can unintentionally represent the greatest source of vulnerability, so education and awareness training is important to reinforce the necessary behaviours. A governance structure to monitor the effectiveness of the cyber security system and an intelligence system tracking cyber threats and helping inform risk decisions are also part of a leading practice approach.

Our insight: today’s outlook – and tomorrow’s

We are seeing a significant growth in the number of sophisticated organised crime syndicates targeting individuals within organisations to gain access to valuable corporate data. Also, ever more ‘Trojan’ websites are being set up and genuine websites compromised. This is done to lure users into inadvertently downloading malicious software, ultimately giving hackers access to corporate networks.

The other big trend is currently state espionage, with long-term intrusions leading to a range of challenges including significant quantities of intellectual property being stolen. The scale of this issue is far larger than many organisations appreciate, due to a combination of a reluctance to directly attribute attacks to nation states and to report security breaches when and if they are identified.

Tomorrow’s big challenge, regardless of any new threats emerging, is protecting the ever-greater range of technology, such as mobile devices. How best to secure cloud computing services is also a concern which is likely to grow. Finally, the increasing militarisation of cyber space is a potential issue, and one which could disrupt, and possibly erode value for, other users such as businesses and their customers.

Protecting value

There are many ways of providing independent assurance of a firm’s cyber security capabilities. A cyber maturity assessment, for example, takes a systematic approach to reviewing a firm’s cyber security, from its technical security measures to the overall information risk management and governance framework within which cyber security sits. Individual security processes and control measures can also be independently assessed, tested and certified. While all of these steps can build confidence in an organisation’s approach to cyber security, it is ultimately for the board to discuss and reach a judgement on the acceptable level of risk to their business.

The fast-changing nature of cyber threats means that businesses need to invest, strategically and financially, in order to stay ahead of the criminals. Achieving better cyber security doesn’t necessarily mean erecting more and more barriers; the focus should be on creating greater agility, providing the capabilities needed to counter threats as they evolve. It is also important to have the ability to notice when defences are breached, so that damage is limited.

Some companies are taking this issue very seriously and are investing in understanding cyber security risks and adopting a pragmatic approach to mitigating them. Others are not, and in doing so are taking a significant risk with the value of their businesses in the widest sense, including the loss of intellectual property to competitors, reputational damage in the eyes of loyal customers and straightforward financial loss.


“The focus should be on creating greater agility.”


A private company focus on governance

As experienced private company directors and executives recognize, good corporate governance is critical to any company’s growth and success -- it adds real value, preparing the company for short-term challenges and long-term opportunities.

A common misconception about corporate governance is that it is only about the board of directors. In practice, however, corporate governance is about the policies, processes, and procedures throughout the organization -- from the board to the employee base -- that guide how the company sets strategy, manages risk, monitors its assets and resources, satisfies its legal and regulatory obligations, and communicates with internal and external stakeholders. Most importantly, corporate governance is about the tone and culture throughout the entire organization.

From the perspective of an entrepreneur or investor seeking to build a successful company, what are the most critical or effective governance practices? How do these practices evolve as a business matures? Given stakeholders’ increasing demand for good corporate governance at all companies, we see lenders, insurers, and venture capital and private equity investors increasingly focusing on the governance practices of private companies -- often stressing many of the corporate governance code recommendations that apply primarily to public companies.

In developing and maintaining an effective governance structure, we recommend that every private company bring the right people and perspectives to the table periodically to assess the governance structure -- and ensure that the present (and future) governance structure meets the expectations of key stakeholders and serves as a foundation to achieve the company’s strategic objectives.

Among the areas of focus, we emphasize three:

Governance structure

First, identify the key elements of the company’s governance structure, which will vary depending on the development stage of the business and its size and complexity (e.g., strategic planning, financial reporting and internal controls over financial reporting, external audit, risk management, ethics and compliance, internal audit, and the overall control environment). For each element, assess the current state and identify the company’s short-term and long-term objectives. Are our governance processes keeping pace with the increasing size and complexity of the business?

Board composition

Second, consider the need for independent directors to serve on the board. For small companies -- where directors, shareholders, and management may be essentially the same -- this may not be an issue. As a business begins to grow and mature, however, independent directors can provide a broader perspective, play an important role in management debate and strategy setting, and support and monitor the CEO. For resource-constrained smaller companies, recruiting outside directors with specialized skills can also fill management gaps in critical areas such as financing, M&A, product expertise, tapping new markets, and financial reporting.

Value-add of an audit committee

Finally, recognize the value-add of an audit committee -- particularly as the company migrates to a more robust financial reporting and control environment. A sophisticated audit committee can play a critical role in assessing and, where appropriate, strengthening the company’s financial reporting processes globally; helping build and oversee an appropriate control environment; and engaging and managing the external auditor relationship.

Given stakeholder demands as well as the complex, volatile business and risk environment today, strong governance practices are key to the success of all companies. As a private company evolves and matures, it is critical that management periodically assesses whether the company’s governance structure and processes are keeping pace with changes in the business -- and importantly, whether the company is making the most of its board as a strategic asset that serves as a foundation to achieve the company’s short-term and long-term objectives.


Resources


Global Profiles of the Fraudster: White-Collar Crime - Present and Future

Global Profiles of the Fraudster is an analysis of the constantly changing nature of fraud and the fraudster.

With the nature of fraud and the fraudster constantly changing, a KPMG paper offers an analysis of 596 fraud cases from 78 countries investigated between 2011 and 2013. The paper provides insights into the relationship between the attributes of fraudsters, their motivations and the environments in which they flourish.

The report illustrates that there is no fixed face of a fraudster and that the three drivers of fraud – motivation, opportunity and rationale – are timelessly relevant.

KPMG gathered data from fraud investigations conducted by KPMG forensic specialists across the globe.

The findings indicate that the typical fraudster is:

• 36 to 45 years of age

• Generally acting against his/her own organization

• Employed in an executive, finance, operations or sales/marketing function

• Holds a senior management position

• Employed in the organization in excess of six years

• Frequently acted in concert with others

The full text of the paper is available for download from the Risk management section of the KPMG Institutes website at www.kpmginstitutes.com.

IAASB Audit Quality Framework contributes to global effort to define and measure audit quality

The International Auditing and Assurance Standards Board (IAASB) released its new publication, A Framework for Audit Quality: Key Elements that Create an Environment for Audit Quality.

The IAASB publication is a new milestone in the IAASB’s project on audit quality and follows a January 2013 consultation. The IAASB Framework aims to contribute to a global effort to identify ways to measure and define audit quality. A number of other organizations and standard-setters are working on their own projects to identify audit quality indicators.

The objectives of the IAASB’s Framework for Audit Quality include:

• Raising awareness of the key elements of audit quality.

• Encouraging key stakeholders to explore ways to improve audit quality.

• Facilitating greater dialogue between key stakeholders on the topic.

The Framework aims to generate discussion, and positive actions to achieve a continuous improvement to audit quality.

The full text of the Framework is available for download from the Publications section of the IAASB website at www.ifac.org/auditing-assurance.

Bridging the GAAP

Investors are demanding more than GAAP is delivering.

GAAP rarely tells the whole story of a company’s performance. To bridge the gap, companies and investors communicate through key performance indicators (KPIs), alongside the GAAP numbers. Some such measures are the subject of agreed, usually sector-specific, definitions; but many are not.

This topic has prompted much debate. When do KPIs enhance GAAP, aiding communication, and when do they present a confusing or overly optimistic picture? Regulators around the world have taken different approaches to non-GAAP information or alternative performance measures (APMs).

The European Securities and Markets Authority (ESMA) has issued a consultation paper on APMs in public, regulatory filings. The proposals, once finalised, would apply to non-GAAP information in the 28 member states of the EU.

The proposals acknowledge the importance of APMs and user demand for them. They do not try to ban APMs or define specific APMs; and they do not limit either the measures that a company presents or where they are disclosed. Instead, the proposals seek to enhance transparency and comparability when APMs are presented.

Read more in the related publication from KPMG’s IFRS Institute in the In-the-headlines section from the KPMG IFRS Institute website at www.kpmg.com/global/en/issuesandinsights/articlespublications/in-the-headlines.

2014 Economic outlook and year-end considerations

Is the economic recovery real? Can emerging companies keep up the pace?

The KPMG/NACD Quarterly Audit Committee Webcast features a dialogue with Leo Abruzzese, director of global forecasting for the Economist Intelligence Unit (EIU), on the outlook for global economies in 2014.

From a deepening, broad-based recovery in the United States, to the effects of stimulus and monetary policy in Europe and Japan, and fresh challenges to emerging markets, particularly surging loan growth in China, Abruzzese looks at the recovering global economy and highlights the risk scenarios and opportunities shaping business decisions in the year ahead.

The webcast can be replayed from the website of the Audit Committee Institute in the U.S. at www.kpmginstitutes.com/aci

Transforming internal audit through critical thinking

In an uncertain and challenging economy, organizations are seeking an approach to internal audit that goes beyond reviewing past activities.

Instead, they want internal audits that are insightful, forward looking and go beyond preserving value to creating value on a departmental, divisional or organization-wide level.

A KPMG paper describes the evolving need for internal audit in a changing environment and how internal audit drives value creation. It also highlights the application of critical thinking to internal audit and the strategy that can be applied to take the audit to the next level.

The full text of the paper is available for download from the Compliance section of the KPMG Institutes website at www.kpmginstitutes.com.

Get your copy of ACI’s Audit Committee Toolkit BELGIUM …

Download your softcopy version of the Audit Committee Toolkit from our website at www.auditcommitteeinstitute.be.

However, we would rather welcome you to one of our future events, where you can receive your personal hardcopy of ACI’s Audit Committee Toolkit free of charge.


About us

Recognising the importance of audit committees, the Audit Committee Institute (ACI) was created to serve audit committee members and help them to adapt to their changing role. ACI provides knowledge to audit committee members and is a resource to which they can turn for information or to share experience.

ACI Professionals

Sophie Brabants, Chairwoman ACI Belgium
KPMG Bedrijfsrevisoren, Partner, Certified Auditor

Wim Vandecruys, Director ACI Belgium
KPMG Bedrijfsrevisoren, Senior Manager

Theo Erauw, Honorary Chairman
Honorary Certified Auditor

Contributing Editors

David A. Brown, Director
KPMG LLP - US Audit Committee Institute

Tim Copnell, Partner
KPMG LLP - UK Audit Committee Institute

Stephen Bonner, Partner
KPMG LLP - Information Protection and Business Resilience team

Contact us

Wim Vandecruys
Audit Committee Institute
Bourgetlaan - Avenue du Bourget 40
B-1130 Brussel - Bruxelles

www.audit-committee-institute.be
E-mail: [email protected]
Tel.: +32 3 821 18 06
Fax: +32 2 708 43 99

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received, or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. While every effort has been taken to verify the accuracy of this information, neither the Audit Committee Institute, its sponsors, professionals nor contributing editors can accept any responsibility or liability for reliance by any person on this quarterly newsletter or any of the information, opinions or conclusions set out in this quarterly newsletter.

© 2014 KPMG Support Services ESV/GIE is a Belgian firm providing services to local member firms of KPMG International, a Swiss cooperative. Responsible editor: Sophie Brabants, Avenue du Bourget - Bourgetlaan 40, B-1130 Brussels. All rights reserved. April ’14. Printed in Belgium.

Audit Committee Institute in Belgium

@ACI_BE
