Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
Three firms have published guidance for audit committees: KPMG, Deloitte, and Protiviti. As far as I can tell, Ernst & Young and PwC have not published anything yet.
Here are their suggestions, with my comments. KPMG's list comes first:
- Stay focused on job #1: Financial accounting & reporting and internal controls.
  - A ho-hum reiteration of traditional financial reporting issues.
- Reinforce audit quality and set clear expectations for the external auditor.
  - Good advice, not only to set expectations but to monitor audit team quality.
- Monitor the impact of the business and regulatory environment on the company’s compliance programs.
  - While it remains important to address regulatory compliance and fraud risk, as KPMG say, audit committee members need to broaden their view to include risks to the reputation of the organization should it fail to meet societal/community expectations. The audit committee should consider the organization’s social responsibility stance and actions.
- Understand the company’s significant tax risks and how they are being managed.
- Make sure internal audit is properly focused and fully utilized.
  - This is an excellent and concise discussion of the need for the audit committee to ensure internal audit focuses on the risks that matter to the business, is properly resourced, and is able to act as a valued advisor to the committee.
KPMG wisely added these “Broader Governance Matters” to the agenda:
- Consider whether the board has the right composition and committee structure to provide effective risk oversight.
  - This is an important topic and KPMG asks some fine questions to get the discussion going.
- Understand how digitization and social media are transforming the business landscape — and impacting the company and board oversight.
  - In my opinion, we are seeing a leap change in the use of and reliance on technology to run, manage, and direct the organization. I think this issue should top the agenda, as the greatest risk to the organization may be failing to deploy disruptive technology fast enough and broadly enough — and organizations should be prepared to take more risk to move with alacrity into big data-driven analytics, mobile applications, social, and more.
- Set the tone and closely monitor leadership’s commitment to that tone, as well as the culture throughout the organization globally.
Deloitte’s guidance (PDF) has a different set of priorities:
- Finance talent assessment.
  - While a valuable exercise, why limit it to Finance?
  - The questions included in the sidebar are a good foundation for a discussion.
- Managing through uncertainty.
  - The best way to describe Deloitte’s coverage of this high priority is “skimpy”. It’s a shame, as they have previously provided excellent guidance in their Risk Intelligence White Paper series.
- Ebb and flow of technical accounting activity.
  - Traditional guidance with reference to the planned update of the COSO Internal Control–Integrated Framework.
- Tax landscape uncertainty.
  - The guidance in this area, including the questions in the sidebar, is solid.
- Interaction with the external auditor.
  - Deloitte’s advice is weaker than that from KPMG.
- SEC regulatory activity.
- Oversight of management.
  - This section has a focus on fraud and is thin on content.
- Interaction with internal audit.
  - Again, Deloitte’s content is poor compared to that from KPMG.
- Information technology risk.
  - Thin guidance for a critical area.
Protiviti’s report is based on a survey of “corporate leaders” and starts with a review of the top ten major challenges that are expected to face organizations in 2013. This post is about the top priorities that should be on the audit committee agenda, so I will not review them here. But I do recommend you review and consider them.
1. Update the company’s risk profile to reflect changing conditions.
   - This is so obvious I am surprised to see it. In fact, the risk profile should be updated continuously, and the audit committee should be more concerned with ensuring the company and its management understand its risk profile at all times.
2. Oversee the capabilities of the finance organization and internal audit.
   - I think this discussion is somewhat thin for both areas. I am surprised not to see a focus on moving internal audit to focus on the risks that matter to the business.
3. Continue to provide oversight for significant changes in the control environment.
   - Words, but no content worth mentioning.
4. Understand how new technological developments are impacting the company.
   - Protiviti mention social, cloud, and mobile, but omit both big data analytics and what Gartner calls the Nexus: the use of all of the above in a connected fashion to deliver functionality — in other words, applications that use a combination of cloud, social, big data, mobile, and in-memory technologies.
5. Take a fresh look at the compliance infrastructure.
   - The guidance includes useful links to FCPA and U.K. Bribery Act guidance.
6. Assess audit committee effectiveness.
   - I would say "thin," but "skimpy" works too.
7. Work with the external auditor to upgrade the communications process.
   - Protiviti would have been better advised to comment on external auditor effectiveness rather than communications.
8. Be aware that the auditor’s report may expand in the near future.
   - No action is needed by audit committees as (a) this is still under discussion, and (b) when and if a change is made the audit committee will be briefed by the external auditor.
9. Inquire whether PCAOB inspections impact the audit approach.
   - The audit approach should not change. The quality of execution may need to. Please refer to this post for, I suggest, better guidance for audit committees.
10. Keep an eye on developments with respect to mandatory auditor rotation.
   - A continuing debate, with few anticipating change in the U.S. I would not waste precious audit committee time on this topic.
11. Expect action on convergence to IFRS.
   - My advice — worry about it if and when the SEC tells us it is time to worry. There is no indication it will happen in the near future.
12. Consider other issues, namely Conflict Minerals disclosure and an updated version of the COSO Internal Control–Integrated Framework.
I recommend reading this post, which has constructive advice.
So who wins the battle of the firms? KPMG is the easy victor, with Protiviti getting an honorable mention and Deloitte deserving the question: “why did you publish this?”
KPMG gets deeper into each of the issues but does so concisely and, on the whole, with value. I like the Protiviti approach and commend them for the discussion of top business issues. But they in truth have little to say that audit committees haven’t heard before. Deloitte’s content is not worthy of this fine firm.
I welcome your opinions:
- Do you disagree with my ranking of the three firms?
- What should the top priorities be?