What are audit committee members’ greatest concerns? Audit committee members participating in KPMG’s 2017 Global Audit Committee Pulse Survey identified risk management as the biggest challenge for audit committees in 2017, with 42% of those surveyed characterizing their existing risk management programs as requiring “substantial work,” and a “similar percentage” indicating that it is “increasingly difficult to oversee those major risks.” However, only 51% indicated that they have the time to oversee major risks effectively and only 46% say they have the expertise. Moreover, 39 % say it is increasingly difficult to find the necessary time and 43% say the same with regard to the necessary expertise. Also high on the list of challenges were legal/regulatory compliance, cybersecurity risk, the control environment in the extended organization and tone at the top.

One in four survey participants viewed tone at the top as a major challenge, while one in five considered short-termism (short-term pressures and aligning long- and short-term priorities) as a major challenge. With regard to audit committee attention to any of the issues identified as major challenges, the most common response was that committee members were “somewhat satisfied” that the committee’s agenda was properly focused on those issues; members were mostly “satisfied” only with regard to legal and regulatory compliance (54%). In fact, 22% indicated that they were “not satisfied” with respect to the committee’s attention to tone at the top/corporate culture, and 23% were “not satisfied” that there was adequate time on the committee’s agenda for examining short-termism. Indicators that KPMG identified as early warning signs of short-termism included board presentations that emphasized historical issues or topics with a short-term focus, infrequent forward-looking discussions about risk and opportunity, incentive compensation “strongly tied” to short-term goals with few long-term goals, and little weight being assigned to non-financial performance measures that contribute to long-term performance.

SideBar: As noted in a post from The Harvard Law School Forum on Corporate Governance and Financial Regulation, a recent academic study revealed that “three quarters of senior American corporate officials would not make an investment that would benefit a company over the long run if it would derail even one quarterly earnings report.” (See this PubCo post.) Data compiled by S&P and Bloomberg showed that companies in the S&P 500 spent 95% of their earnings on repurchases and dividends in 2014, including spending $553 billion on stock buybacks (which can drive increases in EPS), leaving little for alternative uses of capital, such as long-term strategic investment in productive assets, including investment in R&D. (See this PubCo post, this PubCo post and this PubCo post.)

Appropriate focus on CFO succession planning (44%) and finance department “bench strength” (26%) were other areas where survey participants were “not satisfied.” In addition, 24% were “not satisfied” with the level of the committee’s focus on the company’s readiness for the OECD country-by-country tax reporting. Only 13% of participants indicated that their companies had clear implementation plans for the new revenue recognition standard, while 24% were still assessing the effects and had not developed an implementation plan; 16% of participants were not even familiar with the new standard.

With regard to cybersecurity management, survey participants identified “organizational awareness” and “keeping technology systems up to date” as the two biggest “gaps.” KPMG indicated that there is a shift in focus in cybersecurity from prevention to detection and containment, with increasing concern about “adjacencies” that can allow hackers to enter the system. In addition, KPMG advised, this risk should be viewed as an enterprise risk, not simply an IT risk.

With regard to internal audit, survey participants indicated that, beyond financial reporting and compliance risks, internal auditors should maximize their value by focusing on key risk areas (including operational risks) and related controls.

KPMG recommended that committee members engage in dialogue with management about non-GAAP financial measures and related controls. The survey showed that 31% of the survey participants were on audit committees that discussed with management the process used to develop non-GAAP financial measures, and 27% discussed the adequacy of controls and processes related to development of these measures. But, significantly, only 24% discussed the correlation of the measure with the actual business and 24% had only limited input on the issue altogether. Among the questions that KPMG suggests: what is the process by which the company selects the measures to present? What are the roles of the “disclosure committee” and the audit committee? Is the audit committee satisfied that the measures are being used to promote transparency rather than obfuscation or distortion?

SideBar: The SEC has recently put the spotlight on abuses of non-GAAP financial measures. Corp Fin has issued guidance in the form of new CDIs (see this PubCo post). In addition, the head of the SEC’s Financial Reporting and Audit Task Force has previously indicated that the SEC was looking at the use of non-GAAP measures “with an eye toward possible enforcement cases.” (See this PubCo post.) In fact, as noted in thecorporatecounsel.net blog, some companies have recently been contacted by Enforcement concerning their non-GAAP disclosure practices in earnings releases, primarily focused on the requirement in Reg S-K Item 10(e) to disclose the most directly comparable GAAP measure with equal or greater prominence relative to the non-GAAP measure. (See this PubCo post and this PubCo post.) For a discussion of establishment of controls related to non-GAAP measures, see this PubCo post, and see this PubCo post for discussion of a tool develop by the Center for Audit Quality for audit committee members to use to assess non-GAAP financial measures.

When asked what would most improve the committee’s performance, the survey participants cited better understanding of the business and its risks (39%), additional expertise in technology or cybersecurity (31%) and, interestingly, greater willingness and ability to challenge management (27%).

The survey was conducted by KPMG from August to October 2016, and included over 800 audit committee members (55% of whom were audit committee chairs).