On the 2022 audit committee agenda On the 2022 audit committee agenda On the 2022 audit committee agenda

Emerging from two years of pandemic-driven crisis and disruption, we continue to see how important trust and transparency are. These two elements are critical to the functioning of the capital markets, customer relationships, brand reputation, as well as the health and wellbeing of employees. From a shareholder’s – and a broader stakeholder’s – perspective, trust and transparency are grounded in the quality of the company’s corporate reporting and disclosures, and the story they tell. The audit committee’s oversight role has never been more important or more challenging.

The crises of 2020-21, largely resulting from the pandemic, have accelerated technology transformations and upended long-standing norms of the workplace, business models and the economy. These disruptions have added significant stress and strain to financial reporting processes and the risk and control environment. That pressure is likely to continue given the following factors impacting the global risk environment:

• The demands for better climate and environmental, social, and governance (ESG) reporting
• Increased cybersecurity risk and ransomware attacks
• A war for talent
• A fast-changing regulatory landscape

Drawing on insight from our conversations with audit committee chairs and business leaders, we’ve highlighted nine topics to keep in mind as audit committees carry out their 2022 agendas:

1. Stay focused on financial reporting and related internal control risks

According to audit committee members, managing major risks on the committee’s agenda beyond their core functions is increasingly difficult. The audit committee’s main responsibilities cover financial reporting, related internal controls and oversight of internal and external auditors. Aside from any additional agenda items (such as climate and ESG risks) audit committees have had other risks on their plates for some time, making their core responsibilities more complex. These risks include cybersecurity, IT risks, regulatory compliance, supply chain and other operational risks. Board members must reassess whether the committee has the time and expertise to oversee these other major risks. Do climate, other ESG issues and cybersecurity risks require more attention at the full-board level–or perhaps the focus of a separate board committee?

The pros and cons of creating an additional committee should be weighed carefully. Considering whether a finance, technology, risk, sustainability or other committee would improve the board’s effectiveness can be a healthy part of the risk oversight discussion. The board may also need to consider if they have the resident skill sets to oversee these issues. As the financial reporting, accounting and disclosure impact of Covid-19 continues to unfold in 2022, the two areas of focus are:

• Forecasting and disclosures

The uncertain trajectory of Covid-19 and the extensive use of forward-looking information in financial statements make Covid-related disclosures a major area of focus. At the same time, the strain on supply chains will make financial forecasting even more difficult. Key areas requiring audit committee attention include:

• Disclosures regarding the current and potential effects of Covid-19 (strategic reporting, risk and uncertainty, liquidity and operating results of operations)
• The preparation of forward-looking cash-flow estimates
• The impairment of non-financial assets, including goodwill and other intangible assets
• Accounting for financial assets (fair value)
• Going concern and longer-term viability
• The use of non-international financial reporting standards metrics

With companies making more tough calls in the current environment, regulators are emphasizing the importance of well-reasoned judgments and transparency. This includes documentation to demonstrate that the company applied a rigorous process. Changes in judgments, estimates and controls may be required more frequently given the fluid nature of the long-term macro-economic environment (inflation, interest rates and supply chains).

• Internal control over financial reporting (ICOFR)

Internal controls will continue to be put to the test in the coming year. When control deficiencies are identified, it is important to probe beyond management’s explanation. It is also helpful to provide a balanced evaluation of the deficiency’s severity and cause. An assessment of whether the weakness indicates poor decision-taking, a need for more extensive monitoring or a reassessment of the effectiveness of management's on-going processes is also important. The audit committee and management should regularly take a fresh look at the company’s control environment. Controls should also keep pace with the company’s operations, business model and changing risk profile including cybersecurity risks.

ICOFR has been a key focus area for regulators in the UAE such as the Abu Dhabi Accountability Authority (ADAA), the Central Bank of UAE and the Securities and Commodities Authority (SCA). Additionally, this focus from the regulators can also be evidenced by the recent ADAA Resolution No. 88 of 2021ⁱ issued on August 31, 2021. The earlier Law No. (19) of 2020ⁱⁱ on the Reorganization of ADAA also shows regulators’ focus on ICOFR. This law increased ADAA’s scope to cover entities with 25% government ownership instead of the initially decreed 50%.

Furthermore, the SCA issued its Circular on the Mechanism for Implementing Requirements of Clause No. (2) of Article No. (71) of Authority’s Decision No. (3/Chairman) of 2020ⁱⁱⁱ. This requires external auditors to issue an official opinion on the effectiveness of administrative and financial systems, as well as on internal control systems of public joint-stock companies (PJSC).

2. Monitor climate and other ESG disclosures and clarify the audit committee’s related oversight responsibilities

Companies are facing increasing demands from investors, research and ratings firms, employees and customers for more transparent and higher quality information about corporate sustainability efforts. They are interested in how the company addresses climate and other ESG risks like diversity, equity and inclusion (DEI) efforts. Employees, suppliers and communities are also monitoring how the company is linking these issues to their purpose while considering the interests of its stakeholders.

We can expect increasing stakeholder demands for more detailed climate/ESG reporting. Audit committees should encourage management to reassess the scope and quality of the company’s sustainability/ESG reports and disclosures, these include:

• Benchmarking against peers
• Considering the methodologies and standards of various ESG raters–particularly those used by the company’s investors
• Understanding the expectations of investors and other stakeholders
• Considering the appropriateness of ESG reporting framework(s) for the company

It is important however to note that the company’s efforts should be about more than just ESG ratings. It is also about how climate and other ESG risks and opportunities are managed and their impact on the creation of long-term value. Investors want to understand which climate and other ESG risks are of strategic significance to the company and pose a threat to the company’s strategy, operations and financial condition.

The company is expected to address climate and ESG as long-term strategic issues and embedding them into the company’s core business activities (risk management, strategy, operations, incentives, and corporate culture). This is relevant to driving long-term performance and value creation. There should also be a clear commitment and strong leadership from the top as well as enterprise-wide buy-in.

As one director commented, “Real transparency is not easy, and it is usually uncomfortable. But to make real progress and be accountable as a company today, you have to show your work, what targets you have set and what you are doing to reach those targets”.

The oversight of a company’s climate, ESG and DEI activities is a formidable undertaking for any board and its committees. Audit committees are responsible for the management of companies’ related disclosures. They typically select disclosure frameworks, consider where the disclosures should be made, handle the management’s disclosure controls and procedures, as well as any third-party assurance. The audit committee can also play an important catalyst role by ensuring that the responsibilities of the board and committee are clear, and that communication and coordination among the board and its committees are effective. It is quickly becoming clear that ESG issues touch multiple board committees and oversight responsibilities should be allocated accordingly.

ESG is increasingly grabbing the attention of different stakeholders. The Chairman of SCA’s Board of Directors Decision No. (3/Chairman) of 2020iii requires all listed PJSCs to issue annual sustainability reports. Other key initiatives the UAE has embarked upon throughout the past few years include:

• The UAE Green Agenda 2015-2030
• The formation of the National Committee on Sustainable Development Goals (SDGs)
• The Abu Dhabi Vision 2030 which aims to build a sustainable and diversified economy
• The Dubai Declaration on Sustainable Finance

This increasing focus on ESG both globally, regionally and locally, increases the pressure on audit committees to include this topic in their agendas for 2022.

3. Help sharpen the company’s focus on ethics and compliance

The reputational costs of an ethics or compliance failure are higher than ever. This is attributed to the increased fraud risk due to employee financial hardship, pressures on management to meet financial targets and the rising vulnerability to cyberattacks. The right culture and tone at the top are fundamental to an effective compliance program, including the organization’s commitment to its stated values, ethics, and legal/regulatory compliance. This is particularly true in a complex business environment. In such conditions, companies move quickly to innovate and capitalize on opportunities in new markets. They also aim to leverage new technologies and data and engage with more vendors and third parties across complex supply chains.

To sharpen the focus on ethics and compliance, the companies should closely monitor their culture and tone at the top, emphasizing on behavior and yellow flags. Senior management should also be sensitive to ongoing pressures on employees, their health, safety, productivity, engagement and morale. Finally, they should normalize work-from-home arrangements.

The events of 2020–2021 have proven that leadership and communication are key, along with transparency and empathy. The company’s culture should also provide a safe environment for employees to do the right thing. It should frequently update the regulatory compliance and monitoring programs, clearly communicate its expectations for high ethical standards and cover all vendors in the global supply chain.

Fraud is a hot topic for audit committees. This will continue as employee financial hardship, the changing work practices and pressures on management to meet financial targets impact the key elements of the fraud triangle, which refers to:

• Incentives to commit fraud
• Opportunity to commit fraud
• Rationalization that allows a person to commit fraud

From a regulatory perspective, the ADAA Resolution No. 88 of 2021 now requires external auditors to review the adequacy of internal controls, policies and procedures that support in combating both administrative and financial fraud. Furthermore, we have noticed a recent focus from federal entities in the UAE on developing comprehensive anti-fraud frameworks. This aligns the frameworks with the requirements included in the Anti-Fraud Manual in the Federal Government, issued in 2018. The manual requires all federal entities to conduct various anti-fraud activities such as fraud risk assessments, conflicts of interest management and having detailed fraud investigation procedures.

Being able to identify and understand your current fraud risk profile is paramount to being able to demonstrate you have actively tried to prevent and detect fraud. It will also provide an opportunity to identify control weaknesses or gaps that require strengthening.

A focus on the effectiveness of the company’s whistleblower reporting channels and investigation processes would allow the audit committee to:

• View all whistle-blower complaints
• Obtain information on how such complaints are resolved
• Receive information that enables the committee to understand trends

The company should determine a process to filter complaints that are ultimately reported to the audit committee. As a result of the radical transparency enabled by social media, the company’s culture and values, commitment to integrity and legal compliance and its brand reputation are on full display.

4. Remain focused on cybersecurity risks and the increased risk of ransomware attacks

The rapid shifts that companies have made during the pandemic to keep their businesses up and running – remote work arrangements, supply-chain adjustments, and increased reliance on online platforms – have been a boon to organized crime, hacktivists, and nation-states. Globally, cyberattacks of all types proliferated during the pandemic, highlighting the far-reaching implications for supply chains and operations, as well as the ongoing cybersecurity challenge facing companies.

Boards and audit committees have made strides in monitoring management’s cybersecurity effectiveness. For example, through greater IT expertise on the board and relevant committees, company-specific dashboard reporting to show critical risks and more robust conversations with management. However, the board or audit committee may oversee a continued cybersecurity challenge ahead. This is a result of the acceleration of digital strategies, remote and hybrid work models and increased regulation on data privacy and sophistication of cyber attackers. It is no longer a matter of if you will experience a cyber-security incident, but rather a matter of when and how you respond to it.

5. Reinforce audit quality and set clear expectations for the external auditor

Audit quality is enhanced by a fully engaged committee that sets the tone and clear expectations for the external auditor. The committee also monitors auditor performance rigorously through frequent quality communications and a robust performance assessment. (See our global Audit Committee Institute’s External Auditor Assessment Tool).

Setting clear expectations and frequent quality communications with the external auditor is vital. It Is important to consider the lessons learned from 2021 while setting expectations for 2022–potentially the first audit in a remote working environment.

The audit committees and auditor would discuss what aspects of the 2022 audit will be conducted remotely. They would also explore what worked well in 2021, the aspects of audit that will be done differently and the opportunities for improved efficiency in 2022.

This includes Identifying:

• The complexity that working remotely adds to audit
• The change in the company’s financial reporting and related internal control risks
• The management’s and auditor’s plans to keep the 2022 audit and the interim review on track

To figure all that out, the company should set clear expectations for frequent, open and candid communication between the auditor and the audit committee. This can also go beyond what is required. The list of required communications is extensive and includes matters related to the auditor’s independence, planning and the results of the audit. Taking the conversation beyond what’s required can enhance the audit committee’s oversight, particularly regarding the company’s culture, tone at the top and the quality of talent in the finance function.

Audit committees should also probe the audit firm on its quality control systems intended to drive continuous improvement in audit quality. This involves the firm’s implementation and use of new technologies. Audit quality is a team effort requiring commitment and engagement from everyone involved in the process–the auditor, audit committee and management.

6. Understand how technology is impacting the finance function’s talent, efficiency, and value-add, along with the implications of the war for talent and changing workforce trends

Continued scrutiny of how companies are adjusting their talent development strategies is expected in 2022. The challenges of finding, developing and retaining talent have created a war for talent. This is especially true for finance functions and internal audit amid the shifts in working trends and a labor constrained market. Not to mention the potential effects on wellbeing, systems and controls as people adapt to new ways of working. This applies to people returning to the workplace or embarking on long-term remote or hybrid working.

The transformation and acceleration of digital strategies are impacting the finance functions for many organizations. They are also presenting important opportunities for finance to reinvent itself and add greater value to the business. As audit committees monitor and help guide finance’s progress, we suggest three focus areas:

• Identifying the organization’s plans to leverage robotics and cloud technologies to automate as many manual activities as possible, reduce costs, and improve efficiencies. In fact, much of finance’s work involves data gathering. In addition, we suggest determining the risks associated with such technology, as well as how they are being addressed and mitigated.
• Understanding how the finance function is using data analytics and artificial intelligence (AI) to develop sharper predictive insight and better deployment of capital. The finance function is well-positioned to guide the company’s data and analytics agenda. It is also fit to consider the implications of new transaction-related technologies, from blockchain to cryptocurrency. As the historical analysis becomes fully automated, the organization’s analytics capabilities should evolve to include predictive analytics–an important opportunity to add real value.
• As the finance function combines strong analytics and strategic capabilities with traditional financial reporting, accounting and auditing skills, its talent and skill-set requirements must change accordingly. It should attract, develop, and retain the talent and skills necessary to match its evolving needs. In this environment, it is essential that the audit committee devote adequate time to understand finance’s transformation strategy.

7. Stay apprised of global tax developments and risks – now an important element of ESG

Disruption and uncertainty describe the global tax environment today–particularly multinationals. The organization for economic cooperation and development (OECD) is leading efforts to achieve consensus among 137 countries. The UAE, for instance, is considered for global tax reform to enable jurisdictions to tax automated digital services. This is being done so that technology-enabled services and customer-facing services are taxed in the jurisdictions in which those activities are happening.

Tax has also emerged as an important element of ESG. Stakeholders expect companies to conduct their global tax affairs in a sustainable manner, measured in terms of good tax governance and paying a fair share.

In this environment, it is important for audit committees to engage with the management in at least three areas:

• Understand the risks posed by the uncertainty and complexity of this evolving global tax landscape, as it is likely to have a significant effect on in the future
• Help articulate the company’s tolerance for reputational risk associated with global tax choices that are being made. This includes developing a global tax strategy that is aligned with the company’s broader ESG agenda.
• Evaluate the extent to which the corporate governance framework and the associated controls are in place to minimize this risk and improve sustainability scores

8. Help ensure that internal audit is focused on the company’s critical risks

Audit committees should work with the head of internal audit (HOIA) to ensure that the internal audit plan is risk-based, flexible and adjusts to changing business and risk conditions. While Covid-19 was perhaps not an expected risk heading into 2020, the functions pivoted effectively to reviewing management’s updated risk assessments and remediation plans. Moving forward, the audit committee would do well to:

• Work with the HOIA and chief risk officer to identify critical risks and ensure that internal audit is focused on them. Critical risks pose the greatest threat to the company’s reputation, strategy and operations. These risks include tone at the top and culture, workforce trends, regulatory compliance, incentive structures, cybersecurity and data privacy, ESG risks, global supply chain and outsourcing risks.
• Ask again whether the audit plan is risk-based, flexible and can adjust to changing business and risk conditions:
  • What has changed in the operating environment?
  • What are the risks posed by the company’s digital transformation and by the company’s extended organization–sourcing, outsourcing, sales and distribution channels?
  • Is the company sensitive to early warning signs regarding safety, product quality, and compliance?
  • What role should internal audit play in auditing the culture of the company?
• Set clear expectations and help ensure that internal audit has the resources, skills and expertise to succeed
• Help the HOIA think through the impact of digital technologies on internal audit

9. Make the most of the audit committee’s time together

Effectiveness requires efficiency. Keeping the audit committee’s agenda focused on financial reporting and related internal control risk is essential to the committee’s effectiveness; but meeting the workload challenge requires efficiency as well.

Streamline committee meetings by insisting on quality pre-meeting materials (and expect pre-read materials to have been read), making use of consent agendas, and reaching a level of comfort with management and auditors so that financial reporting and compliance activities can be “process routine” (freeing-up time for more substantive issues facing the business). Other key questions to pose periodically:

• Does the audit committee leverage the array of resources and perspectives necessary to support the committee’s work?
• Does the committee spread the workload by allocating oversight duties to each audit committee member, rather than relying on the audit committee chair to shoulder most of the work? Does the committee have the expertise to oversee all of the issues delegated to it?
• Is sufficient time spent with management and the auditors outside of the boardroom – to get a fuller picture of the issues?
• Is there a need for a different committee composition, independence and leadership with new skill sets?