The global risk environment has undergone drastic changes over the past year due to economic, political and natural developments, leading to increased uncertainty for businesses. As we move into 2023, greater geopolitical instability, surging inflation and the prospect of a global recession are expected to present companies with a range of macroeconomic challenges. These include the war in Ukraine, disruptions in supply chains, cybersecurity risks and ransomware attacks, and a shortage of talent in the market, all of which are anticipated to test the resilience of companies’ financial reporting, compliance and internal control environment. The increasing complexity and interconnectivity of these risks will therefore require audit committees to present a more holistic approach to risk management and oversight.
In this volatile and opaque operating environment, demands by regulators, investors and other stakeholders for more action and greater disclosure and transparency – particularly around companies’ climate and other environmental, social, and governance (ESG) risks – will continue to intensify.
Drawing on insight from our interactions with audit committees and business leaders, KPMG experts have highlighted the following eight issues to consider as audit committees carry out their 2023 agendas.
Effective oversight requires audit committees to stay up to date on finance and accounting obligations posed by the current geopolitical, macroeconomic and risk landscape. The top priorities for financial reporting in 2023 include risk-based decision making and audit control deficiencies.
Making tough calls: forecasting and disclosures
The latest geopolitical risks and extensive use of forward-looking information in financial statements are demanding more focus from audit committees on disclosures about areas directly or indirectly impacting their organizations, including:
- The impact of the Russia-Ukraine war and sanctions, supply chain disruptions, heightened cybersecurity risk, inflation, interest rates, market volatility and the risk of a global recession
- Impairment of nonfinancial assets including goodwill and other intangible assets
- Accounting for financial assets (fair value)
- Going concern and longer-term viability statements. The volatile economic environment and its impact on cashflows, credit lines and borrowing facilities have driven many organizations to double down on scenario planning and impact analysis.
- The use of non-IFRS metrics, including ESG
Regulators are also highlighting the importance of well-reasoned judgment and transparency, including documentation demonstrating the company’s rigorous processes. Given the fluid nature of the long-term environment, disclosure of changes in judgments, estimates and controls may be required more frequently.
Internal control over financial reporting and probing control deficiencies
UAE regulators such as the Abu Dhabi Accountability Authority (ADAA), the Central Bank of the UAE and the Securities and Commodities Authority have proposed the introduction of a stronger framework for organizations’ internal controls. Accounting and auditing processes will therefore continue to be put to the test this year to strengthen existing frameworks including the identification, assessment and control of fraud risk. Audit committees should also discuss with management how these regulations are affecting their disclosure controls and procedures, as well as their assessment of internal control over financial reporting.
When a control deficiency is identified, it is important to probe beyond management’s explanation of why it is not a disclosable significant failing or weakness and help provide a balanced evaluation of the deficiency’s severity and cause. Management and the audit committee should regularly examine the company’s control environment, ensuring controls are in line with the company’s operations, business model and changing risk profile.
Audit committees continue to express concern around the challenges of overseeing major risks that are beyond their core oversight responsibilities. Demand for expanded disclosures regarding a range of ESG and sustainability risks has also heightened concerns on audit committees’ bandwidth and overload.
It is recommended that audit committee members reassess their time and expertise available to oversee significant risks such as cybersecurity, climate change, ESG and safety. They should consider if these risks require more attention from the entire board or a separate board committee. A careful evaluation of the pros and cons of creating a new committee is also essential. Otherwise, they can consider organizing a committee focused on finance, technology, risk, sustainability and other areas, and finding directors with new skill sets to improve the board’s effectiveness. These considerations can be beneficial for the risk oversight discussion.
Intensifying demands for higher quality ESG disclosures should be prompting boards to reassess their oversight structure relating to ESG risks. Investors, regulators, ESG rating firms and other stakeholders are seeking ESG information that is accurate, comparable and supports decision making.
Boards are taking various approaches to monitor ESG risks. For many organizations, this oversight is a full-board function with most of the work being carried out by their committees. ESG board committees are becoming increasingly common in leading companies around the world. However, other committees like the audit, remuneration and nomination committees may also have some responsibilities related to ESG. For example, the remuneration committee will likely oversee any ESG-related performance incentives, while the nomination committee will ensure that the board and senior management team have the right skills and expertise in place.
The audit committee is usually responsible for overseeing ESG disclosures and frameworks, financial risks, the expanding legal/regulatory compliance risks, data and the robustness of their company’s enterprise risk management (ERM) processes.
Board standing committees play a vital role in helping boards carry out oversight responsibilities related to ESG risks, as well as broader strategic issues such as their organization’s ability to raise finance. Information sharing and effective communication and coordination among committees are crucial for successful ESG oversight. For instance, given the financial reporting and internal control implications associated with ESG risks, audit committees must recognize what type of input other committees require from them, and vice versa. Key areas where information sharing is particularly important include:
- Deciding where ESG disclosures should be made e.g. financial statements, sustainability reports and/or the company’s website
- Ensuring that ESG information is being disclosed at the same level of rigor as financial information
- Selecting an ESG reporting framework
With the 28th United Nations Conference of the Parties (COP28) Climate Change Conference being held in the UAE, heightened requirements may also be introduced for ESG disclosures and requirements by UAE regulators.
Finance functions are facing challenges in addressing talent shortages, managing digital transformation and developing robust systems to collect and maintain high-quality ESG data that meets stakeholder demands. Additionally, they are contending with difficulties in forecasting and planning for an uncertain environment and keeping their workforce motivated and engaged.
As a result, audit committees are monitoring and guiding finance departments as they progress in these fields. KPMG experts suggest the following areas of focus:
- Ensuring finance teams have the necessary leadership, skills and resources to address ESG reporting, collect and maintain quality data and give adequate consideration to diversity. Many finance functions have been assembling or expanding management teams to manage ESG activities and enhance controls over the ESG information being disclosed in corporate reports.
- Taking advantage of the opportunities presented by the accelerating digital transformations undertaken by many companies to reinvent themselves and add greater value to their business. As finance functions combine strong analytics and strategic capabilities with traditional financial reporting, accounting and auditing skills, their talent and skill-set requirements must change accordingly to match their evolving needs.
It is essential that the audit committee devote adequate time to understand finance’s ESG reporting and digital transformation strategies and help ensure that finance has the right resources to execute them.
Audit quality can be enhanced through a fully-engaged audit committee that sets clear expectations for external auditors and monitors auditor performance rigorously with frequent quality communications and robust performance assessments.
Auditor’s plans for 2023: keeping interim reviews on track
While setting expectations for external auditors in 2023, audit committees should review what worked well in 2022, as well as consider opportunities for improving audit quality in the upcoming year. They should also examine the challenges of hybrid or remote work and their effects on the audit process. Audit committees should also assess how their company’s financial reporting and related internal control risks have changed in 2023 in light of the global geopolitical landscape, cybersecurity risks, inflation, interest rates, market volatility, climate change and other ESG issues and the risk of a global recession.
Setting frequent, open and candid communications
Audit quality is a team effort, requiring the commitment and engagement of everyone involved in the process – the auditor, audit committee, internal audit and management. The list of required communications is extensive and includes matters related to the auditor’s independence, as well as the planning and results of the audit. Taking the conversation beyond what’s required can enhance the audit committee’s management of the company’s culture, tone at the top and quality of talent in the finance function.
Expanding independent assurance beyond external auditors
Audit committees should probe the audit firm on its quality control systems and implementation of new technologies to drive sustainable and improved audit quality. In their discussions with the external auditor regarding the firm’s internal quality control system, the committee should also consider the results of recent regulatory and internal inspections, and the efforts made to address deficiencies.
Many companies are also actively analyzing their image and reputation among shareholders and other stakeholders, empowering some audit committees to extend the independent (external) assurance they receive, be it from an external auditor or other third-party assurance providers.
As audit committees deal with heavy agendas, internal audit has become a crucial resource for providing valuable insight on financial reporting, compliance, operational, technology and evolving ESG risks. However, there are capacity constraints within the audit profession and finding the right auditor may be more difficult than expected.
ESG risks are also rapidly evolving and involve managing human capital such as inclusion, diversity and equity (IDE), talent, leadership, corporate culture and environmental and data-related risks. Internal auditors’ role concerning ESG risks and ERM is not to manage risk, but to focus on disclosure controls and procedures and provide added assurance regarding the adequacy of risk management processes. Therefore, the internal audit plan should be flexible and risk-based to adjust to changing business and risk conditions.
Going forward, the audit committee should work with the chief audit executive and chief risk officer to identify critical risks that pose a threat to the company’s reputation, strategy and operations, and ensure that internal audit is focused on these risks and related controls.
Changes in the company’s operating environment and its digital transformation and extended organization can also create additional risks related to sourcing, outsourcing, sales and distribution channels. Companies should therefore be aware of early warning signs regarding safety, product quality and compliance.
Finally, internal audit should play a role in reviewing the company’s culture, ensuring access to the right resources, skills and expertise to succeed, and assisting chief audit executives in evaluating the impact of digital technologies on internal audit.
The reputational costs of an ethics or compliance failure are higher than ever, particularly given the current increase in fraud risk, pressures on management to meet financial targets and higher vulnerability to cyberattacks.
Fundamental to an effective compliance program is the right tone at the top and culture throughout the organization, including its commitment to its stated values, ethics and legal/regulatory compliance. This is particularly true in a complex business environment, as companies move quickly to innovate and capitalize on opportunities in new markets, leverage new technologies and data, and engage with more vendors and third-parties across complex supply chains.
Audit committees should closely monitor the tone at the top and culture throughout the organization. This involves focusing on results, as well as employee behavior and yellow flags that may arise. It is important to consider ongoing pressures on employees, including those who are working from home, and ensure senior management is sensitive to their health and safety, productivity, engagement and morale. Effective leadership and communications are key, and demonstrating understanding and compassion is now more important than ever before.
As a result of the radical transparency enabled by social media, the company’s culture and values, commitment to integrity and legal compliance and its brand reputation are on full display. Having a positive culture in the workplace can also ensure a safe environment for employees to do the right thing. To gain a better understanding of the company’s culture, directors should consider meeting with employees in the field.
Furthermore, the audit committee should focus on the effectiveness of the company’s whistleblower reporting channels, including whether complaints are being submitted and the investigation processes that follow. The company’s regulatory compliance and monitoring programs should also be up to date and apply to all vendors in the global supply chain with clear communication of the company’s expectations for high ethical standards.
From a regulatory perspective, ADAA requires external auditors to review and ensure that subject entities comply with applicable laws and regulations. It also requires external auditors to verify the adequacy of the systems, policies and procedures the subject entity has in place to combat financial and administrative corruption and fraud. This is one of the key drivers behind many organizations in Abu Dhabi establishing new compliance functions, digitizing their compliance platforms and developing a repository of all of their applicable laws and regulations.
Globally, tax has emerged as an important element of ESG and stakeholders are expecting companies to conduct their tax affairs in a sustainable manner, measured in terms of good tax governance and paying a fair share. Many global ESG stakeholders also view the public disclosure of a company’s approach to tax, the amount of taxes paid and where those taxes are paid as essential components of sustainable tax practice. Shareholder proposals are also starting to call for companies to report on their tax practices on a country-by-country basis under the Global Reporting Initiative.
Given the introduction of corporate tax in the UAE, which is effective for the financial year starting 1 June 2023, audit committees have to ensure adequate assessment to understand the corporate tax impact on their organizations. Accordingly, committees should also monitor the effective implementation of the tax framework. Therefore, audit committees need to be engaged with the company’s management in the following areas:
- Understanding the risks posed by the uncertainty and complexity of the evolving tax landscape
- Articulating the company’s tolerance for the reputational risks associated with their tax choices and evaluating the extent to which the corporate governance framework and associated controls are capable of minimizing risks and improving sustainability scores
- Determining the right approach to tax transparency as there is currently no consensus as to what level of reporting constitutes good tax transparency. Management teams will therefore need to consider stakeholder expectations, relevant standards, regulators and the tax transparency disclosures of their peers.
The roles of audit committees continue to expand and evolve beyond their core oversight responsibilities to include areas such as cyber and data security, supply chain issues, geopolitical risks, and climate and ESG disclosures. As committees assess if they have the required composition and skill sets, KPMG professionals have recommended the following areas for audit committees to consider as part of their annual self-evaluation:
- Determining the number of audit committee members who have significant experience in financial accounting, reporting and control issues. It is important to understand if the committee is only relying on a few members to do the heavy lifting to accomplish their oversight duties.
- Involving members who have the experience and skills needed to supervise areas of risk beyond the committee’s core responsibilities.
- Ensuring the necessary financial reporting and internal control expertise to effectively manage disclosures for non-financial information. The committee may need to hire experts to discharge some of its oversight duties.