In a mid-December interview, SEC Chief Accountant Paul Munter shared his views on audit committee expectations and oversight of risk management and the control environment, among other issues.
In December, Jackie Daylor, audit partner at KPMG LLP and a member of the Women Corporate Directors (WCD) Foundation board, interviewed Paul Munter, SEC chief accountant, for the WCD Audit Committee peer exchange series. They discussed Paul's views on audit committee expectations, oversight of risk management and the control environment, and audit committee and audit firm independence, among other issues. The following discussion highlights have been edited for length and clarity.
Paul Munter's comments below are provided in his official capacity as the Commission's Chief Accountant but do not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff.
Jackie Daylor: The audit committee plays a critical role in the oversight of the audit. How do you frame the role of the audit committee from your vantage point as chief accountant?
Paul Munter: The SEC has a three-part mission—to protect investors, to facilitate capital formation, and to ensure fair, orderly, and efficient markets. If you go back to the Congressional hearings that led to the enactment of the Securities Act of ’33 and the Securities Exchange Act of ’34, high-quality financial reporting was an integral part of those proceedings. When considering financial reporting, it is not just important that financial statements are accurate, but that investors believe that those statements are accurate and complete. For this, high-quality audits are critical.
We only have to go back a couple of decades to several high-profile accounting frauds and audit failures. As a result, the Sarbanes–Oxley Act further empowered the audit committee as a primary gatekeeper to the financial reporting process and made its oversight of the external audit explicit. So, it is important that audit committees, collectively, and audit committee members, individually, take ownership of their responsibilities—that they're the ones engaging the auditor, determining the compensation of the auditor, and evaluating whether audit quality is at an appropriate level to serve the investors. It’s also very important for the audit committee to transparently explain to investors how they are fulfilling their gatekeeper responsibilities and overseeing the external audit process.
JD: Last summer, you issued a statement on the importance of comprehensive risk assessment by management and the auditors. How should the audit committee think about its role in that process?
PM: In my view, audit committee members have an important role to play in terms of their oversight and understanding of management’s process for risk assessment. The audit committee is looking to ensure that it is exercising oversight of the financial reporting process, the internal control structure, and that it understands how business risk management processes are integrated into financial reporting and internal control effectiveness assessments. That statement evolved from several conversations we had with issuers. We had seen a number of circumstances where the risk management process was viewed as separate and apart from the financial reporting process. But when you think about financial reporting—reflecting financial position, results of operations, and cash flows for the period—business risks that manifest themselves in the company's operations will impact the financial statements now or at some point in the future. It also cascades to the auditor, which should start the audit by doing a robust risk assessment and identifying where within operations there is potential for material misstatements to the financial statements.
JD: Regarding internal and external factors impacting the control environment—from AI to cyber to geopolitical risk—what do you see as critical for audit committees to focus on as they carry out their oversight of controls over financial reporting?
PM: Audit committees need to understand that the control environment is not static, and risk assessment has to be a continuous activity. It is important to have that mindset. One of the things that is really dangerous is what I'll call a “SALY mentality”—"same as last year." The audit committee should be continually probing, engaging with management, and discussing with the external auditor ... what the risks are, specifically what is new or emerging. How might those risks impact the issuer and what processes is management using to identify and manage them? This requires a culture of continuous assessment. From a disclosure standpoint, those risks are often communicated first outside of the financial statements, in risk factors or management’s discussion and analysis (MD&A). So, it's important for audit committees not only to engage, but also to think through what those risks mean for the financial reporting process. How can those risks be conveyed transparently and clearly to investors who are making their own capital allocation decisions and pricing risk?
JD: Investors spend a lot of time on income statements and balance sheets, but those of us who read your statement in December know that you have a view on the utility of the cash flow statement and how it could be improved. Could you share a little more on that?
PM: The cash flow statement is equally important to the other financial statements. I think the audit opinion underscores its importance: it says that the financial statements present fairly the financial position, results from operations, and cash flows for the period. Anecdotally, we've seen circumstances where issuers don't seem to have the same robust processes and controls around the preparation of the statement of cash flows as they do around the other financial statements. We've also seen instances where it doesn't receive the same amount of attention as the other financial statements from an audit perspective. If you look at sources of restatements over a number of years, statement of cash flow issues are consistently at or near the top of the list.
When we get engaged in discussions with issuers where an error in the cash flow statement has been identified—as to whether it is material and therefore warrants a big ‘R’ versus a little ‘r’—we tend to hear comments like, “Well, it's quantitatively big, but there are all these qualitative factors as to why it's not material,” starting with the fact that it's just about classification. But that's at the heart of the cash flow statement. Investors want to understand where an issuer is generating its cash from. The other part of the December statement focused on the utility of the direct method (vs. the indirect method) for conveying information about cash flows to investors. And, if companies don’t feel that they can use the direct method, are there additional disclosures that they could make to help investors' understanding of cash flow information? This goes back to viewing financial reporting as more than just a compliance exercise, but also one of communication.
JD: Switching gears slightly, in the US, there are requirements for audit committee independence at public companies, clearly articulated in the exchange guidelines. Auditor independence is also mandated and just as important for the company and its stakeholders. How does the audit committee help to uphold these aspects of independence?
PM: The audit committee plays a critical role in how investors get information about the company. Its ability to exercise oversight of both the financial reporting process and the external audit would obviously be hindered if management or former management had a seat at the table. That transitions to auditor independence, which is a shared responsibility of the external auditor and the issuer. If the auditor is not independent, then the issuer has a problem because it now has a deficient filing.
It is very important for audit committees to understand the external auditor’s process for maintaining its independence and whether that permeates throughout the firm's culture. In terms of audit and assurance, it is the firm that is required to be independent—not just the audit practice. So having a culture of the highest level of professional conduct and a commitment to auditor independence and audit quality must be resident at the very top of an audit firm. Audit committee members would be well served by having conversations with the leader of their engagement team about the firm’s culture of compliance and its commitment to independence and audit quality.
JD: Lastly, what are the concerns that keep you up at night that audit committees should have top of mind?
PM: This really gets back to the risk questions we’ve been talking about. First, are risks properly identified? Second, does the company have a process in place to properly manage those risks? Third, is the company communicating those risks to investors?
In the current environment, relatively high inflation triggered action by central bankers around the world to increase interest rates. That resulted in exchange rate volatility and shifts in commodity prices and other uncertainties throughout the supply chain. One of the things I worry about is that those who are responsible for identifying and managing risk and, from an audit perspective, risk assessment over those processes, may not have previously managed their way through an environment of high interest rates or inflation. From an audit committee perspective, I would want to understand not only the processes, but also the skills of the people who are doing that and what kinds of steps the issuer has taken to make sure that those responsible for risk assessment and risk management have the appropriate skills. I would also engage the audit team about what it is doing to make sure that it too has the skills to make an appropriate risk assessment and execute an effective audit in light of those risks and uncertainties.
JD: On behalf of KPMG and WCD, I want to thank you for your time and your insights.
Focus on risk assessment, independence, and cash flows, says SEC chief accountant
Download PDFSign up to receive Board Leadership Weekly and Directors Quarterly