The Top Ten Topics for Audit Committees to Consider in 2019

Following an active year of developments in the political and regulatory environment, significant tax law changes coming into effect, rapid advancements in technology and innovation, and robust economic growth, 2019 kicks off with much uncertainty, including concerns about the economy and political turmoil. To prepare for the year ahead, financial institutions’ audit committees should consider the following top 10 topics to discuss with management teams, internal and external auditors, and other advisors. As many of the topics are the result of a fast-paced, changing landscape in a variety of aspects, it may be time to assess the potential need for third-party assistance or personnel enhancements to obtain the requisite skill sets and expertise needed to effectively manage and address the challenges and risks of today’s financial institutions management teams and boards.

1 Tax Considerations

How are the audit committee and management team staying abreast of tax developments? Tax reform continues to be a hot topic for financial institutions with new laws impacting the recognition of net operating losses (NOLs) and merger and acquisition transactions. There are potential limitations on NOL carrybacks for periods that ended after Dec. 31, 2017, and there are impacts to the tax-free status of bank-owned life insurance (BOLI) acquired from a transaction if the life insurance contract constitutes a reportable policy sale – careful evaluation of facts and circumstances is now required. While the tax laws were enacted in December 2017, the Internal Revenue Service, U.S. Department of the Treasury and other regulators are continuing to issue guidance and interpretations. This creates an environment of constantly evolving rules and requirements. It is important to monitor these updates and discuss them with your tax advisor to determine the impacts to your company. In addition, the U.S. Supreme Court ruling on South Dakota v. Wayfair, Inc., was a landmark case, which eliminated the historical “physical presence” nexus standard for sales tax with a new “economic” nexus standard based on the amount of business a company transacts in a given jurisdiction. It is a possibility that the majority of the states will enact a form of economic nexus, which could result in higher state tax liabilities for many companies.

2 New Accounting Standards

Ask your external auditor: is your institution ahead, consistent or behind your peers with implementation efforts related to the new current expected credit loss (CECL) accounting standard adoption and the new Leases standard? Has the committee monitored management’s implementation plans, such as understanding which loss methodologies will be utilized, what the costs associated with both implementation and ongoing is projected to be, and whether all of the data needed has been collected? Is management on track with their implementation plan, and have potential barriers to achieving milestones been identified? Where does your external auditor think the institution should be in the process? The implementation of these standards continues to require significant effort on the part of management teams, not only within corporate finance departments, but also needs collaboration with information technology, risk management and other relevant parties. Are any changes needed for processes and controls to address the accuracy of adopting the standards and ongoing accounting post-implementation? As institutions begin to implement new models and accounting tools to address new standards, it is important to remember model risk management throughout the process. The models should be validated prior to accounting standard adoption, and banks should ensure that there is an appropriate risk governance structure in place to manage through the remainder of the implementation phase.

3 Disclosures, Disclosures, Disclosures

New accounting standards (e.g., revenue recognition and Leases), additional guidance on non-GAAP measures, and the ever-changing economic and technological landscape continue to challenge financial reporting departments with the additional disclosures required. Has the audit committee discussed how much information and detail are needed in any new disclosures? What new internal controls have been implemented by management as the result of any changes or additions with respect to disclosures (including any non-GAAP measures)? The U.S. Securities and Exchange Commission (SEC) has continued to emphasize the importance of providing accounting transition disclosures as required under Staff Accounting Bulletin (SAB) Topic 11.M about the anticipated effects of the new accounting standards on a Company’s financial statements. The SEC staff expects a registrant’s disclosures to evolve as the effective date of a new standard nears and the registrant makes progress on its implementation plan. Does the audit committee have a full understanding each reporting period about the accuracy of the filing disclosures, and what peer institutions are disclosing?

4 Enterprise Risk Governance

Regulatory expectations around risk management programs continue to increase for community banks, particularly those greater than $1 billion in assets. Institutions should have internal controls, information systems and internal audit programs that are commensurate with their size, sophistication and complexity. Emphasis should be placed on several elements, including the implementation of a board-approved risk appetite statement, identification and assessment of risks on a regular basis, and a risk culture framework supported by training across all levels.

An effective enterprise risk management (ERM) framework should allow senior management to:

  • Assess the interrelationships among various risks,
  • Make better informed cost/benefit decisions about risk mitigation efforts, and
  • Think proactively about future risks.

Firms must demonstrate an ability to effectively identify, measure and mitigate risks from a governance perspective. When institutions develop their ERM framework, it is recommended that all institutions have a “three lines of defense” model, incorporating best practices from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The front-line business unit of a function owns the risk and the relevant controls. The second line of defense should be independent from the front line and is responsible for the ERM framework. The last line of defense is typically internal audit or any organizational unit that provides assurance to the soundness and effectiveness of controls. All three elements are necessary in order to promote risk ownership and a stronger risk management culture, while also reducing inefficiencies, gaps and overlap that often occur.

5 Cybersecurity

While certainly not a new topic, failure to adequately address cybersecurity continues to increase exposure to a host of risks to the organization’s brand and bottom line. Negative press has become commonplace in relation to publicized cybersecurity incidents, making reputational damage a front running risk. Customer confidence may dwindle in the event of a publicized breach or an inability to serve customers. Further, decrease in market valuation, legal complexities and potential fines from regulatory bodies for noncompliance are all possible if breach prevention and notification practices have not been applied. On Feb. 21, 2018, the SEC issued interpretive guidance regarding public companies’ disclosure obligations under existing law regarding cybersecurity risk and incidents. Is the audit committee abreast of the information required to determine whether disclosures are sufficient and accurate? Does the company have a plan in place to allow for immediate evaluation into whether an incident requires public disclosure? Is the company’s information technology department adequately staffed, or are staffing issues potentially putting the company at risk?

6 Emerging Technologies

The Center for Audit Quality (CAQ) has published an Emerging Technologies: An Oversight Tool for Audit Committees to address topics such as artificial intelligence, robotic process automation, blockchain and more. This tool provides insights for audit committees to help execute their oversight responsibilities for the impacts of technology, such as data analytics and other artificial intelligence tools that may have a bearing on financial reporting. As institutions utilize more sophisticated systems and applications to process and move data throughout their organizations, it is important to have tools to evaluate and interpret the information generated. The use of these IT tools, whether in corporate finance or internal audit, will allow for efficiencies in accounting and reporting and recognize issues or trends within their data, enabling management to be more proactive in their operations. The publication provides various questions that can be asked by your committee – whether the company is just starting down the road of looking at potential technologies to utilize, or if these advancements are already part of the company’s financial reporting process.

7 Critical Audit Matters (CAMs)

The CAQ has issued a publication, Critical Audit Matters: Lessons Learned, Questions to Consider, and an Illustrative Example. The publication shares early observations from dry runs of the CAM requirements performed by public company auditing firms and provides an illustrative example of a CAM communication. Some of the early lessons learned include the following:

  • Determining which matters are CAMs involves applying a principles-based approach and significant auditor judgment;
  • Importance for the auditor to communicate with management and the audit committee early and often in the process of identifying and drafting CAMs;
  • Auditors, preparers, audit committees and others should plan accordingly for the time it will take to determine and draft CAMs; and
  • Drafting CAMs can be challenging.

In addition to early lessons learned, the publication provides key questions that audit committees and other stakeholders should consider when developing their understanding of the CAM communication requirements in the auditor’s report based on early dry run experiences. These questions are meant to promote a dialogue about the auditor’s implementation of the CAM requirements to assist audit committees and other stakeholders in enhancing their understanding of the impact that the requirements to identify and communicate CAMs may have throughout the audit and on interactions with auditors, management and investors. It is crucial for audit committees to start engaging in conversations with their auditors now. The implementation date is approaching and is required for audits of large accelerated filers with fiscal years ending on or after June 30, 2019, and for all other filers with fiscal years ending on or after Dec. 15, 2020.

8 Culture & Conduct Risk

Conduct risk has received increased regulatory scrutiny over the last few years. Regulators have observed shortcomings in the prevailing culture of financial institutions as the root cause for continued misconduct, and regulators hold board members and senior management directly responsible for establishing and maintaining their financial institution’s culture. Firms have the challenge of integrating conduct risk into existing risk management frameworks to meet regulatory and supervisory expectations. Identifying and maintaining a strong organizational culture begins at the highest levels of management. In terms of generational changes, baby boomers continue leaving the workforce and are replaced with Generation X, millennials and eventually Generation Z employees. A strong culture is critical among all employees to deliver a consistent brand message that customers can trust. A strong culture should include consistent expectations set by the tone at the top, including accountability, effective challenge, incentives and integrity.

9 Emerging Risks

The nation has entered into what may be referred to as the “fourth quarter” of the current economic cycle, with many economists expecting a recession to occur by 2021. Audit committees should work with management to understand the potential risks in their institution’s lending strategy. What changes can be implemented now to minimize potential weaknesses and risks appearing in the market? Ask your external auditor if there are trending risks emerging at other institutions that have not been addressed or discussed. Third parties, for example, can present significant reputational risks to firms, and regulators are increasingly focused about the effectiveness of the firms they supervise in managing and mitigating their exposures from third parties (e.g., cybersecurity, business continuity, data privacy, etc.). Data privacy also remains a high profile emerging risk, especially with the global application of the European Union’s General Data Protection Regulation that is causing firms to reconsider privacy policies and their operating models.

10 Press the Reset Button

As the demands and new challenges imposed on audit committees have increased significantly over the past decade, it is important to make sure a committee is focused on appropriate topics. What may have been a significant risk or issue for a financial institution five or 10 years ago may not be as much of an issue today, but perhaps the committee is still discussing and reviewing information in unneeded detail. If not already addressed, take some time to review the committee’s focus to determine top priorities. In addition, as financial institutions grow in size but are not required by regulation to have a separate risk committee, many have opted to create a separate risk committee. Given continued emerging risks, including cybersecurity and technology, a separate risk committee can be necessary for the board to maintain sufficient oversight in these areas. Ask some consideration questions as your institution assesses current and future needs. Has there been a recent, rigorous self-assessment of the audit committee, including skill sets or expertise that can help with succession planning for future board members? Are the current members engaged and providing sufficient input to contribute as an effective committee member? Press the reset button, study the current state of the committee and prioritize changes that may be needed to establish your committee as best in class.

DHG Contacts

Heather Cozart, CPA
Partner, DHG Financial Services

Lindsay Schuster, CPA
Senior Manager, DHG Financial Services

benchstrength@dhg.com

About DHG Financial Services

DHG Financial Services professionals provide you with in-depth industry knowledge and a wide range of advisory, assurance and tax services to address issues facing your industry in today’s challenging environment. For more information, visit dhg.com/financial-services.